Job Role Entitlements

How It Works

An entitlement is the business term for the technical concept of granting a user access to a SaaS Provider without a per-request approval. A job role entitlement is used when users should receive access that has been pre-approved as the least privilege required for their job role.

Creating a Job Role Entitlement

  1. Create a new AuthGroup or choose an existing AuthGroup. At GitLab, the recommended naming convention is Job Family Entitlement - {Job Family Name} or Job Specialty Entitlement - {Job Family - Specialty Name}.

  2. To automatically create an AuthGroupUser for every user who carries specific metadata, create an AuthProviderGroup with the meta type and specify the meta_key and meta_value that must match when a user authenticates.

    At GitLab, we use the specific metadata approach with job_family and job_specialty.

    meta_key         meta_value (example)
    job_family       Backend Engineer
    job_specialty    Backend Engineer - Ecosystem

  3. Create an ApprovalPolicy with type group_member and select the new or previously created AuthGroup.

  4. Navigate to an approvable relationship (e.g. AuthRole, SaaSProviderEntity, SaaSProviderGroup, SaaSProviderRole, or SaaSProviderUser), create an ApprovalChain, and attach the previously created ApprovalPolicy.

Adding a SaaS Provider (Tech Stack Application) to a Job Role Entitlement AuthGroup

  1. Navigate to an approvable relationship of the SaaS Provider (e.g. AuthRole, SaaSProviderEntity, SaaSProviderGroup, SaaSProviderRole, or SaaSProviderUser), create an ApprovalChain, and attach the ApprovalPolicy that was created for the entitlement's AuthGroup.

Removing a SaaS Provider from a Job Role Entitlement AuthGroup

  1. Navigate to the approvable relationship (e.g. AuthRole, SaaSProviderEntity, SaaSProviderGroup, SaaSProviderRole, or SaaSProviderUser) and, in the list of applied Approval Chains, delete the ApprovalChain that was previously created. When deleting the ApprovalChain, you will be prompted whether you also want to delete all relationships it previously approved (e.g. users that have been created).
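The three procedures above (creating the entitlement, adding a SaaS Provider relationship to it, and removing one) can be traced end to end with a small model. The following is an added example, not code from this page or from the access system it describes: the class names follow the page, but their fields, the exact-match metadata rule, the auto-approval logic and the revoke-on-delete behaviour are assumptions, and the user names, metadata and relationship names are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical model of the objects this page names (AuthGroup, AuthGroupUser,
# AuthProviderGroup, ApprovalPolicy, ApprovalChain). The real system's classes
# and matching rules are not shown on the page; everything here is assumed.


@dataclass(frozen=True)
class AuthProviderGroup:
    """Metadata rule: users whose metadata has meta_key == meta_value join auth_group."""
    auth_group: str
    meta_key: str
    meta_value: str


@dataclass(frozen=True)
class ApprovalPolicy:
    policy_type: str   # the page uses type "group_member"
    auth_group: str


@dataclass(frozen=True)
class ApprovalChain:
    relationship: str  # constructed name, e.g. "SaaSProviderRole:example-app/developer"
    policy: ApprovalPolicy


@dataclass
class Registry:
    provider_groups: list[AuthProviderGroup]
    chains: list[ApprovalChain]
    members: dict[str, set[str]] = field(default_factory=dict)   # AuthGroup -> AuthGroupUsers
    approved: set[tuple[str, str]] = field(default_factory=set)  # (user, relationship) granted


def on_authenticate(reg: Registry, user: str, metadata: dict[str, str]) -> list[str]:
    """Apply every AuthProviderGroup rule at login; returns the AuthGroups the user joined.
    Matching is assumed to be an exact, case-sensitive string comparison, so the identity
    source must emit metadata values spelled exactly as configured in the rule."""
    joined = []
    for rule in reg.provider_groups:
        if metadata.get(rule.meta_key) == rule.meta_value:
            reg.members.setdefault(rule.auth_group, set()).add(user)
            joined.append(rule.auth_group)
    return joined


def request_access(reg: Registry, user: str, relationship: str) -> bool:
    """Evaluate the ApprovalChains on a relationship. A group_member policy auto-approves
    when the user is an AuthGroupUser of the policy's AuthGroup; otherwise the request is
    left to the normal (manual) approval flow and False is returned."""
    for chain in reg.chains:
        if chain.relationship != relationship or chain.policy.policy_type != "group_member":
            continue
        if user in reg.members.get(chain.policy.auth_group, set()):
            reg.approved.add((user, relationship))
            return True
    return False


def remove_chain(reg: Registry, relationship: str, delete_approved: bool) -> int:
    """Delete the ApprovalChain(s) on a relationship. With delete_approved=True the
    relationships it previously approved are revoked as well (the prompt the page
    describes); returns the number of grants revoked."""
    reg.chains = [c for c in reg.chains if c.relationship != relationship]
    if not delete_approved:
        return 0
    stale = {pair for pair in reg.approved if pair[1] == relationship}
    reg.approved -= stale
    return len(stale)


def demo() -> dict:
    """Walk through create / add / remove with constructed users and metadata."""
    family_group = "Job Family Entitlement - Backend Engineer"
    specialty_group = "Job Specialty Entitlement - Backend Engineer - Ecosystem"
    reg = Registry(
        provider_groups=[
            AuthProviderGroup(family_group, "job_family", "Backend Engineer"),
            AuthProviderGroup(specialty_group, "job_specialty", "Backend Engineer - Ecosystem"),
        ],
        chains=[  # one ApprovalChain per approvable relationship (steps 3 and 4)
            ApprovalChain("SaaSProviderRole:example-app/developer",
                          ApprovalPolicy("group_member", family_group)),
            ApprovalChain("SaaSProviderGroup:example-app/ecosystem-team",
                          ApprovalPolicy("group_member", specialty_group)),
        ],
    )
    on_authenticate(reg, "alice", {"job_family": "Backend Engineer",
                                   "job_specialty": "Backend Engineer - Ecosystem"})
    on_authenticate(reg, "bob", {"job_family": "Backend Engineer",
                                 "job_specialty": "Backend Engineer - Database"})
    on_authenticate(reg, "carol", {"job_family": "backend engineer"})  # wrong case: no match
    results = {
        "alice_role": request_access(reg, "alice", "SaaSProviderRole:example-app/developer"),
        "alice_group": request_access(reg, "alice", "SaaSProviderGroup:example-app/ecosystem-team"),
        "bob_role": request_access(reg, "bob", "SaaSProviderRole:example-app/developer"),
        "bob_group": request_access(reg, "bob", "SaaSProviderGroup:example-app/ecosystem-team"),
        "carol_role": request_access(reg, "carol", "SaaSProviderRole:example-app/developer"),
    }
    # Removing the SaaS Provider relationship: delete the chain and revoke what it approved.
    results["revoked"] = remove_chain(reg, "SaaSProviderRole:example-app/developer", True)
    results["alice_role_after"] = request_access(reg, "alice", "SaaSProviderRole:example-app/developer")
    return results


if __name__ == "__main__":
    print(demo())
```

The model shows the least-privilege boundary the entitlement draws: bob is auto-approved for the job-family role but not for the Ecosystem specialty group, carol gets nothing because her metadata value differs only in case, and deleting the chain with the revoke option removes both grants it had produced, so nobody keeps access through a chain that no longer exists.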