Entitlements

Entitlements in Veriam define what a user is allowed to do once they have logged into your application. They represent the specific permissions assigned to a user and are returned as part of the OIDC claim during authentication.

No matter which access control model you use (roles, policies, attributes, or resource relationships), the end result is the same: Veriam returns a set of entitlements that your application can use to determine what the user should see or be allowed to do.

What are entitlements?

In Veriam, entitlements are permission strings that reflect what a user is allowed to access. These are included in the OIDC token under the entitlements field. Your application can use this data to dynamically adjust the user interface, enable or restrict features, or control access to sensitive actions.

Think of entitlements as the final output of your access logic.

Where entitlements come from

Veriam uses multiple access control models to determine which entitlements a user should receive:

  • Subscription-Based Access Control (SBAC): Access is granted based on the user’s active subscription. Entitlements are tied to plans and automatically updated when subscriptions change.

  • Role-Based Access Control (RBAC): Permissions are attached to roles. When a user is assigned a role, they inherit its entitlements.

  • Policy-Based Access Control (PBAC): Policies can assign entitlements based on conditions such as user attributes, device status, or environment.

  • Attribute-Based Access Control (ABAC): Attributes such as department, job title, or location are used in policy filters to determine which entitlements apply.

  • Resource-Based Access Control (ReBAC): Access decisions are made based on relationships between users and resources, and these also result in entitlements being returned.

All of these models feed into the same outcome: entitlements are returned to your application via OIDC and can be enforced client-side or server-side.
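To make the "same outcome" concrete, here is an added illustration (not Veriam's implementation, and not code from this page) of how each model can contribute entitlements that are merged into the single set placed in the claim. The plan names, role names, policies, relationships and user records below are all constructed for the example.

```javascript
// Added illustration (not Veriam's implementation): several access-control
// models each contribute entitlements, and the union becomes the claim.
// All catalog data below is constructed for the example.

// SBAC: entitlements granted by subscription plan (constructed plan names).
const PLAN_ENTITLEMENTS = {
  basic: ["feature:analytics"],
  premium: ["feature:analytics", "action:export", "access:premium-reports"],
};

// RBAC: entitlements attached to roles (constructed role names).
const ROLE_ENTITLEMENTS = {
  viewer: ["feature:analytics"],
  admin: ["action:export", "access:admin-panel"],
};

// PBAC/ABAC: a policy grants entitlements when a condition on user
// attributes (department, device status, ...) holds.
const POLICIES = [
  {
    name: "finance-can-export",
    when: (user) => user.attributes.department === "finance",
    grant: ["action:export"],
  },
  {
    name: "managed-device-gets-admin-panel",
    when: (user) => user.attributes.deviceManaged === true,
    grant: ["access:admin-panel"],
  },
];

// ReBAC: relationships between a user and a resource (constructed).
const RELATIONSHIPS = [{ user: "u-1", relation: "owner", resource: "report:q1" }];
const RELATION_ENTITLEMENTS = {
  owner: (resource) => [`access:${resource}`, `action:edit:${resource}`],
  viewer: (resource) => [`access:${resource}`],
};

// Resolve the final entitlement list for one user record. Returns a sorted,
// de-duplicated array, which is what would be emitted in the OIDC claim.
function resolveEntitlements(user) {
  const out = new Set();

  // SBAC: only an active subscription contributes anything.
  if (user.subscription && user.subscription.status === "active") {
    for (const e of PLAN_ENTITLEMENTS[user.subscription.plan] ?? []) out.add(e);
  }
  // RBAC: each assigned role contributes its entitlements.
  for (const role of user.roles ?? []) {
    for (const e of ROLE_ENTITLEMENTS[role] ?? []) out.add(e);
  }
  // PBAC/ABAC: policies whose condition holds contribute their grants.
  for (const policy of POLICIES) {
    if (policy.when(user)) for (const e of policy.grant) out.add(e);
  }
  // ReBAC: relationships the user holds on resources contribute entitlements.
  for (const rel of RELATIONSHIPS) {
    if (rel.user !== user.id) continue;
    const derive = RELATION_ENTITLEMENTS[rel.relation];
    if (derive) for (const e of derive(rel.resource)) out.add(e);
  }
  return [...out].sort();
}

// Constructed user records.
const FINANCE_VIEWER = {
  id: "u-1",
  roles: ["viewer"],
  subscription: { plan: "basic", status: "active" },
  attributes: { department: "finance", deviceManaged: false },
};
const LAPSED_PREMIUM = {
  id: "u-2",
  roles: [],
  subscription: { plan: "premium", status: "cancelled" },
  attributes: { department: "sales", deviceManaged: true },
};
```

Note that the lapsed premium subscriber gets nothing from the plan table: subscription status is part of the decision, which is why entitlements change automatically when a subscription changes rather than lingering on the user.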

Example OIDC entitlements claim

```json
{
  "entitlements": [
    "feature:analytics",
    "action:export",
    "access:premium-reports"
  ]
}
```

Your app can use these to control what the user sees and can interact with, such as hiding premium features from basic users or unlocking export tools for admins.
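The following added example (not Veriam's code, not from this page) shows a server consuming the claim above. It assumes `claims` is the payload of a token whose signature, issuer, audience and expiry your OIDC library has already verified; reading entitlements out of an unverified token gives no protection. The sample payload and the feature names other than those in the claim above are constructed.

```javascript
// Added example (not Veriam's code): enforcing entitlements from a verified
// OIDC token payload. ASSUMPTION: `claims` comes from a token that has already
// passed signature, issuer, audience and expiry checks.

// Constructed sample payload carrying the entitlements claim from the page.
const SAMPLE_CLAIMS = {
  sub: "user-123",
  iss: "https://issuer.example", // placeholder issuer, not a real Veriam value
  entitlements: ["feature:analytics", "action:export", "access:premium-reports"],
};

// Read the claim defensively: a missing or malformed entitlements claim yields
// an empty set, so every check below fails closed rather than open.
function entitlementsFrom(claims) {
  const raw = claims && claims.entitlements;
  if (!Array.isArray(raw)) return new Set();
  return new Set(raw.filter((e) => typeof e === "string"));
}

function hasEntitlement(claims, required) {
  return entitlementsFrom(claims).has(required);
}

// Server-side guard for a sensitive action: requires ALL listed entitlements
// and reports which are missing. This decision is the one that matters;
// hiding a button in the UI only improves the experience.
function authorize(claims, requiredAll) {
  const have = entitlementsFrom(claims);
  const missing = requiredAll.filter((e) => !have.has(e));
  return missing.length === 0
    ? { allowed: true, status: 200 }
    : { allowed: false, status: 403, missing };
}

// UI feature gating: which navigation items to render for this user.
// "access:admin-panel" is a constructed name used only to show a denied gate.
function visibleFeatures(claims) {
  const gates = {
    analytics: "feature:analytics",
    premiumReports: "access:premium-reports",
    adminPanel: "access:admin-panel",
  };
  return Object.fromEntries(
    Object.entries(gates).map(([name, ent]) => [name, hasEntitlement(claims, ent)])
  );
}

// Handler shape for an export endpoint: the same check runs on every request,
// independent of what the client chose to display.
function handleExport(claims) {
  const decision = authorize(claims, ["action:export", "access:premium-reports"]);
  if (!decision.allowed) return { status: 403, body: { missing: decision.missing } };
  return { status: 200, body: { exported: true } };
}
```

Use `visibleFeatures` to decide what to render and `authorize` (or a handler like `handleExport`) on every server route that performs the action; the two read the same claim, so the UI and the enforcement point cannot drift apart.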

Common use cases

  • Feature gating: Only show advanced tools to users with specific entitlements.

  • Subscription tier management: Control what features are available by plan.

  • Customer-specific configurations: Tailor access based on contract terms or trial status.

  • Security enforcement: Hide or disable sensitive actions unless the correct entitlement is present.

Best practices

  • Use clear, consistent names that reflect real product capabilities (e.g. feature:reports, action:edit, access:admin-panel). This makes it easier to onboard new developers and to troubleshoot access issues quickly.

  • Avoid assigning permissions directly to users. Instead, assign permissions through control models, like roles or policies, to keep your system scalable, maintainable, and easier to audit.

  • Regularly audit your entitlement logic to ensure it reflects your current product and pricing.
