## Entitlement-based access in self-service

Frontegg allows you to define how users interact with the [self-service portal](/ciam/guides/admin-portal/intro) of your application by giving you full control over their access to key features. This functionality can facilitate your business growth by enabling you to offer premium features to customers on higher-tier plans. By controlling feature access in this way, you ensure that users only receive the functionality that is relevant to them. This not only enhances the customer experience by delivering tailored solutions, but also helps you optimize your product offerings and resources.

### Step 1: Enable the entitlements option in your application code

To begin, enable the [entitlements](/ciam/guides/authorization/entitlements/intro) option in your application code by adding the following lines:

```javascript
// Passed as a prop on the Frontegg provider component; see the entitlementsOptions reference below.
entitlementsOptions={{
  enabled: true,
}}
```

See [`entitlementsOptions`](/ciam/sdks/components/fronteggappoptions#entitlementsOptions) for more information.

### Step 2: Create a feature

1. In the **Frontegg portal**, navigate to [ENVIRONMENT] → Configurations → Entitlements → Features.

   ![entitlements-features-step-1](/assets/entitlements-features-step-1.75511a3e70aa384b3f9198c2c36724cce700dfa4107c37cfaad34e0b82220b7a.b72b77a7.png)

2. Click **Create feature**.

   ![entitlements-features-step-2](/assets/entitlements-features-step-2.ebd436e8b3ed425ac2ae83fc327ade233f3c16baeaafbdb8b61bd2ea15d31c63.b72b77a7.png)

3. Enter the feature name into the **Name** field (the feature is the actual tab in the [self-service portal](/ciam/guides/admin-portal/intro) you'd like to control), a description into the **Description** field, and the feature key into the **Key** field.
4. Click **Save**.

### Step 3: Create a plan

1. Navigate to **Plans**.

   ![entitlements-features-step-3](/assets/entitlements-features-step-3.d4c74d76ecea032cf7c0542915459691a6705f0dc7bfbcfcc43bbd6bed42f6b9.b72b77a7.png)

2. Click **Create plan**.

   ![entitlements-features-step-4](/assets/entitlements-features-step-4.75637db2a3758a75d5c66c83bcd2b11c3aa42355009e22d21937e1f638ee0713.b72b77a7.png)

3. Enter the plan name into the **Name** field. Optionally, provide a description in the **Description** field and metadata in the **Metadata** field. You can also grant this plan to every new account in the environment by switching on the **Grant to all new accounts** toggle.
4. Click **Save**.

### Step 4: Add the feature to the plan

1. Go to the plan's **Features** tab.

   ![entitlements-features-step-7](/assets/entitlements-features-step-7.1e2ccc40a53794760da267168c753bfe875f2dbff3c1c9f5b4609a20ad655ec0.b72b77a7.png)

2. Click **Assign features**.

   ![entitlements-features-step-8](/assets/entitlements-features-step-8.67632afd2b62f538c1d1cf43accac1de64effc3903f155f00c5d71d495d070c4.b72b77a7.png)

3. Select the feature you created in Step 2.
4. Click **Save**.

### Step 5: Assign accounts to the plan

1. Go to the plan's **Accounts** tab.

   ![entitlements-features-step-9](/assets/entitlements-features-step-9.56af7c23f20a6e78967ba0ad1b535adffeded7efad10c8418dadc26cbbaf1c75.b72b77a7.png)

2. Click **Assign accounts**.

   ![entitlements-features-step-10](/assets/entitlements-features-step-10.613a5f48e64e9f8db683b05963e56939ba6e6d2ba62372ee0e33c23d49dafffe.b72b77a7.png)

3. Select the accounts that should receive the plan, and with it access to the feature in the self-service portal.
4. Click **Save**.

### Step 6: Define the feature's permissions

This step links a feature to its corresponding permissions. Once configured, a user is entitled to the feature only when both conditions hold: the user's account is on a plan that includes the feature, and the user holds a permission linked to the feature. A user who has the permission but whose account lacks the feature is not granted access, and neither is a user whose account has the feature but who lacks the permission. Read more about this functionality [here](/ciam/guides/authorization/entitlements/feature-based/features).

1. Go to the **Features** tab (the list of features under Entitlements).
2. In the row of your feature, click the three vertical dots at the end of the line.

   ![entitlements-features-step-11](/assets/entitlements-features-step-11.971beaec5ea2f5e6277f901f90150622a3f5c84759b3c7e87390409a5f1dc5dd.b72b77a7.png)

3. Click **Edit**.
4. Click the **Permissions** tab.

   ![entitlements-features-step-12](/assets/entitlements-features-step-12.268a790ac9443261320b3f38814aef2000156f091a0105f7897cb3f8adcec998.b72b77a7.png)

5. Click **Assign permissions**.
6. Select the required permissions.
7. Click **Assign permissions**.

   ![entitlements-features-step-13](/assets/entitlements-features-step-13.d0819f07d0f09884b62a01c72b93a83f8df047e03d2fecd4ab8939cccacb03f7.b72b77a7.png)

8. Click **Save**.

### Example integration: SSO feature

Before the change, the user had access to all available permissions, and the SSO tab was visible in the self-service portal:

![entitlements-features-step-15](/assets/entitlements-features-step-15.f2ddacc72ae897a42e114d8cac12940a696a36b80a222a586f064030c9f40ca4.b72b77a7.png)

After the change, the user no longer sees the SSO tab, because their account's plan does not include the SSO feature:

![entitlements-features-step-14](/assets/entitlements-features-step-14.955ff152d45696c78c90d9ca59e7cce530bf5d08e92b3a48b0a0a15353db1a3d.b72b77a7.png)

### Self-service features permissions

Link these permissions to features to control access to each self-service portal section through plans.
| **Permission key** | **Permission description** | **Self-service portal section** |
| --- | --- | --- |
| `fe.secure.read.accountSettings` | Read account settings page | Account details |
| `fe.secure.write.accountSettings` | Write account settings | Account details |
| `fe.secure.read.tenantApiTokens` | Read Tenant API tokens page | API tokens |
| `fe.secure.write.tenantApiTokens` | Write Tenant API tokens | API tokens |
| `fe.secure.read.groups` | Read Groups page | Groups |
| `fe.secure.write.groupsUsers` | Write Groups users | Groups |
| `fe.secure.delete.groupsUsers` | Delete Group users | Groups |
| `fe.secure.delete.groups` | Delete Groups | Groups |
| `fe.secure.write.groups` | Write Groups | Groups |
| `fe.secure.write.groupsRoles` | Write Groups roles | Groups |
| `fe.account-hierarchy.write.subAccount` | Write subaccounts | MSP |
| `fe.account-hierarchy.delete.subAccount` | Delete subaccounts | MSP |
| `fe.account-hierarchy.write.subAccountAccess` | Write subaccount access | MSP |
| `fe.secure.read.userApiTokens` | Read user API tokens | Personal tokens |
| `fe.secure.delete.userApiTokens` | Delete user API tokens | Personal tokens |
| `fe.secure.write.userApiTokens` | Write user API tokens | Personal tokens |
| `fe.secure.read.provisioningConfiguration` | Read provisioning configurations | Provisioning |
| `fe.secure.write.provisioningConfiguration` | Write provisioning configurations | Provisioning |
| `fe.secure.delete.provisioningConfiguration` | Delete provisioning configurations | Provisioning |
| `fe.secure.read.securityPolicy` | Read security and privacy pages | Security (all) |
| `fe.secure.read.emailDomainRestrictions` | Read email domain restrictions | Security - Email |
| `fe.secure.write.emailDomainRestrictions` | Write email domain restrictions | Security - Email |
| `fe.secure.delete.emailDomainRestrictions` | Delete email domain restrictions | Security - Email |
| `fe.secure.read.ipRestrictions` | Read IP restrictions | Security - IP |
| `fe.secure.write.ipRestrictions` | Write IP restrictions | Security - IP |
| `fe.secure.delete.ipRestrictions` | Delete IP restrictions | Security - IP |
| `fe.secure.read.samlConfiguration` | Read SSO configurations | SSO |
| `fe.secure.write.samlConfiguration` | Write SSO configurations | SSO |
| `fe.secure.delete.samlConfiguration` | Delete SSO configurations | SSO |
| `fe.secure.read.samlDefaultRoles` | Read SSO default roles | SSO |
| `fe.secure.write.samlDefaultRoles` | Write SSO default roles | SSO |
| `fe.secure.read.users` | Read Users page | Users |
| `fe.secure.delete.users` | Delete users | Users |
| `fe.secure.write.users` | Write users | Users |
| `fe.secure.write.updateUser` | Write user updates | Users |
| `fe.secure.delete.usersRoles` | Delete user roles | Users |
| `fe.secure.read.roles` | Read user roles | Users |
| `fe.secure.write.usersRoles` | Write user roles | Users |
| `fe.secure.write.resendActivationEmail` | Resend activation email | Users |
| `fe.secure.write.tenantInvites` | Create invitation link | Users |
| `fe.secure.*` | Secure general | Users |
| `fe.connectivity.read.webhooks` | Read webhooks page | Webhooks |
| `fe.connectivity.write.webhook` | Write webhooks | Webhooks |
| `fe.connectivity.delete.webhook` | Delete webhooks | Webhooks |
| `fe.secure.read.audits` | Read audits | Audit logs |
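The following is an added example, not Frontegg's own code or SDK, that models the rule from the "Define the feature's permissions" step with the permission keys from the table above: a self-service section is shown only when the user's account is on a plan that includes the feature **and** the user holds a permission linked to that feature. The feature keys (`sso`, `ip-restrictions`), plan names, account IDs and users are constructed for the example; treating `fe.secure.*` as a prefix wildcard, and applying "Grant to all new accounts" plans to every account without an explicit plan, are assumptions of this model rather than documented Frontegg behaviour.

```javascript
// Added example (not Frontegg's code): evaluates feature entitlement for
// self-service portal sections. All data below is constructed.

// Feature definitions: feature key -> permissions linked on the feature's Permissions tab.
const FEATURES = {
  sso: ["fe.secure.read.samlConfiguration", "fe.secure.write.samlConfiguration"],
  "ip-restrictions": ["fe.secure.read.ipRestrictions"],
};

// Plans as created under Entitlements -> Plans, with the features assigned to each.
const PLANS = {
  free: { features: [], grantToAllNewAccounts: true },
  enterprise: { features: ["sso", "ip-restrictions"], grantToAllNewAccounts: false },
};

// Plans explicitly assigned to accounts on a plan's Accounts tab.
const ACCOUNT_PLANS = { acme: ["enterprise"], startup: [] };

// Assumption for this model: an account receives its explicit plans plus every plan
// whose "Grant to all new accounts" toggle is on.
function plansForAccount(accountId) {
  const explicit = ACCOUNT_PLANS[accountId] ?? [];
  const defaults = Object.entries(PLANS)
    .filter(([, plan]) => plan.grantToAllNewAccounts)
    .map(([name]) => name);
  return new Set([...explicit, ...defaults]);
}

// Assumption: a granted key ending in ".*" (e.g. fe.secure.*) matches every
// required key sharing that prefix; all other keys must match exactly.
function permissionMatches(granted, required) {
  if (granted.endsWith(".*")) return required.startsWith(granted.slice(0, -1));
  return granted === required;
}

function hasPermission(userPermissions, required) {
  return userPermissions.some((granted) => permissionMatches(granted, required));
}

// Core rule: entitled only when the feature is in one of the account's plans AND
// the user holds at least one permission linked to the feature. The reason string
// tells the caller which half of the rule failed.
function isEntitled(user, featureKey) {
  const linked = FEATURES[featureKey];
  if (!linked) return { entitled: false, reason: "UNKNOWN_FEATURE" };

  const plans = plansForAccount(user.accountId);
  const featureInPlan = [...plans].some((p) => PLANS[p].features.includes(featureKey));
  const permitted = linked.some((req) => hasPermission(user.permissions, req));

  if (featureInPlan && permitted) return { entitled: true, reason: "OK" };
  if (!featureInPlan) return { entitled: false, reason: "MISSING_FEATURE" };
  return { entitled: false, reason: "MISSING_PERMISSION" };
}

// Self-service tabs to render for a user: only entitled features.
function visibleTabs(user) {
  return Object.keys(FEATURES).filter((key) => isEntitled(user, key).entitled);
}
```

The `startup` account below reproduces the SSO screenshots above: the user keeps every `fe.secure` permission, yet the SSO tab disappears because the account's plan does not include the feature. Note that the check must also be enforced server-side; hiding a tab in the portal is a usability measure, not an authorization boundary.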