Delegate access governance to catalog creators in entitlement management

A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. By default, a Global administrator or an Identity governance administrator can create a catalog, and can add additional users as catalog owners.

There are three ways an organization can delegate with catalogs:

  • When getting started in a pilot project, identity governance administrators can create and manage the catalog. Later, when moving from pilot to production, they could delegate a catalog by assigning non-administrators as owners to the catalog, so that those users could maintain the policies going forward.
  • If there are resources that don't have owners, then administrators can create catalogs, add those resources to each catalog, and then assign non-administrators as owners to a catalog. This allows users who aren't administrators and aren't resource owners to manage their own access policies for those resources.
  • If resources have owners, then administrators can assign a collection of users, such as an All Employees dynamic group, to the catalog creators role, so a user who is in that group and owns resources can create a catalog for their own resources.

This article illustrates how to delegate to users who aren't administrators, so that they can create their own catalogs. You can add those users to the Azure AD entitlement management-defined catalog creator role. You can add individual users, or you can add a group whose members are then able to create catalogs. After creating a catalog, they can subsequently add resources they own to their catalog.

If you have existing catalogs to delegate, then continue at the create and manage a catalog of resources article.

As an IT administrator, delegate to a catalog creator

Follow these steps to assign a user to the catalog creator role.

Prerequisite role: Global administrator, Identity Governance administrator or User administrator

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, in the Entitlement management section, click Settings.

  3. Click Edit.

    [Screenshot: Settings to add catalog creators]

  4. In the Delegate entitlement management section, click Add catalog creators to select the users or groups that you want to delegate this entitlement management role to.

  5. Click Select.

  6. Click Save.

Allow delegated roles to access the Azure portal

To allow delegated roles, such as catalog creators and access package managers, to access the Azure portal to manage access packages, you should check the administration portal setting.

Prerequisite role: Global administrator or User administrator

  1. In the Azure portal, click Azure Active Directory and then click Users.

  2. In the left menu, click User settings.

  3. Make sure Restrict access to Azure AD administration portal is set to No.

    [Screenshot: Azure AD user settings - Administration portal]

Manage role assignments programmatically (preview)

You can also view and update catalog creators and entitlement management catalog-specific role assignments using Microsoft Graph. A user in an appropriate role with an application that has the delegated EntitlementManagement.ReadWrite.All permission can call the Graph API to list the role definitions of entitlement management, and list role assignments to those role definitions.

To retrieve a list of the users and groups assigned to the catalog creators role, the role with definition id ba92d953-d8e0-4e39-a797-0cbedb0a89e8, use the Graph query:

GET $filter=roleDefinitionId eq 'ba92d953-d8e0-4e39-a797-0cbedb0a89e8'&$expand=principal
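As an added example that is not part of the original article, the following Python helper takes the JSON body returned by that query and separates catalog creator assignments into users and groups, re-checking the roleDefinitionId client-side. The response layout (unifiedRoleAssignment objects with an expanded principal) and the sample principals are constructed assumptions; the role definition id is the one given above.

```python
import json
from typing import Dict, List

# Role definition id of the entitlement management "catalog creator" role (from the article).
CATALOG_CREATOR_ROLE_ID = "ba92d953-d8e0-4e39-a797-0cbedb0a89e8"

# Constructed sample response, shaped like a Graph roleAssignments list with $expand=principal.
# Assumption: each item is a unifiedRoleAssignment carrying an expanded directoryObject principal.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": "a1", "roleDefinitionId": CATALOG_CREATOR_ROLE_ID, "principalId": "u-1",
         "principal": {"@odata.type": "#microsoft.graph.user", "id": "u-1",
                       "displayName": "Alice Example", "userPrincipalName": "alice@example.com"}},
        {"id": "a2", "roleDefinitionId": CATALOG_CREATOR_ROLE_ID, "principalId": "g-1",
         "principal": {"@odata.type": "#microsoft.graph.group", "id": "g-1",
                       "displayName": "All Employees"}},
        {"id": "a3", "roleDefinitionId": "00000000-0000-0000-0000-000000000000", "principalId": "u-2",
         "principal": {"@odata.type": "#microsoft.graph.user", "id": "u-2",
                       "displayName": "Bob Example", "userPrincipalName": "bob@example.com"}},
    ]
})


def catalog_creators(response_json: str) -> Dict[str, List[str]]:
    """Return catalog-creator principals grouped as 'users', 'groups' and 'other'.

    The roleDefinitionId is re-checked here so a mistyped $filter cannot silently
    widen the result, and groups are listed separately because every member of an
    assigned group (for example an All Employees dynamic group) can create catalogs.
    """
    result: Dict[str, List[str]] = {"users": [], "groups": [], "other": []}
    for assignment in json.loads(response_json).get("value", []):
        if assignment.get("roleDefinitionId", "").lower() != CATALOG_CREATOR_ROLE_ID:
            continue  # not a catalog creator assignment
        principal = assignment.get("principal") or {}
        kind = principal.get("@odata.type", "")
        label = (principal.get("userPrincipalName") or principal.get("displayName")
                 or assignment.get("principalId", "?"))
        if kind == "#microsoft.graph.user":
            result["users"].append(label)
        elif kind == "#microsoft.graph.group":
            result["groups"].append(label)
        else:
            result["other"].append(label)
    return result


if __name__ == "__main__":
    summary = catalog_creators(SAMPLE_RESPONSE)
    print(json.dumps(summary, indent=2))
    if summary["groups"]:
        print("Group assignments grant catalog creation to every member:", ", ".join(summary["groups"]))
```

Run it against the real response body to get a quick review of who can currently create catalogs.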

Next steps