An access profile is a group of one or more entitlements that grants a specific set of access rights associated with a source. Access profiles provide you with a lot of flexibility when you are provisioning access to your identities, based on various scenarios you need to support.
One of the fundamental benefits of access profiles is that if an identity has all of the entitlements in an access profile, those entitlements are automatically bundled together as an access profile. Any apps associated with that access profile are added to the identity's Launchpad automatically. However, access profiles serve many other functions:
If your organization has the Provisioning feature enabled...
When your system is configured for it, identities can automatically be granted the entitlements in the access profile and an account on the source those entitlements come from.
You can grant identities these related entitlements and source accounts by defining and granting them roles.
If your organization has the Certifications feature enabled...
Access profiles allow your reviewers to see bundles of access that clearly define what a user can and can't do, so that they can review that access more effectively.
Bundling entitlements into access profiles allows you to certify one easily readable access profile representing a set of access, instead of certifying each entitlement individually.
Using campaign filters, you can filter certifications based on access profiles, giving you fine-grained control over the access items you're reviewing.
If your organization has the Access Request feature enabled...
By assigning access profiles to apps, you can allow your users to request access to an app. If the request is approved, the app and the access profile associated with it are granted to the user.
CAUTION: If a user has all of the entitlements in an access profile, those entitlements are no longer treated as individual units. This could result in some unexpected behavior, including:
A campaign filter based on an entitlement that previously filtered on a user with that entitlement might no longer filter on that user, because the user was granted the remaining entitlements in an access profile containing that entitlement. The entitlement is no longer counted as an individual unit, because it is part of the access profile.
A user is granted all the entitlements in an access profile. During all future certification campaigns, those entitlements are bundled into an access profile and must be certified as an access profile.
A user is granted an app after being granted several entitlements individually. Those entitlements made up an access profile, and as soon as the user had all of them, they were bundled into an access profile that granted the user an app.
To prevent data problems during certification campaigns, avoid assigning the same entitlement to more than one access profile.
IdentityNow does not treat entitlement names as case-sensitive. In other words, the entitlements "Domain Users" and "domain users" are treated as the same entitlement in IdentityNow.
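The following check is an added example, not SailPoint code or an IdentityNow API. It audits a constructed list of access profile definitions for entitlements that appear in more than one access profile (compared case-insensitively, as described above) and models, in simplified form, how holding every entitlement in a profile removes those entitlements from view as individual units. The profile names, the dictionary layout, and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample definitions; names and layout are assumptions.
PROFILES = [
    {"name": "AD Base Access", "source": "Active Directory",
     "entitlements": ["Domain Users", "VPN Users"]},
    {"name": "AD Contractors", "source": "Active Directory",
     "entitlements": ["domain users", "Contractors"]},
]

def _key(source, entitlement):
    # "Domain Users" and "domain users" are the same entitlement.
    return (source, entitlement.casefold())

def shared_entitlements(profiles):
    """Map each entitlement that sits in more than one profile to those profiles."""
    seen = defaultdict(set)
    for p in profiles:
        for e in p["entitlements"]:
            seen[_key(p["source"], e)].add(p["name"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def bundle(profiles, source, held):
    """Simplified model of bundling: returns (bundled profile names,
    entitlements still counted as individual units)."""
    held_keys = {_key(source, e) for e in held}
    bundled, covered = [], set()
    for p in profiles:
        keys = {_key(p["source"], e) for e in p["entitlements"]}
        # A profile is bundled once the identity holds all of its entitlements.
        if p["source"] == source and keys and keys <= held_keys:
            bundled.append(p["name"])
            covered |= keys
    return bundled, sorted(k[1] for k in held_keys - covered)

if __name__ == "__main__":
    print(shared_entitlements(PROFILES))
    # Before: the entitlement is an individual unit and a filter on it matches.
    print(bundle(PROFILES, "Active Directory", ["Domain Users"]))
    # After the remaining entitlement is granted, only the profile is visible.
    print(bundle(PROFILES, "Active Directory", ["Domain Users", "VPN Users"]))
```

Running the shared-entitlement check before a certification campaign shows which profiles to untangle; the second function shows why an entitlement-based campaign filter can stop matching a user after one more grant.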
To enable others in your organization to work with access profiles, you can grant individuals source admin or source sub-admin user levels. Source admins can create, manage, and edit access profiles. Source sub-admins can perform these access profile actions only on the sources associated with the governance groups they are members of.
1. From the Admin interface, go to Access > Access Profiles.
2. Click New.
3. Enter a Name and Description for your access profile.
Important: Be sure the name and description of your access profiles are user-friendly, descriptive, and easy to understand, especially if your site has the Access Request service or Certifications. The character limit for this description is 2000 characters.
4. Choose the source that contains the entitlements you want to use in this access profile.
5. Select an owner for your access profile.
If you have the Access Request service enabled for your site, the access profile owner can be configured to review access requests.
7. Select one or more entitlements for your access profile.
NOTE: If an access profile has no entitlements, it is considered "empty" and will become disabled automatically. The profile will not be available for request or reassignment until entitlements are added and saved.
8. Click Save.
The access profile appears in your list of access profiles. You can click the access profile to view the entitlements it contains at any time.