Baseline Entitlements

How It Works

An entitlement is the business term for the technical concept of granting a user access to a SaaS Provider without any approval needed. A baseline entitlement is used when all users should have access regardless of job role.

Creating a Baseline Entitlement

  1. Create a new AuthGroup or choose an existing AuthGroup. The recommended naming convention is Baseline Entitlement - {Short Description} (ex. Baseline Entitlement - US Employees).

  2. To create an AuthGroupUser when any user authenticates with the AuthProvider, create an AuthProviderGroup with the default type. To create an AuthGroupUser only for users who share a specific metadata value, create an AuthProviderGroup with the meta type and specify the meta_key and meta_value that you want to match when a user authenticates.

    At GitLab, we use the specific metadata approach with entity, country, division, and department.

    meta_key     meta_value (example)
    entity       inc
    country      US
    division     Engineering
    department   Development

  3. Create an ApprovalPolicy with type group_member and select the new or previously created AuthGroup.

  4. Navigate to an approvable relationship (ex. AuthRole, SaaSProviderEntity, SaaSProviderGroup, SaaSProviderRole, or SaaSProviderUser) and create an ApprovalChain, and attach the previously created ApprovalPolicy.
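
Because a baseline entitlement grants access with no approval step, it is worth previewing which users a rule from step 2 would place in the AuthGroup before creating it. The following is an added example, not code from this page or from the application it describes: ProviderGroupRule, matches, preview, the sample users and the "Development" and "Everyone" group names are hypothetical, and exact, case-sensitive matching of meta_value is an assumption.

```python
"""Dry-run of an AuthProviderGroup rule against a directory export (added example)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProviderGroupRule:          # hypothetical model of an AuthProviderGroup
    auth_group: str
    type: str                     # "default" or "meta", as named on the page
    meta_key: Optional[str] = None
    meta_value: Optional[str] = None

    def __post_init__(self):
        if self.type not in ("default", "meta"):
            raise ValueError(f"unknown type: {self.type!r}")
        if self.type == "meta" and not (self.meta_key and self.meta_value):
            raise ValueError("meta rules need both meta_key and meta_value")

def matches(rule, user_meta):
    """True if authenticating with this metadata would create an AuthGroupUser."""
    if rule.type == "default":
        return True               # every authenticated user
    # Assumption: exact, case-sensitive comparison; a missing key never matches.
    return user_meta.get(rule.meta_key) == rule.meta_value

def preview(rule, users):
    """Return (matched user names, users lacking the key entirely)."""
    matched = sorted(n for n, m in users.items() if matches(rule, m))
    missing = sorted(n for n, m in users.items()
                     if rule.type == "meta" and rule.meta_key not in m)
    return matched, missing

# Constructed sample directory; names and values are illustrative only.
USERS = {
    "alice": {"entity": "inc", "country": "US", "division": "Engineering", "department": "Development"},
    "bob":   {"entity": "inc", "country": "US", "division": "Sales"},
    "carol": {"entity": "bv",  "country": "NL", "division": "Engineering", "department": "Development"},
    "dave":  {"entity": "inc", "country": "us", "division": "Engineering", "department": "Development"},
}

if __name__ == "__main__":
    for rule in (
        ProviderGroupRule("Baseline Entitlement - US Employees", "meta", "country", "US"),
        ProviderGroupRule("Baseline Entitlement - Development", "meta", "department", "Development"),
        ProviderGroupRule("Baseline Entitlement - Everyone", "default"),
    ):
        matched, missing = preview(rule, USERS)
        print(f"{rule.auth_group}: {len(matched)}/{len(USERS)} matched {matched}; no {rule.meta_key}: {missing}")
```

Users reported as lacking the key are the ones to check in the identity source: they are silently excluded by a meta rule, while a default rule includes them along with everyone else.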

Adding a SaaS Provider (Tech Stack Application) to a Baseline Entitlement AuthGroup

  1. Navigate to an approvable relationship (ex. AuthRole, SaaSProviderEntity, SaaSProviderGroup, SaaSProviderRole, or SaaSProviderUser) and create an ApprovalChain, and attach the previously created ApprovalPolicy.

Removing a SaaS Provider from a Baseline Entitlement AuthGroup

  1. Navigate to an approvable relationship (ex. AuthRole, SaaSProviderEntity, SaaSProviderGroup, SaaSProviderRole, or SaaSProviderUser) and delete the previously created ApprovalChain that appears in the list of applied Approval Chains. When deleting the ApprovalChain, you will be prompted to choose whether to delete all previously approved relationships (ex. users that have been created).