Job Role Entitlements
How It Works
An entitlement is the business term for the technical concept of granting a user access to a SaaS Provider without any approval needed. A job role entitlement is used when specific users should have access based on pre-approved least privilege for their job role.
Creating a Job Role Entitlement
Create a new
AuthGroupor choose an existingAuthGroup. At GitLab, the recommended naming convention isJob Family Entitlement - {Job Family Name}orJob Specialty Entitlement - {Job Family - Specialty Name}.To create an
AuthGroupUserfor a user that has specific metadata that many users have, create anAuthProviderGroupwith themetatype and specify themeta_keyandmeta_valuethat you want to match when a user authenticates.At GitLab, we use the specific metadata approach with
job_familyandjob_specialty.meta_keymeta_value(example)job_familyBackend Engineerjob_specialtyBackend Engineer - EcosystemCreate an
ApprovalPolicywith typegroup_memberand select the new or previously createdAuthGroup.Navigate to an approvable relationship (ex.
AuthRole,SaaSProviderEntity,SaaSProviderGroup,SaaSProviderRole, orSaaSProviderUser) and create anApprovalChain, and attach the previously createdApprovalPolicy.
Adding a SaaS Provider (Tech Stack Application) to a Job Role Entitlement AuthGroup
- Navigate to an approvable relationship (ex.
AuthRole,SaaSProviderEntity,SaaSProviderGroup,SaaSProviderRole, orSaaSProviderUser) and create anApprovalChain, and attach the previously createdApprovalPolicy.
Removing a SaaS Provider from a Job Role Entitlement AuthGroup
- Navigate to an approvable relationship (ex.
AuthRole,SaaSProviderEntity,SaaSProviderGroup,SaaSProviderRole, orSaaSProviderUser) and delete theApprovalChainthat was previously created that appears in the list of applied Approval Chains. When deleting theApprovalChain, you will be prompted whether you want to delete all previously approved relationships (ex. users that have been created).