Considerations and limits
Keep the following guidance in mind before using Entitlement Management:
- Entitlement Management only supports applications as a resource.
- System Log events may be inaccurate if enabling Governance Engine failed for an app.
- For provisioning-enabled apps, you can only enable Governance Engine for app instances if you haven't enabled provisioning for them.
- Enable Create Users and Update User Attributes for a provisioning-enabled app that has Governance Engine and provisioning enabled. These settings ensure that entitlements are assigned accurately. Set these options in the To App section under Settings on the Provisioning tab of the app instance.
- Create a new app instance and enable Governance Engine to use entitlement policies effectively. Enabling Governance Engine for existing app instances marks the existing users' assignments as Custom. Policies that you create for an existing app instance only apply to new users assigned to the app.
- Entitlement assignment by policy rules is effective for Okta-sourced groups only. If a user's membership of a non-Okta-sourced group changes, their entitlements assigned by the policy aren't updated.
- You can't assign entitlement bundles to users directly from the Admin Console. You must set up Request Types so your users can request access to entitlement bundles from Access Requests. Alternatively, you can use APIs to assign bundles to users. See Okta Identity Governance API.
- Entitlement Management doesn't use or enforce the Timer setting in Access Requests.
- Entitlement Management doesn't support mandatory entitlements.
- Access Requests doesn't support requests for apps with required entitlements or attributes.
- Assigning bundles using an entitlement policy isn't supported.
- The Self Service section on the app's profile page is unavailable if the app has Governance Engine enabled.

Supported applications for Entitlement Management

Application Type | | Supported |
---|---|---|
Template Apps | OIDC (without Federated Broker Mode) | Yes |
Template Apps | OIDC (with Federated Broker Mode) | No |
Template Apps | SCIM | Yes |
Template Apps | SAML | Yes |
Template Apps | Bookmark | No |
Template Apps | SWA | No |
OIN Apps | Provisioning-enabled apps with Universal Directory (UD) attributes | Limited |
OIN Apps | Provisioning-enabled apps without UD attributes | Yes |
OIN Apps | Apps without provisioning enabled | Yes |
OIN Apps | SWA | No |
API Services App | n/a | No |

Entitlement limits

Component | Maximum |
---|---|
Entitlements in an org | 10,000 |
Entitlement values in an org | 150,000 |
Entitlements in a bundle | 100 |
Entitlement bundles in an org | 1,000 |
Number of entitlement policy rules for a third-party application | 100 |