Clarify complex entitlement relationships

Linked, bound, and virtual entitlements help you establish relationships between entitlements and make it clearer to your colleagues what they need to request or review.

Choosing the right tool

ConductorOne offers three tools to help you create relationships between entitlements. Use bound, virtual, or linked entitlements when you have a complex relationship between entitlements that you need to model within ConductorOne or want to present to your colleagues in a simplified way.

Here’s an overview of the three tools and when to use each one:

Linked entitlements

Linked entitlements are existing relationships between IdP- and non-IdP entitlements that ConductorOne identifies for you. You configure how these entitlements show up in ConductorOne.

Use when: You want to clarify the relationship between IdP resources and the apps they grant access to.

Bound entitlements

Bound entitlements create “two-for-one” relationships between entitlements.

Use when: You want to grant a user two or more entitlements from a single approval.

Virtual entitlements

Virtual entitlements are special proxy entitlements that exist only in ConductorOne, and that can be bound to other entitlements.

Use when: You need to create a clear and easily understood target for user access requests while preserving the underlying complexity of your apps’ configuration.

Set up a linked entitlement

When ConductorOne identifies a relationship between an entitlement in an IdP and one in a standalone application, that relationship is called a linked entitlement. You’ll find any linked entitlements ConductorOne has identified on the Linked entitlements tab on an application’s details page. You can set how you want ConductorOne to treat each linked entitlement.

To set up a linked entitlement:

  1. On an app’s details page, go to the Entitlements tab and click the Linked entitlements icon at the top right corner of the entitlements table (the icon looks like a Venn diagram).

    (Screenshot: the Figma application's Entitlements tab, showing the Linked entitlements button with the tooltip enabled.)

  2. In the Linked entitlements drawer, click the Setup tab.

  3. For each IdP entitlement ConductorOne has identified as linked to the app, choose an action:

    • Create virtual role: Set up a new role in the app that will be linked to the IdP entitlement. This role exists only in ConductorOne and functions as an alias for the IdP entitlement. Your colleagues can request and review the role, which appears as part of the app, but they are actually requesting or reviewing the IdP entitlement.

    • Provision access for: Link the IdP entitlement to an existing entitlement in the app. When your colleagues request or review the app entitlement, they will also be requesting or reviewing the IdP entitlement.

    • Skip: Do nothing.

  4. When you’ve made all of your selections, click Save.

The results of your choices are shown on the Bindings tab.

Add a manual binding

Linked entitlements automatically create entitlement bindings. You can also manually set up a binding between any two entitlements, so that granting access to one entitlement also grants access to the other.

To add a manual binding:

  1. Navigate to an entitlement’s details page (for clarity we’ll call this the “active entitlement” in these instructions) and click Bindings.

  2. Click Add manual binding.

  3. Select whether the binding is Incoming (the active entitlement is granted by another entitlement) or Outgoing (the active entitlement grants another entitlement).

  4. Select the application that contains the entitlement you’re binding the active entitlement to.

  5. Select the specific entitlement that you’re binding the active entitlement to.

  6. Click Add binding.

Your new manual binding is added to the list of bindings for the active entitlement. If you’ve created an outgoing binding, the additional access that is granted along with the active entitlement is shown in the Inherited entitlements area.

Create a virtual entitlement

Virtual entitlements are ideal when you need to create a custom target entitlement that is easy for users to understand. A virtual entitlement exists only in ConductorOne (it does not get written back to the source application). You can bind it to other entitlements, using the virtual entitlement as a proxy, then include the virtual entitlement in access profiles and access review campaigns.

To create a virtual entitlement:

  1. Navigate to an app’s Entitlements tab and click Create virtual entitlement.

  2. Select the relevant resource type (the app’s available resource types are shown).

  3. Give the new resource a name and description.

  4. If needed, edit the default entitlement.

  5. Optional. If ConductorOne has identified any entitlements in your IdP that are linked to this app, select one to be linked to the custom app.

  6. Optional. Select the owner (or multiple owners) of the new resource.

  7. Click Create.

The new virtual entitlement is created and added to the list of entitlements. If you did not link the virtual entitlement to an IdP entitlement during setup, follow the instructions above to create a manual binding to another entitlement.
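
Because an outgoing binding means one approval grants other entitlements, and a virtual entitlement exists only in ConductorOne until it is bound, it helps to check both before a review campaign. The following is an added example, not ConductorOne code or an export format: the entitlement names and the (source, target) pairs are constructed, and following bindings transitively is an assumption made to get a conservative upper bound on what a single approval grants.

```python
from collections import defaultdict

# Constructed sample data (hypothetical model, not a ConductorOne export).
# Each pair is an outgoing binding: approving `source` also grants `target`.
BINDINGS = [
    ("figma:Design Team (virtual)", "okta:grp-figma-editors"),
    ("okta:grp-figma-editors", "figma:Editor"),
    ("figma:Editor", "figma:Design Team (virtual)"),  # cycle: must not loop
    ("github:Repo Admin", "aws:prod-deployer"),
]
# Constructed list of virtual entitlements (they exist only in the IGA tool).
VIRTUAL = {"figma:Design Team (virtual)", "figma:Contractors (virtual)"}


def build_graph(bindings):
    """Map each entitlement to the entitlements it grants directly."""
    graph = defaultdict(set)
    for source, target in bindings:
        graph[source].add(target)
    return graph


def inherited(graph, entitlement):
    """Everything granted along with `entitlement`, following outgoing
    bindings transitively (assumption) and tolerating cycles."""
    seen, stack = set(), [entitlement]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt != entitlement and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def unbound_virtual(bindings, virtual):
    """Virtual entitlements with no outgoing binding: approving one of
    these changes nothing in any source application."""
    graph = build_graph(bindings)
    return sorted(v for v in virtual if not graph.get(v))


def approval_footprint(bindings):
    """For each bound entitlement, the sorted list of access that a single
    approval carries with it. This is what a reviewer is really certifying."""
    graph = build_graph(bindings)
    return {src: sorted(inherited(graph, src)) for src in sorted(graph)}
```

Comparing the footprint against what the request form shows makes it easier to spot a low-risk-looking entitlement that carries access in another application.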