Entitlements in Access Models and Controls

An entitlement is a set of related access points that exist within a data source. You may select an entitlement as you create a filter for an access model. If so, the filter identifies users assigned any access point in the specified entitlement.

Keep the number of access points in each entitlement as small as you can while still meeting your risk-analysis requirements, because large entitlements have a negative impact on performance. When a model or control uses entitlement filters, the number of access-point combinations it must analyze is the product of the numbers of access points in each entitlement. (That product is in turn multiplied by the number of individual access points specified in any access-point filters.) For example, suppose a model or control consists of three filters that call entitlements, and each entitlement includes 30 access points. This would require the analysis of 27,000 access-point combinations (30 times 30 times 30).

In addition to creating entitlements manually, you can import them. More precisely, when you import models or controls that use entitlements, you also import any of these entitlements that don't already exist in your target instance.

When you edit an entitlement, be aware that adding or deleting access points necessarily changes the risk logic of models and controls that use the entitlement. When you run a control after editing an entitlement it uses, you may cause existing incidents to be closed automatically.
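
The sizing rule and the effect of editing an entitlement can be previewed offline before a control is rerun. The following is an added example, not code from the product; it assumes the filters are combined so that a user is flagged for each combination of access points the user fully holds, and all entitlement, access-point and user names are constructed.

```python
from itertools import product
from math import prod

# Constructed sample data; entitlement and access-point names are hypothetical.
ENTITLEMENTS = {
    "Create Invoice": {"INV_ENTRY", "INV_IMPORT", "INV_QUICK"},
    "Pay Invoice": {"PAY_MANUAL", "PAY_BATCH"},
}
ASSIGNMENTS = {  # user -> access points the user is assigned
    "asmith": {"INV_QUICK", "PAY_BATCH"},
    "bjones": {"INV_ENTRY", "PAY_MANUAL", "PAY_BATCH"},
    "cwong": {"INV_IMPORT"},
}
FILTERS = ["Create Invoice", "Pay Invoice"]  # one entitlement filter each


def combination_count(entitlements, filters, access_point_filter_sizes=()):
    """Product of entitlement sizes, times the size of each access-point filter."""
    return prod(len(entitlements[f]) for f in filters) * prod(access_point_filter_sizes)


def incidents(entitlements, filters, assignments):
    """Assumed logic: one incident per user per combination the user fully holds."""
    found = set()
    for combo in product(*(sorted(entitlements[f]) for f in filters)):
        for user, held in assignments.items():
            if held.issuperset(combo):
                found.add((user, combo))
    return found


def edit_effect(before, after, filters, assignments):
    """Return (closed, opened) incident sets caused by editing entitlements."""
    old = incidents(before, filters, assignments)
    new = incidents(after, filters, assignments)
    return old - new, new - old


# Edit under review: drop PAY_BATCH from the "Pay Invoice" entitlement.
EDITED = {**ENTITLEMENTS, "Pay Invoice": ENTITLEMENTS["Pay Invoice"] - {"PAY_BATCH"}}

if __name__ == "__main__":
    print("combinations before:", combination_count(ENTITLEMENTS, FILTERS))
    print("combinations after: ", combination_count(EDITED, FILTERS))
    closed, opened = edit_effect(ENTITLEMENTS, EDITED, FILTERS, ASSIGNMENTS)
    for user, combo in sorted(closed):
        print("would close:", user, combo)
    print("would open:", len(opened))
```

In this sample the edit halves the combinations to analyze, but it also removes asmith from the results entirely, which is the kind of risk-logic change to review before rerunning the control.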