Entitlement Catalog
The entitlement catalog is the system of record for fine-grained access "things" — application roles, groups, permissions, and licenses — and who holds them.
Admin console: /admin/entitlements · Aggregation: /admin/entitlement-aggregation
Concepts
- Entitlement — a discrete unit of access (e.g. GitHub · Admin, Finance · Approver), cataloged with an owner, description, and risk.
- Holding — an identity ↔ entitlement assignment, with provenance (how it was granted).
- Aggregation — importing entitlements and holdings from a connected source (e.g. Microsoft Entra) so the catalog reflects reality, not just what nexusID granted.
How it works
Entitlements can be defined directly or aggregated from a source. Aggregation runs pull the current holdings from the target and reconcile them into the catalog, recording provenance on each holding so reviewers can see where access came from. The catalog feeds access reviews, role mining, and SoD evaluation.
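The reconcile step described above, sketched as an added example; this is not nexusID's own code. The data model, the provenance labels (`request:approved`, `aggregated:<source>`) and the meaning given to each run-summary counter are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Catalog:
    entitlements: dict = field(default_factory=dict)  # name -> description
    holdings: dict = field(default_factory=dict)      # (identity, name) -> provenance

def reconcile(catalog, source, src_entitlements, src_holdings):
    """Merge one aggregation pull into the catalog and return the run summary."""
    summary = {"created": 0, "updated": 0, "holdings_discovered": 0}
    for name, description in src_entitlements.items():
        if name not in catalog.entitlements:
            summary["created"] += 1
        elif catalog.entitlements[name] != description:
            summary["updated"] += 1
        catalog.entitlements[name] = description
    for identity, name in src_holdings:
        if name not in catalog.entitlements:
            # A holding must point at a cataloged entitlement, or reviews cannot route it.
            raise ValueError(f"holding references unknown entitlement {name!r}")
        # Existing provenance is kept: access granted through a request stays
        # marked as such and is not relabelled as "found in the source".
        if (identity, name) not in catalog.holdings:
            catalog.holdings[(identity, name)] = f"aggregated:{source}"
            summary["holdings_discovered"] += 1
    return summary

def out_of_band(catalog, source):
    """Holdings known only because the source reported them (review candidates)."""
    tag = f"aggregated:{source}"
    return sorted(h for h, prov in catalog.holdings.items() if prov == tag)

def demo():
    # Constructed sample: one entitlement and one holding already in the catalog.
    catalog = Catalog(
        entitlements={"GitHub · Admin": "Org admin"},
        holdings={("alice", "GitHub · Admin"): "request:approved"},
    )
    src_entitlements = {"GitHub · Admin": "Organization administrator",
                        "Finance · Approver": "Approves payments"}
    src_holdings = [("alice", "GitHub · Admin"), ("bob", "GitHub · Admin"),
                    ("bob", "Finance · Approver")]
    summary = reconcile(catalog, "entra", src_entitlements, src_holdings)
    return catalog, summary, (src_entitlements, src_holdings)

if __name__ == "__main__":
    cat, run_summary, _ = demo()
    print(run_summary, out_of_band(cat, "entra"))
```

Running the same pull a second time changes nothing and reports zero for every counter, which is the property that makes repeated aggregation runs safe.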
Typical tasks
- Browse / curate the catalog at /admin/entitlements.
- Run an aggregation from /admin/entitlement-aggregation — pick a target, trigger the run, and review the run summary (created / updated / holdings discovered).
- Assign owners so certifications route to the right reviewer.
Related
- Role Mining — discovers candidate roles from catalog holdings.
- Access Reviews — certify entitlement holdings.