# Birthright access

**Birthright access** refers to the entitlements that are granted automatically when specified conditions are true. For example, a business rule can be configured so that during the joiner process, a user with a job title of "HR Information Specialist" is automatically assigned the roles specific to that job function. The same rule can be configured to remove those roles if the job title changes during the mover process.

## Adding targets

Targets are actions performed on a user. They are invoked when the conditions defined in a business rule are met.

{% stepper %}
{% step %}

#### Select **Add target**.

{% endstep %}

{% step %}

#### Enter the **Name** and **Description** of the target.

Select **Active** to ensure the target will be applied by the business rules. Select **Save**.
{% endstep %}

{% step %}

#### Right-click the target name from the target list and select **Add action**.

{% endstep %}

{% step %}

#### Select a **Type**:

<table><thead><tr><th width="313">Action type</th><th>Description</th></tr></thead><tbody><tr><td>Activate user</td><td>Activates the user account.</td></tr><tr><td>Add user to group</td><td>Assigns the user to a group. Choose the Managed System and group.</td></tr><tr><td>Add user to organization</td><td>Assigns the user to an organization. Choose the organization type and organization.</td></tr><tr><td>Add user to role</td><td>Assigns the user to a role. Choose the Managed System and role.</td></tr><tr><td>Call Groovy script</td><td>Calls a specified Groovy script when the target is invoked.</td></tr><tr><td>Deactivate user</td><td>Deactivates the user account.</td></tr><tr><td>Disable user</td><td>Disables the user account.</td></tr><tr><td>Enable user</td><td>Enables the user account.</td></tr><tr><td>Grant resource to user</td><td>Grants a resource to the user. Choose the resource type and resource.</td></tr><tr><td>Lock user</td><td>Locks the user account.</td></tr><tr><td>Remove all entitlements (roles, groups, organizations, resources) now</td><td>Removes all entitlements from the user immediately.</td></tr><tr><td>Remove user from group</td><td>Removes the user from a group. Choose the Managed System and group.</td></tr><tr><td>Remove user from organization</td><td>Removes the user from an organization. Choose the organization type and organization.</td></tr><tr><td>Remove user from role</td><td>Removes the user from a role. Choose the Managed System and role.</td></tr><tr><td>Resume access, erase memberships end dates</td><td>Restores access by removing end dates from memberships.</td></tr><tr><td>Resume access, prolong end date for given number of days from current moment</td><td>Restores access and extends it by a specified number of days from the time the target is invoked.</td></tr><tr><td>Revoke access from resource</td><td>Revokes a resource from the user. Choose the resource type and resource.</td></tr><tr><td>Terminate access to all entitlements by setting end date for now</td><td>Ends all entitlements immediately by setting their end date to now.</td></tr></tbody></table>
{% endstep %}

{% step %}

#### Select **Save**.

Multiple actions can be added per target.
{% endstep %}
{% endstepper %}

<figure><img src="/files/IFY6xwFMZljkAZJS61BB" alt=""><figcaption></figcaption></figure>

***

## Adding business rules

Business rules define when targets are invoked by specifying conditions that are evaluated against users.

{% stepper %}
{% step %}

#### Select **Add business rules**.

{% endstep %}

{% step %}

#### Enter the **Name** and **Description** of the new business rule.

{% endstep %}

{% step %}

#### Choose an **Operation**:

<table><thead><tr><th width="185">Operation</th><th>When it applies</th></tr></thead><tbody><tr><td>All</td><td>Applied during both new user creation and user updates.</td></tr><tr><td>Add</td><td>Applied during new user creation only.</td></tr><tr><td>Update</td><td>Applied during user updates only.</td></tr></tbody></table>
{% endstep %}

{% step %}

#### Choose a **Status**: Active or Inactive.

{% endstep %}

{% step %}

#### Choose the required target in the respective section.

In **Apply selected rule when conditions match**, choose the target to invoke when conditions are met.

In **Apply selected rule when conditions DO NOT match**, choose the target to invoke when conditions are not met.

Right-click **Or** to begin building conditions:

<figure><img src="/files/1QP4UjT9vVAytxj7BWGm" alt=""><figcaption></figcaption></figure>

<table><thead><tr><th width="157.6666259765625">Option</th><th>Description</th></tr></thead><tbody><tr><td>Add <code>Or</code></td><td>Groups two or more expressions. The condition evaluates to true if any one expression is true.</td></tr><tr><td>Add <code>And</code></td><td>Groups two or more expressions. The condition evaluates to true only if all expressions are true.</td></tr><tr><td>Add <code>Expression</code></td><td>Adds an expression to evaluate. Set <strong>Negation</strong> to true to reverse the result.</td></tr><tr><td>Add <code>Groovy</code></td><td>Adds a Groovy script whose logic is evaluated against the user.</td></tr><tr><td>Edit</td><td>Edits an existing condition node.</td></tr></tbody></table>
{% endstep %}

{% step %}

#### Select **Save**.

{% endstep %}
{% endstepper %}

{% hint style="info" %}
This matching/non-matching pair is the key mechanism for automatic access transitions. When a user moves to a new job title, the matching target grants the new access and the non-matching target removes the old access — no workflow or custom preprocessing script is required.
{% endhint %}

***

## Out of sync users

Out of sync users are users who will be impacted by updated business rules but have not yet been provisioned.

* Select **Preview impacted users** to evaluate all users against the updated business rules and display the list of affected users.
* Select **Provision impacted users** to begin provisioning out of sync users.

{% hint style="info" %}
If a business rule is newly implemented and you have existing users you want it to apply to, use the **Perform Business Rules recalculation** batch task. See the [scheduled tasks documentation](https://docs.openiam.com/docs-4.2.1.14/developerguide/4-scheduledtasks) for details.
{% endhint %}
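
The matching/non-matching pair and the impacted-user preview described above, modelled as an added example (not OpenIAM code or its API). The rule shape, the `title` attribute, the action names and the role names are constructed for illustration.

```python
# Constructed model of a business rule; names and data shapes are assumptions.
# Condition nodes: ("or", [nodes]), ("and", [nodes]), ("expr", attr, value, negation)
from dataclasses import dataclass

def evaluate(node, user):
    """Evaluate a condition tree against a user's attribute dict."""
    if node[0] == "expr":
        _, attr, value, negation = node
        return (user.get(attr) == value) != negation   # Negation reverses the result
    results = [evaluate(child, user) for child in node[1]]
    return any(results) if node[0] == "or" else all(results)

@dataclass
class Rule:
    operation: str      # "All", "Add" or "Update"
    condition: tuple
    on_match: list      # target actions: ("add_role" | "remove_role", role)
    on_no_match: list
    active: bool = True

def apply_rule(rule, user, roles, event):
    """Return the user's roles after the rule runs for an "Add" or "Update" event."""
    roles = set(roles)
    if not rule.active or rule.operation not in ("All", event):
        return roles                           # rule does not apply to this event
    target = rule.on_match if evaluate(rule.condition, user) else rule.on_no_match
    for action, role in target:
        # Removing a role the user never held is a no-op.
        (roles.add if action == "add_role" else roles.discard)(role)
    return roles

def preview_impacted(rule, users, event="Update"):
    """IDs of users whose roles would change if the rule were applied now."""
    return sorted(uid for uid, (attrs, roles) in users.items()
                  if apply_rule(rule, attrs, roles, event) != set(roles))

HR_ROLE = "HR_INFO_SPECIALIST"                 # constructed role name
HR_RULE = Rule("All", ("or", [("expr", "title", "HR Information Specialist", False)]),
               [("add_role", HR_ROLE)], [("remove_role", HR_ROLE)])
USERS = {                                      # constructed sample users
    "alice": ({"title": "HR Information Specialist"}, set()),      # joiner, not provisioned
    "bob":   ({"title": "Accountant"}, {HR_ROLE}),                 # mover, stale role
    "carol": ({"title": "Accountant"}, {"FINANCE"}),               # unaffected
    "dave":  ({"title": "HR Information Specialist"}, {HR_ROLE}),  # already in sync
}
```

In this model a rule limited to `Add` is skipped on updates, so its non-matching target does not remove the old role when a title changes.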

