Granular Admin Portal Access

The Entitlements Engine offers multiple ways to control user access to designated Features granularly. The engine lets you control your user's access to various admin portal capabilities via your Frontegg Portal. You can limit which sections your users can see in their Admin Portal and their permissions within those sections— For instance, you can assign users with a Read Only or Edit permissions (table of permissions can be viewed here. By creating a Feature Bundle inclusive of the specific features you pick, you can create dedicated subscription plans, and also upsell features for current users.



To use the functionality, make sure you have the following versions installed:

Nextjs v8.0.4
Vue v3.0.4
Angular v6.4.0
React v6.0.4

Entitling Users to Specific Admin Portal Areas

To harness the power of this ability and assign your users access to specific Admin Portal areas, do the following:

Step 1: Enable Entitlements in your SDK

Your first step would be to enable the Entitlements Engine in your frontend Entitlement SDK. Choose your tech stack from the main menu under Frontend SDKs. Each SDK includes an Entitlement Integration SDK.

    enabled: true }}

Step 2: Create Dedicated Features and Feature Bundles

  1. In your Frontegg Portal, go to your environment, choose the Entitlements tab, and then Features.
  2. Create Features for each section of the Admin portal you wish to protect. Should you wish to limit access to Single Sign On (SSO) for instance, do the following:
    1. Go to Add new feature give it a Key name and save it.
    2. Go to the Plans tab and create a new Plan. Add the feature you created previously to that bundle.
    3. Assign all the users that you wish to grant access to this feature. Click Save.
    4. Go back to the SSO feature and add the relevant permission to it (in this case - Check the Supported Permissions section below to see all supported permissions.

    5. Once this step is done, users who didn’t get access to the feature (via the Feature Bundle) will not be able to see this section in the Admin portal.


Important note

Users that were entitled to write or delete SSO will still be able to do so via API, even if they are not assigned to this feature via the bundle and in that case it will not be visible to them in the Admin Portal.

Supported Permissions

The following chart lists the permissions that users can be assigned and their corresponding location in the Admin Portal.

Permission keyPermission descriptionAdmin portal section account settings pageAccount details account settingsAccount details Tenant API tokens pageAPI tokens Tenant TokenAPI tokens Groups pageGroups Groups permissionsGroups Group usersGroups GroupsGroups GroupsGroups
fe.account-hierarchy.write.subAccountWrite subaccountsMSP
fe.account-hierarchy.delete.subAccountDelete subaccountsMSP
fe.account-hierarchy.write.subAccountAccessWrite subaccounts detailsMSP user API tokensPersonal tokens user API tokensPersonal tokens user API tokensPersonal tokens provisioning configurationsProvisioning provisioning configurationsProvisioning provisioning configurationsProvisioning security and privacy and security pagesSecurity all email domain restrictionsSecurity - Email email domain restrictionsSecurity - Email email domain restrictionsSecurity - Email IP restrictionsSecurity - IP IP restrictionsSecurity - IP IP restrictionsSecurity - IP SSO configurationsSSO SSO configurationsSSO SSO configurationsSSO SSO default rolesSSO SSO default rolesSSO Users pageUsers usersUsers usersUsers user updatesUsers user rolesUsers users rolesUsers users rolesUsers activation emailUsers invitation linkUsers*Secure generalUsers webhooks pageWebhooks
fe.connectivity.write.webhookWrite webhooksWebhooks
fe.connectivity.delete.webhookDelete webhooksWebhooks auditsAudit logs

Is User Entitled?

The Entitlements Engine works with the following logic to decide whether a user is entitled: