Overview
Entitlement Management involves the discovery, classification, and administration of fine-grained permissions (Entitlements) within applications. While Roles are bundles of access, Entitlements are the atomic units—the specific keys that unlock specific doors.
Examples include "AD Group: Finance_RW", "Salesforce Permission Set: Export Leads", or "SAP T-Code: SU01". Effective management requires pulling these technical permissions out of silos and translating them into business-readable terms so they can be governed. Without this, you are governing opaque strings that nobody understands.
Architecture
Reference Pattern: The Entitlement Catalog
The Catalog acts as a Rosetta Stone, translating Technical Names into Business Glossary terms with metadata (Risk, Owner, Description).
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Discovery Scope | Groups only, Internal Permissions | Groups + High-Value Permissions | AD Groups are easy, but real risk often lies in internal App Roles/Permissions. |
| Enrichment Strategy | Manual, Crowdsourced, AI-assisted | Owner-driven (Crowdsourced) | IT cannot define what "GRP_77_X" means. Force App Owners to define it. |
| Risk Scoring | High/Med/Low, Numeric (1-100) | High/Med/Low | Keep it simple. High = Admin/PII. Low = Read-only public data. |
| Cleanup Policy | Keep all, Delete unused | Delete unused | If an entitlement hasn't been assigned to anyone for 12 months, delete it. |
| Visibility | Show all to all, Filter by Dept | Filter by Context | Don't show "Mainframe Admin" entitlements to the Marketing intern. |
Implementation
Phase 1: Ingestion & Discovery
- Connect high-risk applications.
- Pull all Groups, Roles, and Permission Sets.
- Identify "Orphan Entitlements" (exist in app but not in catalog).
- Goal: Comprehensive inventory of what exists.
Phase 2: Classification & Ownership
- Assign owners to applications and entitlements.
- Launch "Data Cleanup" campaign for owners to provide descriptions.
- Tag High-Risk entitlements (SOX, Admin, PII).
- Goal: Turn "Technical Garbage" into "Business Data."
Phase 3: Lifecycle & Rationalization
- Implement "Entitlement Request" workflows.
- Periodic review of the catalog itself (not just user assignments).
- Retire duplicates and unused entitlements.
- Goal: A lean, clean catalog of relevant access.
Risks
- Catalog Stagnation: Entitlements change in the app (e.g., renamed) but the catalog is not updated, breaking provisioning.
- Description Drift: The description says "Read Only" but the underlying permission was changed to "Write" by an admin.
- Granularity Trap: Importing too much (e.g., every single file folder) and overwhelming the system.
- Context Loss: Knowing a user has "Role A" is useless if you don't know that "Role A" grants "Super Admin."
KPIs
- Enrichment Rate: Percentage of entitlements with a user-friendly description and valid owner (Target: > 90%).
- Orphan Entitlement Rate: Percentage of entitlements discovered in apps that are not managed in the IGA tool.
- Utilization Rate: Percentage of catalog items that are actually assigned to at least one user.
- Risk Coverage: Percentage of entitlements that have been risk-assessed/tagged.
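As an added worked example (not part of the original page), the following Python sketches the catalog checks behind Phase 1 (orphan detection), the 12-month cleanup policy from the Key Decisions table, and the four KPIs above. The `CatalogEntry` schema, field names and sample entitlements are constructed assumptions, not any IGA product's data model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class CatalogEntry:
    """One technical entitlement plus the business metadata the catalog adds (constructed schema)."""
    technical_name: str
    description: str = ""           # business-readable meaning, supplied by the app owner
    owner: str = ""                 # accountable owner; empty means unowned
    risk: str = ""                  # "High", "Medium", "Low", or "" if not yet risk-assessed
    holders: int = 0                # users currently assigned this entitlement
    last_held: Optional[date] = None  # most recent date anyone held it; None = never assigned

# Constructed sample data: names the connector discovered in the app vs. what the catalog knows.
DISCOVERED = {"Finance_RW", "Finance_RO", "GRP_77_X", "Mainframe_Admin"}
CATALOG = {
    "Finance_RW": CatalogEntry("Finance_RW", "Read/write access to the general ledger", "alice", "High", 12, date(2024, 12, 20)),
    "Finance_RO": CatalogEntry("Finance_RO", "Read-only view of the general ledger", "alice", "Low", 40, date(2024, 12, 20)),
    "GRP_77_X": CatalogEntry("GRP_77_X"),  # undescribed, unowned, never assigned: "technical garbage"
    "Legacy_Report": CatalogEntry("Legacy_Report", "Legacy report viewer", "bob", "Low", 0, date(2022, 1, 15)),
}
TODAY = date(2025, 1, 1)  # fixed "now" so the checks are reproducible

def orphan_entitlements(discovered, catalog):
    """Phase 1: entitlements that exist in the app but are not governed in the catalog."""
    return sorted(discovered - catalog.keys())

def stale_entitlements(catalog, today, months=12):
    """Cleanup policy: not held by anyone for `months` months -> candidate for deletion."""
    cutoff = today - timedelta(days=30 * months)
    return sorted(
        name for name, e in catalog.items()
        if e.holders == 0 and (e.last_held is None or e.last_held < cutoff)
    )

def kpis(discovered, catalog):
    """The four KPIs as fractions in [0, 1]; orphan rate is measured against what the app exposes."""
    total = len(catalog)
    enriched = sum(1 for e in catalog.values() if e.description and e.owner)
    assessed = sum(1 for e in catalog.values() if e.risk)
    used = sum(1 for e in catalog.values() if e.holders > 0)
    return {
        "enrichment_rate": enriched / total,
        "orphan_entitlement_rate": len(orphan_entitlements(discovered, catalog)) / len(discovered),
        "utilization_rate": used / total,
        "risk_coverage": assessed / total,
    }

if __name__ == "__main__":
    print("orphans:", orphan_entitlements(DISCOVERED, CATALOG))
    print("stale:", stale_entitlements(CATALOG, TODAY))
    print("kpis:", kpis(DISCOVERED, CATALOG))
```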
