ConductorOne Docs

Clarify complex entitlement relationships

Linked, bound, and custom entitlements help you establish relationships between entitlements and make it clearer to your colleagues what they need to request or review.

Choosing the right tool

ConductorOne offers three tools to help you create relationships between entitlements. Use bound, custom, or linked entitlements when you have a complex relationship between entitlements that you need to model within ConductorOne or want to present to your colleagues in a simplified way.

Here’s an overview of the three tools and when to use each one:

Linked entitlements

Linked entitlements are existing relationships between IdP- and non-IdP entitlements that ConductorOne identifies for you. You configure how these entitlements show up in ConductorOne.

Use when: You want to clarify the relationship between IdP resources and the apps they grant access to.

Bound entitlements

Bound entitlements create “two-for-one” relationships between entitlements.

Use when: You want to grant a user two or more entitlements from a single approval.

Custom entitlements

Custom entitlements are special proxy entitlements that exist only in ConductorOne, and that can be bound to other entitlements.

Use when: You need to create a clear and easily understood target for user access requests while preserving the underlying complexity of your apps’ configuration.

Set up a linked entitlement

When ConductorOne identifies a relationship between an entitlement in an IdP and one in a standalone application, that relationship is called a linked entitlement. You’ll find any linked entitlements ConductorOne has identified on the Linked entitlements tab on an application’s details page. You can set how you want ConductorOne to treat each linked entitlement.

To set up a linked entitlement:

  1. On an app’s details page, click the Linked entitlements tab.

  2. Click Set up linked entitlements.

  3. For each IdP entitlement ConductorOne has identified as linked to the app, choose an action:

    • Create role: Set up a new role in the app that will be linked to the IdP entitlement. This role will only exist in ConductorOne, and will function as an alias for the IdP entitlement. Your colleagues can request and review the role, which will appear as part of the app, but they will in actuality be requesting or reviewing the IdP entitlement.

    • Link entitlement: Link the IdP entitlement to an existing entitlement in the app. When your colleagues request or review the app entitlement, they will also be requesting or reviewing the IdP entitlement.

    • Skip: Do nothing.

  4. When you’ve made all of your selections, click Save.

Frequently asked questions about linked entitlements

Why is this page blank? If an app’s linked entitlements tab is blank, ConductorOne has not found any entitlements in an IdP that are related to the app’s entitlements.

Why is the button disabled? If there are linked entitlements on the page but the Set up linked entitlements button is disabled, all linked entitlement relationships have already been set up.

Add a manual binding

Linked entitlements automatically create entitlement bindings. You can also manually set up a binding between any two entitlements, so that granting access to one entitlement also grants access to the other.

To add a manual binding:

  1. Navigate to an entitlement’s details page (for clarity we’ll call this the “active entitlement” in these instructions) and click Bindings.

  2. Click Add manual binding.

  3. Select whether the binding is Incoming (the active entitlement is granted by another entitlement) or Outgoing (the active entitlement grants another entitlement).

  4. Select the application that contains the entitlement you’re binding the active entitlement to.

  5. Select the specific entitlement that you’re binding the active entitlement to.

  6. Click Add binding.

Your new manual binding is added to the list of bindings for the active entitlement. If you’ve created an outgoing binding, the additional access grants that are bound to the active entitlement are shown in the Inherited entitlements area.

Create a custom entitlement

Custom entitlements are ideal when you need to create a custom target entitlement that is easy for users to understand. A custom entitlement exists only in ConductorOne (it does not get written back to the source application). You can bind it to other entitlements, using the custom entitlement as a proxy, then include the custom entitlement in request catalogs and access review campaigns.

To create a custom entitlement:

  1. Navigate to an app’s Entitlements tab and click Create custom entitlement.

  2. Select the relevant resource type (the app’s available resource types are shown).

  3. Give the new resource a name and description.

  4. If needed, edit the default entitlement.

  5. Optional. If ConductorOne has identified any entitlements in your IdP that are linked to this app, you have the option to select one to be linked to the custom app.

  6. Optional. Select the owner (or multiple owners) of the new resource.

  7. Click Create.

The new custom entitlement is created and added to the list of entitlements. If you did not link the custom entitlement to an IdP entitlement during setup, follow the instructions above to create a manual binding to another entitlement.
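When reviewing manual bindings and custom entitlements, it helps to see everything a single approval ends up granting. The following is an added example, not ConductorOne code or its API: it models bindings as directed edges, lists what each entitlement grants and is granted by, and flags custom entitlements that have no binding yet. The entitlement names are constructed, and it assumes bindings chain from one entitlement to the next.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names): (granting, granted) pairs.
BINDINGS = [
    ("okta:group/eng-github", "github:role/member"),      # linked entitlement
    ("c1:custom/prod-db-read", "aws:role/rds-readonly"),  # custom proxy
    ("c1:custom/prod-db-read", "okta:group/vpn-users"),
    ("okta:group/vpn-users", "vpn:role/user"),
]
CUSTOM = {"c1:custom/prod-db-read", "c1:custom/oncall-bundle"}


def build_graph(bindings):
    """Index bindings both ways: outgoing (grants) and incoming (granted by)."""
    outgoing, incoming = defaultdict(set), defaultdict(set)
    for granter, granted in bindings:
        outgoing[granter].add(granted)
        incoming[granted].add(granter)
    return outgoing, incoming


def inherited(entitlement, outgoing):
    """Everything an approval of `entitlement` grants via outgoing bindings.
    Assumes bindings chain; the seen-set keeps a cycle from looping forever."""
    seen, stack = set(), [entitlement]
    while stack:
        for nxt in outgoing.get(stack.pop(), ()):
            if nxt != entitlement and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def unbound_custom(custom, outgoing):
    """Custom entitlements with no outgoing binding grant no real access."""
    return sorted(c for c in custom if not outgoing.get(c))


def review_report(bindings, custom):
    """Per-entitlement view a reviewer can check before approving."""
    outgoing, incoming = build_graph(bindings)
    return {
        ent: {"grants": sorted(inherited(ent, outgoing)),
              "granted_by": sorted(incoming.get(ent, ()))}
        for ent in sorted(set(outgoing) | set(custom))
    }


if __name__ == "__main__":
    for ent, info in review_report(BINDINGS, CUSTOM).items():
        print(ent, info)
    print("unbound custom:", unbound_custom(CUSTOM, build_graph(BINDINGS)[0]))
```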