Enable Entitlement management

Enable Entitlement management to manage third-party app entitlements in Okta.

Before you begin

  1. Sign in as a super admin, an app admin, or an admin with the following permissions:

    • Manage applications
    • Edit application's user assignments
    • Edit groups' application assignments or Edit users' application assignments
  2. Create a new app instance and then enable Entitlement management to use entitlement policies effectively. Enabling Entitlement management for existing app instances marks the existing user's assignments as Custom. Policies that you create for an existing app instance only apply to new users assigned to the app.
  3. Create a new app instance to use Entitlement management for Google Workspace or Microsoft Office 365. Don't enable provisioning for these apps.
  4. If the users' access was granted by a condition (that has access duration set up), Okta resets the access expiration for existing users when you enable or disable Entitlement management for the app. The access expiration is set to not expire. Consider manually updating user access expiration after you enable or disable Entitlement management.

You can enable Entitlement management for existing app instances of the following apps:

  • Box
  • Netsuite
  • PagerDuty
  • Salesforce
  • Splunk Enterprise

The preceding apps don't require an import after you enable Entitlement management if provisioning is enabled for the app instance. Any existing entitlements are automatically migrated.

For all other apps, you can't enable Entitlement management for app instances that have provisioning enabled.

If you disable provisioning on an existing app instance to enable Entitlement management, you may lose all provisioning-related data, including relationships and rules.

Start this task

  1. In the Admin Console, go to ApplicationsApplications.

  2. Select the app that you want to enable Entitlement management for.
  3. Go to the General tab.
  4. Click Edit in the Entity management section.
  5. From the Entitlement management dropdown menu, select Enabled.
  6. Click Save. Refresh the page to view the Governance tab for the app.
  7. Optional. Update user's access expiration. When you enable Entitlement management, Okta resets the user's access expiration if their access was granted by access request conditions. The access expiration is set to never expire.

You can enable provisioning for a provisioning-enabled app instance after you enable Entitlement management for it.

Enable Create Users and Update User Attributes for an app that has Entitlement management and provisioning enabled to ensure that entitlements are assigned accurately. Set these options in the To App section under Settings on the Provisioning tab of the app instance.

Disable Entitlement management

Before you disable Entitlement management, keep the following considerations in mind:

  1. For provisioning-enabled apps, you must disable provisioning before you disable Entitlement management.
  2. When you disable Entitlement management for an app, all existing entitlements, bundles, and policies are deleted from the Okta org. There's no impact on the users in the downstream app. However, if you want to manage entitlements from Okta later, you must recreate entitlements after you enable Entitlement management.

To disable Entitlement management for an app, select Disabled from the Entitlement management dropdown list. Optionally, update the user's access expiration.

When you enable or disable Entitlement management, the event appears in the System Log.

Related topics

Create entitlements

Provisioning-enabled app limits