Managing Access Profiles

Access profiles are bundles of entitlements representing related sets of access from a single source. For example, in an accounting system, you could have one access profile that grants transaction entry and reporting access, and another access profile that grants vendor management access.

Access profiles are used in roles and lifecycle states and can be enabled for access requests. They can be granted to identities through:

  • Automated provisioning based on assigned lifecycle states or role criteria
  • Access requests, directly or through a role
  • Detection: when identity processing determines that a user has all of the entitlements associated with an access profile, the access profile is granted automatically. At that point, the user is no longer considered to have the entitlements individually, but instead has the access profile.

Creating Access Profiles

  1. Go to Admin > Access Model > Access Profiles.

  2. Select Create New.

  3. Complete the relevant configurations.

    • Configuration - Determine the access profile’s basic information.
    • Manage Entitlements - Choose the entitlements to include in this access profile.
    • Access Requests - Enable access requests and set a review process for requests.
    • Multiple Account Options - Set the criteria to determine which account will receive this access profile when it's provisioned to a user with multiple accounts on a source.

  4. Select Enable Access Profile in the top right. Disabled access profiles cannot be used for access requests.

Important

New or updated access profile configurations must be applied through identity processing. Refer to Applying Changes for details.

Creating Access Profiles from Sources

You can also create access profiles within the source itself.

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to create access profiles in.
  3. In the Aggregation History and Connections section, select Access Profiles.
  4. Select Create Access Profile.
  5. Complete the relevant configurations.

    • Configuration - Determine the access profile’s basic information.
    • Manage Entitlements - Choose the entitlements to include in this access profile.
    • Access Requests - Enable access requests and set a review process for requests.
    • Multiple Account Options - Set the criteria to determine which account will receive this access profile when it's provisioned to a user with multiple accounts on a source.
  6. If you want to use this access profile in access requests, select Enable Access Profile in the top right.

Configuration

When creating an access profile, you will define the access profile’s basic details.

  1. In the Name field, enter a unique and descriptive name for your access profile.

  2. Select the Owner dropdown list to choose an identity to own this access profile. This identity can be configured as a reviewer in access requests or certifications.

    To find an identity in this field, begin typing their name.

  3. In the Description field, provide additional details about this access profile and the access it contains. This field allows a maximum of 2,000 characters.

    Best Practice

    Provide user-friendly, informative names and descriptions for your access profiles. Both are visible in certifications, access requests, and approvals. A detailed description will improve the quality and speed of reviewer decisions.

  4. Select the Entitlement Source dropdown list to choose the source the entitlements in this access profile should come from. This can't be edited later.

  5. Select Save.

Manage Entitlements

Access profiles must contain at least one entitlement.

  1. In the access profile configuration, select Manage Entitlements.
  2. In the Add Entitlement field, search for an entitlement from the source you selected in the Configuration page and select + to add it to this access profile.
  3. Add more entitlements as needed.

    • Select X in the Delete column of an entitlement row to remove it from the access profile.
  4. Select Save.

When this access profile is provisioned to an identity, these entitlements will be granted to that identity.

Access Requests

If you have the Access Request service in your site, you can configure access profiles that users can request in the Request Center. Refer to Access Requests for details.

Multiple Account Options

When an identity has multiple accounts on a source, you can specify the criteria for determining which of the user’s accounts should receive the access in automated provisioning. These criteria are not applied for users with only one account on the source.

Important

  • These criteria only apply when access profiles are automatically provisioned through lifecycle states or automated role assignment.
  • These criteria do not apply to access requests. Access requests are not supported for users with multiple accounts on the entitlement source.

If no account matches or if more than one account matches the specified criteria, a manual task is created for the source owner to add the access profile’s entitlements to the correct account.

To configure the account selection criteria:

  1. In the access profile configuration, select Multiple Account Options.

  2. In the Attribute field, select the account attribute to use in this filter.

  3. In the Operation dropdown list, choose an operation to compare the attribute to the value you enter.

    • Equals - The attribute and value must match.
    • Does Not Equal - The attribute and value cannot match.
    • Contains - The specified value must exist somewhere within the attribute’s value.
  4. Type a value in the Value field to compare to the attribute. This field is case insensitive.

  5. If you need multiple criteria, select Add Criteria and repeat steps 2-4.

    • Use the Within Groups toggle to specify whether your criteria should be combined with an AND or an OR operator.
      • AND means all criteria must be met while OR means meeting any of the criteria produces a match.
  6. If your requirements are more complex, needing both AND and OR, use Add Group to add another group.

    The operator not selected for Within Groups will automatically apply between groups.

    When a provisioning action takes place that would grant this access profile to an identity with multiple accounts on this source, the criteria on this page will be used to determine which account should receive the access.

Account Selection Criteria Examples

Your configuration to choose the correct account could range from simple to very complex.

Simple selection criteria don’t use any AND/OR operators. To provision the access to the identity's account that has the Primary value in the type attribute, specify attribute type, the operator Equals, and value Primary.

Very complex criteria might include both AND and OR. To provision the access profile to the user's account where the type equals Admin, or to the user's account with a title of Admin and a location of HQ, you must specify the title and location requirements together with AND while including the type in an OR branch.
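
The grouping rules above, modeled in Python as an added example (this is not SailPoint code; the function names, the constructed account records, and the treatment of a missing attribute as an empty string are assumptions). It evaluates the complex criteria just described with Within Groups set to AND, so OR applies between groups, and returns either the single matching account or a manual task for the source owner.

```python
# Added illustration: a model of the documented account selection rules,
# not SailPoint's implementation. Account records below are constructed.

OPERATIONS = {
    "Equals": lambda actual, value: actual == value,
    "Does Not Equal": lambda actual, value: actual != value,
    "Contains": lambda actual, value: value in actual,
}

def criterion_matches(account, criterion):
    attribute, operation, value = criterion
    # The Value field is case insensitive. Assumption: missing attribute is "".
    actual = str(account.get(attribute, "")).casefold()
    return OPERATIONS[operation](actual, value.casefold())

def account_matches(account, groups, within_groups="AND"):
    # The operator not selected for Within Groups applies between groups.
    inner, outer = (all, any) if within_groups == "AND" else (any, all)
    return outer(inner(criterion_matches(account, c) for c in group)
                 for group in groups)

def select_account(accounts, groups, within_groups="AND"):
    # Criteria are not applied when the user has only one account on the source.
    if len(accounts) == 1:
        return ("provision", accounts[0]["id"])
    matches = [a["id"] for a in accounts
               if account_matches(a, groups, within_groups)]
    # Exactly one match is provisioned; zero or several become a manual task.
    if len(matches) == 1:
        return ("provision", matches[0])
    return ("manual_task", matches)

# type = Admin  OR  (title = Admin AND location = HQ)
CRITERIA = [
    [("type", "Equals", "Admin")],
    [("title", "Equals", "Admin"), ("location", "Equals", "HQ")],
]

ACCOUNTS = [  # constructed sample accounts for one identity on one source
    {"id": "acct-1", "type": "Primary", "title": "Analyst", "location": "HQ"},
    {"id": "acct-2", "type": "Service", "title": "ADMIN", "location": "hq"},
]

if __name__ == "__main__":
    print(select_account(ACCOUNTS, CRITERIA))
    ambiguous = ACCOUNTS + [{"id": "acct-3", "type": "admin"}]
    print(select_account(ambiguous, CRITERIA))
```

Running candidate criteria against an identity's real account attributes this way shows in advance whether privileged access would land on exactly one account or fall back to a manual task.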

Editing Access Profiles

You can change most of the access profile attributes defined when creating an access profile.

To edit an existing access profile:

  1. Go to Admin > Access Model > Access Profiles.

  2. Select Actions > Edit on the access profile you want to edit.

  3. Make changes to the access profile’s configuration, entitlements, access request configurations, or account selection logic. Select Save on each page you change.

    • You cannot change the Entitlement Source. To change your source, create a new access profile and delete the unneeded one.
    • Refer to Changing Access Profile Entitlements for the impact of editing the entitlements in an access profile.

Best Practice

When you have completed a set of access profile and role changes, select Apply Changes to apply the new configurations to all identities through identity processing.

Changing Access Profile Entitlements

When an access profile's entitlements are edited, users who already had the access profile might gain new entitlements, but they won't lose any.

When entitlements are removed from an access profile:

  • Those entitlements are not removed from identities that currently have the access profile.
  • The removed entitlements become independent entitlements for the identity, detached from the access profile.

When entitlements are added to an access profile:

  • For identities that have the access profile due to a role or lifecycle state assignment, the added entitlements are provisioned to their accounts to enforce the role or lifecycle state’s requirements.
  • For identities that have the access profile due to detection or based on a previous access request for the access profile itself, the additional entitlements are not provisioned.
    • The user’s entitlements do not change.
    • The user only retains the access profile if they already have all of the entitlements in the new list.

These changes take place the next time the identity is evaluated in identity processing.

Applying Changes

Access Profile configuration changes are not immediately applied to identities. You must select Apply Changes on the access profile list page to initiate identity processing for all identities in your organization, to recalculate users’ access based on your changes.

For best system performance, wait to select Apply Changes until you are ready to apply the whole set of configuration changes to your whole set of identities. Selecting it for roles, access profiles, or applications automatically processes all three.

Deprovisioning with Access Profiles

You can revoke access profiles from users through various provisioning actions such as access removal requests and lifecycle state changes.

The following are the limitations and behavior of access profile deprovisioning:

  • Roles supersede access profiles.
    • If the identity was granted an access profile based on their membership in a role, the access profile can't be deprovisioned directly. The identity must be removed from the role, which also deprovisions its access profiles and their entitlements.
    • If a role assignment contains overlapping access with an access profile, the user will retain the role's required access when the access profile is revoked.
  • Overlapping entitlements between access profiles are revoked.
    • When a user has two access profiles (not through roles) with overlapping entitlements, revoking one of those access profiles removes all of its entitlements.
    • The user will lose the second access profile because they do not have its required entitlements. However, any other entitlements granted to the user by the second access profile are retained as individual entitlements.
    • This is true whether the access profile was detected for the user or granted to them through provisioning processes.
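
The overlap rules above leave some entitlements behind as individual access, which is worth checking after a revocation. The following added example (a set-based model of the documented behavior, not SailPoint code; the profile names, entitlement names and dictionary layout are constructed assumptions) computes what an identity holds after one directly held access profile is revoked.

```python
# Added illustration: models the documented deprovisioning rules with sets.
# Profile and entitlement names are constructed sample data.

CATALOG = {
    "Ledger Entry": {"post_journal", "run_reports"},
    "Vendor Management": {"run_reports", "edit_vendor"},
}

def revoke_access_profile(identity, name, catalog=CATALOG):
    # Roles supersede access profiles: no direct deprovisioning.
    if name in identity["role_profiles"]:
        raise ValueError("granted through a role; remove the identity from the role")
    if name not in identity["direct_profiles"]:
        raise KeyError(name)

    # All of the profile's entitlements go, except access a role still requires.
    removed = catalog[name] - identity["role_entitlements"]
    entitlements = identity["entitlements"] - removed

    # Any other directly held profile now missing an entitlement is lost.
    kept, lost = set(), set()
    for other in identity["direct_profiles"] - {name}:
        (kept if catalog[other] <= entitlements else lost).add(other)

    # What no remaining role or profile accounts for is individual access.
    covered = identity["role_entitlements"].union(*(catalog[p] for p in kept))
    return {
        "entitlements": entitlements,
        "direct_profiles": kept,
        "lost_profiles": lost,
        "individual_entitlements": entitlements - covered,
    }

def sample_identity(role_entitlements=()):
    # Constructed identity holding both profiles directly (not through roles).
    return {
        "entitlements": {"post_journal", "run_reports", "edit_vendor"},
        "direct_profiles": {"Ledger Entry", "Vendor Management"},
        "role_profiles": set(),
        "role_entitlements": set(role_entitlements),
    }

if __name__ == "__main__":
    print(revoke_access_profile(sample_identity(), "Ledger Entry"))
    print(revoke_access_profile(sample_identity({"run_reports"}), "Ledger Entry"))
```

In the first call, `edit_vendor` survives with no access profile attached, so it will only be reviewed as a standalone entitlement in later certifications.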

Disabling an Access Profile

You can disable access profiles if you need to pause their usage.

To disable an access profile:

  1. Go to Admin > Access Model > Access Profiles.

  2. Select Actions > Disable on the access profile you want to disable.

    Disabling an access profile has these implications:

    • Removes the access profile from the Request Center (if previously enabled for requests).
    • Removes the access profile from your identities the next time they are examined in identity processing.
    • Does not deprovision its entitlements from identities who previously held the access profile. Identities will keep the entitlements; they will just no longer be associated with the access profile.
    • The access profile still appears in existing certifications, and any revocation decisions can still be enforced.

The access profile will still appear in any roles or lifecycle states that previously included it to facilitate reenabling and applying it again later.

Important

If all the entitlements in an access profile are deleted, the access profile is automatically disabled. This can occur when entitlements from the source are aggregated and the access profile's entitlements are no longer present. Information about deleted entitlements' connection to access profiles is not retained, so if they are later recreated in the source and re-added, the access profile will need to be rebuilt.

Deleting an Access Profile

You can delete access profiles if you no longer need them.

Important

You cannot delete an access profile that is currently included in any provisioning configuration. You must first remove it from all lifecycle states and roles.

To delete an access profile:

  1. Go to Admin > Access Model > Access Profiles.

  2. Select Actions > Delete on the access profile you want to remove.

    You can also select the checkbox beside the name of each access profile you want to delete and select the Delete button.

  3. A warning appears, reminding you to remove the access profiles from provisioning configurations. Select Continue.

Deleting an access profile has these implications:

  • Removes the access profile from the Request Center (if it was previously enabled for requests).
  • Removes the access profile from roles or lifecycle states that previously included it.
  • Does not deprovision its entitlements from identities who previously held the access profile. Identities will keep the entitlements, but they will no longer be associated with the access profile.
  • The access profile still appears in existing certifications, and any revocation decisions can still be enforced.
