This is the draft preview of version 3.1 for the Federal Identity, Credential, and Access Management architecture.

Edit this page

3. Manage the Entitlements Lifecycle

Three hexagons with the letters I, C, and A. The I is highlighted in red for Identity Management, with a red banner for the Provisioning service.

You can assign access entitlements to individuals, roles, and groups. These entitlements define an employee or contractor’s access to agency services, so you’ll need to assign entitlements before an employee or contractor can access an agency service.

Use Case

In this use case, an administrator needs to assign entitlements to an employee or contractor.

Icon Key for the diagrams that follow.

1. Initiate the request
A diagram showing an employee or contractor requesting entitlements from an administrator.
An individual requests entitlements, or joins a team with specific access requirements.

This individual may be the employee or contractor, their supervisor, HR, or a security team member.
2. Review the request
A diagram showing an administrator comparing an entitlement request with access requirements.
The administrator compares the employee or contractor’s requested entitlements with the relevant access requirements.

If the employee or contractor qualifies for the requested entitlements and has a mission need for access, the administrator approves the request.
3. Assign the entitlements
A diagram showing an administrator assigning entitlements to the employee or contractor.
The administrator assigns the entitlements to the employee or contractor.

Any time the employee or contractor’s role or relationship changes, the administrator updates the entitlements accordingly, including removing entitlements as needed.


  • I want to indicate that an employee or contractor requires and is allowed access to an agency service, so that they can access the service when needed.
  • An employee is hired to be part of the financial review team and requires access to financial applications. The employee may have a specific role assigned to their enterprise identity record.

Next Steps

Create and issue a credential, and grant access to agency services.