Managing Access Profiles
Access profiles are bundles of entitlements representing specific sets of access. For example, you may have one access profile that grants users read-only access to part of a system, and another access profile that grants users editing access on a wider part of that system.
Creating an Access Profile
To create a new access profile:
From the Admin interface, go to Access > Access Profiles.
Enter a Name and Description for your access profile.
Be sure the name and description of your access profiles are user-friendly and easy to understand. Certification and access request reviewers will use this description to make decisions about whether a user should have this access profile, and a detailed description will improve the quality and speed of their decisions. The character limit for this description is 2000 characters.
Choose the source that contains the entitlements you want to use in this access profile.
Select an owner for your access profile. If you have the Access Request service enabled for your site, the access profile owner can be configured to review access requests.
If necessary, configure an approval process for your access profile. This option only appears if you have the Access Request service.
In the Entitlements section, search for entitlements from the source you selected in step 4, and select them to add them to this access profile. Add at least one entitlement to your access profile.
Select Save. The access profile appears in your list of access profiles. You can select the access profile to view the entitlements it contains at any time.
Editing Access Profiles
You can make changes to the name, description, and owner of any access profile in your site.
Prerequisite: Create at least one access profile
To edit an existing access profile:
From the Admin interface, go to Access > Access Profiles.
Select the name of the access profile you want to edit.
Make all applicable changes and select Save.
It is not possible to edit the entitlements in an access profile after it's created. You can create a new access profile with the entitlements you need.
Configure Provisioning Criteria for Multiple Accounts
Some identities in your organization might have more than one account on a source. If you use the provisioning service in IdentityNow, this might lead to some confusion when an access profile needs to be provisioned to an identity's account, and it isn't clear which account needs the access.
You can configure criteria that specify which account will receive access, so that when provisioning occurs, it can occur without additional intervention by your IT staff. This is applicable to lifecycle state changes and role changes.
To configure the criteria the access profile uses to choose an account:
From the Admin interface, go to Access > Access Profiles and click the access profile you want to edit.
In the Source section, select Provisioning Criteria for Multiple Accounts.
You are taken to a new page. Here, you can configure the logic used to choose which account will receive the access profile when a provisioning action takes place.
Configure the criteria using the attributes, operators, and groups available.
Choose whether to use the AND or the OR operator within groups. The other will be used between criteria groups.
If the OR operator applies between groups, the criteria from only one group are applied. Since the criteria in that group use the AND operator, all criteria from that single group are applied.
If the AND operator applies between groups, the criteria from all groups are applied. Since the criteria within each group use the OR operator, only one criterion from each group is applied.
For each line in a group:
- Choose an account attribute in the first drop-down list.
- Use the next drop-down list to select how the attribute should be compared to the value you enter.
  - Equals - The value of the account attribute you selected must be equal to the value you enter in the third column.
  - Does Not Equal - The value of the account attribute you selected must not be equal to the value you enter in the third column.
  - Contains - The value of the account attribute you selected must contain the value you enter in the third column.
- Finally, enter the value you want to determine which account should receive the access profile for provisioning actions.
Click the Add icon beside a row to add a new criterion within a group. Click Add Group to add a new group of criteria.
Using the criteria here, you can choose the correct account using a range of criteria from simple to very complex.
- You might choose to provision to an account with the attribute type, the operator Equals, and the value Primary. This will provision the access to the identity's account that has the Primary value in their customAccountType attribute. This provisioning criterion doesn't use any AND/OR operators.
- You might choose to provision the access profile to the user's account where the type equals Admin, or to the user's account with a IT Admin and a HQ. In this example, the operator within groups is AND, and the operator between groups is OR. The screenshot below illustrates this example.
Whenever IdentityNow tries to provision this access profile to an identity with multiple accounts on the source, the criteria on this page are used to determine which account should receive the access. This is applicable to lifecycle state changes and role changes.
If IdentityNow is unable to determine which account should receive access based on these configurations, a manual task is created for the source owner to grant the access profile to the correct account.
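The following added example (not IdentityNow code, and not taken from the product) models the group logic described above so you can check which account a set of criteria would select before saving it. The attribute names `jobTitle` and `location`, the sample accounts, and the rule that zero or several matching accounts both count as "unable to determine" are assumptions.

```python
# Added illustration: a local model of the criteria logic described above.
# It is not IdentityNow code and makes no API calls.

OPERATORS = {
    "Equals": lambda actual, expected: actual == expected,
    "Does Not Equal": lambda actual, expected: actual != expected,
    "Contains": lambda actual, expected: expected in actual,
}


def row_matches(account, row):
    """Evaluate one criteria row: (attribute, operator, value)."""
    attribute, operator, value = row
    # Assumption: a missing attribute is treated as an empty string.
    return OPERATORS[operator](account.get(attribute, ""), value)


def account_matches(account, groups, within="AND"):
    """Apply `within` inside each group and the other operator between groups."""
    inside, between = (all, any) if within == "AND" else (any, all)
    return between(inside(row_matches(account, r) for r in g) for g in groups)


def select_account(accounts, groups, within="AND"):
    """Return the one matching account, or None when the choice is not unique.

    Assumption: zero or several matches both count as "unable to determine",
    the case in which the page says a manual task goes to the source owner.
    """
    hits = [a for a in accounts if account_matches(a, groups, within)]
    return hits[0] if len(hits) == 1 else None


# Second example from the text. "type" is from the page; "jobTitle" and
# "location" are hypothetical attribute names, and the accounts are constructed.
GROUPS = [
    [("type", "Equals", "Admin")],
    [("jobTitle", "Equals", "IT Admin"), ("location", "Equals", "HQ")],
]
ACCOUNTS = [
    {"name": "jdoe", "type": "Standard", "jobTitle": "Analyst", "location": "HQ"},
    {"name": "jdoe-adm", "type": "Admin", "jobTitle": "Analyst", "location": "Branch"},
]

if __name__ == "__main__":
    chosen = select_account(ACCOUNTS, GROUPS, within="AND")
    print(chosen["name"] if chosen else "manual task for source owner")
```

In this model a Does Not Equal row also matches accounts that lack the attribute entirely, which is worth checking when a criterion is meant to exclude privileged accounts.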
Deleting Access Profiles
If you create an access profile and later decide you don't need it, you can delete it from IdentityNow. Deleting an access profile does not remove those entitlements from your system.
Prerequisites:
- At least one access profile has been created
- This access profile has been removed from any applicable provisioning configurations
To delete an access profile:
From the Admin interface, go to Access > Access Profiles.
Select the checkbox beside the access profiles you want to delete.
Open the Menu icon and click Delete.
A warning is displayed that reminds you to remove the access profile from provisioning configurations.
The access profile is deleted and removed from your list of access profiles.
If you delete an access profile after creating a certification campaign, the access profile will still appear in your certification.