An access profile is a group of one or more entitlements that grants a specific set of access rights associated with a source. Access profiles provide you with a lot of flexibility when you are provisioning access to your identities, based on various scenarios you need to support.
One of the fundamental benefits of access profiles is that if an identity has all of the entitlements in an access profile, those entitlements are automatically bundled together as an access profile. Any apps associated with it are added to their Launchpad automatically. However, access profiles serve many other functions:
| If your organization has the Provisioning feature enabled... |
|
| If your organization has the Certifications feature enabled... |
|
| If your organization has the Access Request feature enabled... |
|
See Provisioning Methods for more information on provisioning using access profiles.
CAUTION: If a user has all of the entitlements in an access profile, those entitlements are no longer treated as individual units. This could result in some unexpected behavior, including:
- A campaign filter based on an entitlement that previously filtered on a user with that entitlement might no longer filter on that user, because the user was granted the remaining entitlements in an access profile containing that entitlement. The entitlement is no longer counted as an individual unit, because it is part of the access profile.
-
A user is granted all the entitlements in an access profile and during all future certification campaigns, those entitlements are bundled into an access profile and must be certified as an access profile.
- A user is granted an app after being granted several entitlements individually. The entitlements were an access profile, and as soon as the user had all of them, they were bundled into an access profile that granted the user an app.
NOTES:
- To prevent data problems during certification campaigns, avoid assigning the same entitlement to more than one access profile.
- IdentityNow is not case-sensitive to entitlement names. In other words, the entitlements "Domain Users" and "domain users" are treated as the same entitlement in IdentityNow.
- To enable others in your organization to work with access profiles, you can grant individuals source admin or source sub-admin user levels. Source admins can create, manage, and edit access profiles. Source sub-admins can perform these access profile actions only on the sources associated with the governance groups they are members of.
Prerequisite:
- Load accounts and entitlements from at least one source.
Complete the following steps:
|
1. From the Admin interface, go to Access > Access Profiles.
2. Click New. |
 |
|
3. Enter a Name and Description for your access profile. Important: Be sure the name and description of your access profiles are user-friendly, descriptive, and easy to understand, especially if your site has the Access Request service or Certifications. The character limit for this description is 2000 characters.
4. Choose the source that contains the entitlements you want to use in this access profile.
5. Select an owner for your access profile. If you have the Access Request service enabled for your site, the access profile owner can be configured to review access requests. |
 |
|
6. If necessary, configure an approval process for your access profile. See How do I configure an app for access requests? for more information.
7. Select one or more entitlements for your access profile. NOTE: If an access profile has no entitlements, it is considered "empty" and will become disabled automatically. The profile will not be available for request or reassignment until entitlements are added and saved. 8. Click Save. The access profile appears in your list of access profiles. You can click the access profile to view the entitlements it contains at any time. |
 |
Revision #:
11 of 11
Last update:
Dec 01, 2020
01:05 PM
Updated by:
