Entitlements

The catalog you can actually keep current.

Connector-declared entitlements become first-class objects in Owlie's graph. Assignments link identities to them. Sync keeps the catalog current. Ownership and hygiene signals surface stale and orphaned access before it becomes an audit finding.

First-class objects

Every connector declares what it grants.

Roles in Auth0. Admin roles in Google Workspace. Group memberships in Microsoft Entra ID. Every connector declares the kinds of entitlements it exposes, and Owlie sync pulls the current set into the shared graph. From there, each entitlement is a first-class object — with attributes the rest of the platform can reason about: ownership, last-observed state, linked assignments, and which resource can grant it.

Signals, not surprises

Four signals that keep the catalog honest.

Ownership.

Each entitlement can carry an owner — a user or group responsible for deciding who gets it. Ownership surfaces during access reviews and drives approval routing when the entitlement is requested.

Stale observations.

When sync stops observing an entitlement Owlie previously provisioned, the assignment is marked stale instead of deleted. The signal surfaces without destroying context.

Orphaned assignments.

Identities linked to entitlements whose source object has disappeared get flagged. Useful for JML cleanup and for audits that ask "who still has access to systems we decommissioned?"

Access reviews hook.

Entitlements are a natural scope for review campaigns. Campaign owners pick the entitlements to review; reviewers see assignments per entitlement.
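Reconciling one sync snapshot against the assignment graph under the stale/orphan semantics described above, as an added example rather than Owlie's own code; the entitlement ids, identities and sync run id are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum

class State(str, Enum):
    ACTIVE = "active"
    STALE = "stale"        # entitlement still exists, but this link was not observed
    ORPHANED = "orphaned"  # the entitlement's source object has disappeared

@dataclass
class Assignment:
    identity: str
    entitlement: str
    state: State = State.ACTIVE
    last_observed: str = ""   # id of the sync run that last saw this link; "" = never

@dataclass
class Snapshot:  # what one sync run observed in a source system (constructed shape)
    run: str
    entitlements: set[str]        # source objects that still exist
    links: set[tuple[str, str]]   # (identity, entitlement) pairs held right now

def reconcile(graph: list[Assignment], snap: Snapshot) -> list[Assignment]:
    """Re-state every known assignment from a snapshot; nothing is deleted."""
    unseen = set(snap.links)
    for a in graph:
        key = (a.identity, a.entitlement)
        if a.entitlement not in snap.entitlements:
            a.state = State.ORPHANED      # source object is gone
        elif key not in snap.links:
            a.state = State.STALE         # object exists, link no longer observed
        else:
            a.state, a.last_observed = State.ACTIVE, snap.run
        unseen.discard(key)
    # links the source holds that the graph never knew about become new active assignments
    graph.extend(Assignment(i, e, State.ACTIVE, snap.run) for i, e in sorted(unseen))
    return graph

def orphans_for_audit(graph: list[Assignment]) -> list[str]:  # access to decommissioned systems
    return sorted(a.identity for a in graph if a.state is State.ORPHANED)

def review_scope(graph: list[Assignment], entitlement: str) -> list[tuple[str, str]]:
    return sorted((a.identity, a.state.value) for a in graph if a.entitlement == entitlement)

def demo() -> list[Assignment]:
    # Constructed sample: three previously provisioned assignments, then one sync run.
    graph = [Assignment("alice", "entra:group:finance"), Assignment("bob", "entra:group:finance"),
             Assignment("carol", "auth0:role:legacy-admin")]
    snap = Snapshot("sync-0001", {"entra:group:finance", "auth0:role:support"},
                    {("alice", "entra:group:finance"), ("dave", "auth0:role:support")})
    return reconcile(graph, snap)
```

In the sample run, bob's finance membership goes stale (the group still exists, his link was not observed), carol's legacy admin role is orphaned (the role itself is gone), and dave's support role is recorded as a new active assignment.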

Honest about what's missing

No entitlement-risk scoring. Not today.

Owlie does not ship a full entitlement-risk scoring model at launch. We don't synthesize "this role is risky because X + Y + Z." We surface the primitives — ownership, lifecycle state, stale flags, assignment graph — and let your policy decide. Risk scoring is a deferred feature; we'd rather say so than pretend.