Managing Access Profiles
Limited Availability Release
Customers who have opted into the limited availability release of the redesigned Role and Access Profile UIs, indicated by a “cards” view on the administrative list pages, should refer to Managing Access Profiles - Limited Availability.
Access profiles are bundles of entitlements representing specific sets of access. For example, you may have one access profile that grants users read-only access to part of a system, and another access profile that grants users editing access on a wider part of that system.
Creating an Access Profile
To create a new access profile:
From the Admin interface, go to Access > Access Profiles.
Enter a Name and Description for your access profile.
Be sure the name and description of your access profiles are user-friendly and easy to understand. Certification and access request reviewers will use this description to make decisions about whether a user should have this access profile, and a detailed description will improve the quality and speed of their decisions. The character limit for this description is 2,000 characters.
Choose the source that contains the entitlements you want to use in this access profile.
Select an owner for your access profile. If you have the Access Request service enabled for your site, the access profile owner can be configured to review access requests.
If necessary, configure an approval process for your access profile. This option only appears if you have the Access Request service.
In the Entitlements section, search for entitlements from the source you selected in step 4, and select them to add them to this access profile. Add at least one entitlement to your access profile.
Select Save. The access profile appears in your list of access profiles. You can select the access profile to view the entitlements it contains at any time.
- When IdentityNow detects that an identity has access to all the entitlements that make up an access profile, the identity is automatically granted that access profile. This detection happens during identity processing.
- Administrators can still search identity data based on the separate entitlements and view the entitlements in the identity record. However, in certifications, entitlements that a user has through an access profile are encapsulated within that access profile, and approval and revocation decisions can be made only at the access profile level.
When you are done creating or making changes to your access profiles, you must apply changes to update users' access data.
Editing Access Profiles
You can make changes to any access profile in your site.
When an access profile's entitlements are edited, users that had the access profile already might gain new entitlements, but they won't lose any. Review the impacts of editing the entitlements associated with an access profile.
Prerequisite: Create at least one access profile
To edit an existing access profile:
From the Admin interface, go to Access > Access Profiles.
Select the name of the access profile you want to edit.
Make all applicable changes.
- To add a new entitlement to this access profile, start typing its name in the Entitlements section, then select it to add it to the access profile.
- To remove an entitlement from the list, select the X icon beside its name in the list.
When you are done making changes to your access profiles, you must apply changes to update users' access data.
Changing the entitlements in an access profile has the following effects:
- If entitlements are removed from the access profile, those entitlements are not removed from identities that had the previous version of this access profile. They remain as entitlements for those identities, independent of the access profile.
- If entitlements are added, the system behavior depends on how the identity was granted the access profile.
- Identities who were given the access profile through a role or lifecycle state get the added entitlements provisioned for them.
- Identities who obtained the access profile through an access profile request or through detection, based on their existing entitlements, do not get the new entitlements provisioned to their accounts. Though they keep their existing entitlements, if they don't already have the new entitlements, they are no longer shown as having the access profile.
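The detection rule stated earlier (an identity holds an access profile when it has every entitlement in it) and the edit effects listed above can be modelled in a few lines. The block below is an added example, not IdentityNow code; the identities, entitlement names and grant reasons are constructed, and the profile is edited twice, first adding an entitlement and then removing one, so each bullet above can be checked against the result.

```python
# Added example, not IdentityNow code: a model of access profile detection and
# of what happens to identities when a profile's entitlements are edited, as
# described above. Identities, entitlement names and grant reasons are
# constructed for this example.
from dataclasses import dataclass, field


@dataclass
class AccessProfile:
    name: str
    entitlements: set


@dataclass
class Identity:
    name: str
    entitlements: set
    # profile name -> how it was granted: "role", "lifecycle", "request" or "detection"
    granted_via: dict = field(default_factory=dict)


def holds_profile(identity, profile):
    """Detection during identity processing: the identity shows the profile
    only when it holds every entitlement the profile bundles."""
    return profile.entitlements <= identity.entitlements


def edit_entitlements(profile, new_entitlements, identities):
    """Apply an edit to the profile and report its effect on each identity
    that was granted it."""
    added = set(new_entitlements) - profile.entitlements
    removed = profile.entitlements - set(new_entitlements)
    profile.entitlements = set(new_entitlements)
    report = {}
    for ident in identities:
        via = ident.granted_via.get(profile.name)
        if via is None:
            continue
        provisioned = set()
        if via in ("role", "lifecycle"):
            # Role and lifecycle state grants get the added entitlements provisioned.
            provisioned = added - ident.entitlements
            ident.entitlements |= added
        # Removed entitlements stay on the identity, independent of the profile:
        # nothing is taken away from ident.entitlements.
        report[ident.name] = {
            "provisioned": provisioned,
            "kept_after_removal": removed & ident.entitlements,
            "shows_profile": holds_profile(ident, profile),
        }
    return report


def run_example():
    profile = AccessProfile("Finance Viewer", {"fin_read", "report_read"})
    identities = [
        Identity("alice", {"fin_read", "report_read"}, {"Finance Viewer": "role"}),
        Identity("bob", {"fin_read", "report_read"}, {"Finance Viewer": "detection"}),
        Identity("carol", {"fin_read", "report_read", "ledger_read"}, {"Finance Viewer": "request"}),
    ]
    # Edit 1: add ledger_read to the profile.
    after_add = edit_entitlements(profile, {"fin_read", "report_read", "ledger_read"}, identities)
    # Edit 2: remove report_read from the profile.
    after_remove = edit_entitlements(profile, {"fin_read", "ledger_read"}, identities)
    return after_add, after_remove


if __name__ == "__main__":
    for label, report in zip(("after add", "after remove"), run_example()):
        print(label, report)
```

After the first edit alice (granted through a role) is provisioned `ledger_read`, bob (granted through detection) receives nothing and no longer shows the profile, and carol (granted through a request) already held the new entitlement and keeps showing it. After the second edit every identity keeps `report_read` even though the profile no longer bundles it.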
Applying Access Profile Changes
When you have completed all the access profile changes you need to make, return to the Access Profile list page and select Apply Changes to execute identity processing for all identities. This recalculates access they should have based on the roles and lifecycle states which connect the access profiles and the identities.
Access profile changes are also applied to individual identities, through event-driven or scheduled identity processing, when their identity data changes.
Configure Provisioning Criteria for Multiple Accounts
Some identities in your organization might have more than one account on a source. If you use the provisioning service in IdentityNow, this might lead to some confusion when an access profile needs to be provisioned to an identity's account, and it isn't clear which account needs the access.
You can configure criteria that specify which account will receive access, so that when provisioning occurs, it can occur without additional intervention by your IT staff. This is applicable to lifecycle state changes and role changes.
To configure the criteria the access profile uses to choose an account:
From the Admin interface, go to Access > Access Profiles and select the access profile you want to edit.
In the Source section, select Provisioning Criteria for Multiple Accounts.
You are taken to a new page. Here, you can configure the logic used to choose which account will receive the access profile when a provisioning action takes place.
Configure the criteria using the attributes, operators, and groups available.
Choose whether to use the AND or the OR operator within groups. The other will be used between criteria groups.
If the OR operator applies between groups, only one group needs to match. Since the criteria in that group use the AND operator, all criteria in that single group must be satisfied.
If the AND operator applies between groups, every group must match. Since the criteria within each group use the OR operator, only one criterion from each group needs to be satisfied.
For each line in a group:
- Choose an account attribute in the first dropdown list.
- Use the next dropdown list to select how the attribute should be compared to the value you enter.
  - Equals - The value of the account attribute you selected must be equal to the value you enter in the third column.
  - Does Not Equal - The value of the account attribute you selected must not be equal to the value you enter in the third column.
  - Contains - The value of the account attribute you selected must contain the value you enter in the third column.
- Finally, enter the value that determines which account should receive the access profile for provisioning actions.
Select the Add icon beside a row to add a new criterion within a group. Select Add Group to add a new group of criteria.
Using these criteria, you can choose the correct account with logic ranging from a single comparison to very complex combinations.
- You might choose to provision to an account with the attribute customAccountType, the operator Equals, and the value Primary. This provisions the access to the identity's account that has the value Primary in its customAccountType attribute. This provisioning criterion doesn't use any AND/OR operators.
- You might choose to provision the access profile to the user's account where the customAccountType equals Admin, or to the user's account whose attributes have the values IT Admin and HQ. In this example, the operator within groups is AND, and the operator between groups is OR. This screenshot illustrates this example.
Whenever IdentityNow tries to provision this access profile to an identity with multiple accounts on the source, the criteria on this page are used to determine which account should receive the access. This is applicable to lifecycle state changes and role changes.
If IdentityNow is unable to determine which account should receive access based on these configurations, a manual task is created for the source owner to grant the access profile to the correct account.
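The account-selection logic described in this section (rows of attribute, operator and value; one boolean operator within groups and the other between groups; the three comparison operators; and the fall-back when no single account can be chosen) is modelled below. This is an added example, not IdentityNow code: the account records are constructed, and because the page does not name the attributes in the second group of its IT Admin / HQ example, the attributes `title` and `location` used for them are hypothetical.

```python
# Added example, not IdentityNow code: a model of the account-selection logic
# described above. Each row is (attribute, operator, value); rows are grouped,
# one boolean operator joins rows within a group and the other joins groups.
# Account records, attribute names other than customAccountType, and values
# are constructed for this example.
from dataclasses import dataclass


def _contains(actual, expected):
    # An account that lacks the attribute cannot "contain" anything.
    return actual is not None and expected in actual


# The three comparison operators offered in the second dropdown list.
OPERATORS = {
    "Equals": lambda actual, expected: actual == expected,
    "Does Not Equal": lambda actual, expected: actual != expected,
    "Contains": _contains,
}


@dataclass
class Criterion:
    attribute: str
    operator: str
    value: str

    def matches(self, account):
        return OPERATORS[self.operator](account.get(self.attribute), self.value)


@dataclass
class ProvisioningCriteria:
    groups: list                 # list of groups; each group is a list of Criterion
    within_groups: str = "AND"   # "AND" or "OR"; the other operator joins the groups

    def matches(self, account):
        within = all if self.within_groups == "AND" else any
        between = any if self.within_groups == "AND" else all
        return between(within(c.matches(account) for c in group) for group in self.groups)


def matching_accounts(criteria, accounts):
    return [a for a in accounts if criteria.matches(a)]


def select_account(criteria, accounts):
    """Return the one account the criteria single out, or None when zero or
    several accounts match (the case the page says falls back to a manual
    task for the source owner)."""
    found = matching_accounts(criteria, accounts)
    return found[0] if len(found) == 1 else None


# Constructed: one identity with three accounts on the same source.
SAMPLE_ACCOUNTS = [
    {"id": "jdoe",     "customAccountType": "Primary", "title": "Analyst",  "location": "HQ"},
    {"id": "jdoe-adm", "customAccountType": "Admin",   "title": "IT Admin", "location": "Remote"},
    {"id": "jdoe-svc", "customAccountType": "Service", "title": None,       "location": "HQ"},
]


def primary_account_example():
    # First example above: a single row, no AND/OR involved.
    criteria = ProvisioningCriteria([[Criterion("customAccountType", "Equals", "Primary")]])
    return select_account(criteria, SAMPLE_ACCOUNTS)


def admin_or_it_admin_at_hq_example():
    # Second example above: AND within groups, OR between groups. The page does
    # not name the attributes in the second group; "title" and "location" are
    # hypothetical.
    criteria = ProvisioningCriteria(
        [
            [Criterion("customAccountType", "Equals", "Admin")],
            [Criterion("title", "Equals", "IT Admin"), Criterion("location", "Equals", "HQ")],
        ],
        within_groups="AND",
    )
    return select_account(criteria, SAMPLE_ACCOUNTS)


def ambiguous_example():
    # Two accounts satisfy this row, so no single account can be chosen.
    criteria = ProvisioningCriteria([[Criterion("customAccountType", "Does Not Equal", "Service")]])
    return select_account(criteria, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    print(primary_account_example()["id"])            # jdoe
    print(admin_or_it_admin_at_hq_example()["id"])    # jdoe-adm
    print(ambiguous_example())                        # None
```

`select_account` returns `None` both when nothing matches and when more than one account matches; both are the situation the page describes as producing a manual task for the source owner, so a criteria set that can match several of an identity's accounts is worth tightening before it is relied on for lifecycle or role changes.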
Deleting Access Profiles
If you create an access profile and later decide you don't need it, you can delete it from IdentityNow. Deleting an access profile does not remove those entitlements from your system.
Prerequisites:
- At least one access profile has been created
- This access profile has been removed from any applicable provisioning configurations
To delete an access profile:
From the Admin interface, go to Access > Access Profiles.
Select the checkbox beside the access profiles you want to delete.
Open the Menu icon and select Delete.
A warning is displayed that reminds you to remove the access profile from provisioning configurations.
The access profile is deleted and removed from your list of access profiles.
If you delete an access profile after creating a certification campaign, the access profile will still appear in your certification.