User Types
This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.
A user type defines a large grouping of similar users. It can be viewed as a category of users with much in common, even though they don’t all have the same business role. Typical examples include staff, contractors, customers, and students.
User types are helpful not only for classifying users but also for provisioning access. One way is by assigning items through birthright access at the user type level.
User types are recommended for grouping users by specific geographies, such as US and UK staff.
About Birthright Access
Birthright access sets the resources, roles, and other things that a particular category of identities get when they are first created.
A common example would be to set Entra ID and Email as birthright resources, since most organizations provision an identity provider account and email address to all staff members, regardless of their job function.
Birthright assignments only manage access to applications, not physical assets.
Access Types
-
Resource: A resource is a digital or physical asset to which a user can be granted access. This could be a physical asset such as a key card or a digital application (Ping Directory, Okta, or Entra ID).
-
Entitlements: Entitlements are access levels within a resource (security roles, responsibilities, security groups, permission sets, and so forth).
-
Role: A role is a collection of resources and entitlements. Roles can be assigned to more than one person. Roles are best organized for a specific purpose, such as a specific job function.
Access Model
Every identity has exactly one user type, and this is the foundation of the IGA access model.
Within the user type, administrators configure different access levels for roles and resources (such as birthright, default granted, and default not granted), defining the initial and potential access given to an identity.
Only access defined in the user type can be granted. Anything not explicitly set in the user type can never be granted to an identity of that user type. When access is defined, it is specified in one of the following categories:
-
Birthright: Birthright access is granted to every identity of this user type and can never be removed.
-
Example: An email account for employees: All identities of the employee user type are granted an email account. They have that email account as long as they are employees.
-
-
Assigned: Access is granted to every identity of the user type when the Identity is created or changed to that user type. Access can be removed.
-
Assignable: Access is not granted to new identities by default. Access can added directly by administrators or managers, by policies attached to a role, or through a self-service request if the access is available in a catalog. Access can be removed.
Ways Access is Granted
Users can obtain access in various ways based on the business processes and security requirements of their organization.
Birthright
Birthright access is access that every identity receives based on their user type. For example, every Delinea employee gets an Azure AD and Slack account. Those would be birthright resources for the “Employee” user type.
Birthright access is granted when an identity is created or updated; however, it is re-evaluated if the user type is updated.
Direct Assignment
An administrator can assign access to an identity; however, only access available to the specific user type can be assigned.
Role Access by Dynamic Collections
Dynamic collections can automatically assign roles to users. A role will be assigned to all users in the dynamic collection. Dynamic collections are evaluated:
-
When a user is created
-
When a user is updated
-
On a schedule
-
When the collection definition is updated
-
When the user type is updated
To view or manage Dynamic Collections, navigate to the Collections page and select the Dynamic Collections tab.
