Access Profile Types

Understanding and configuring different types of Access Profiles for Lifecycle Management and Access Requests

Last updated 3 days ago

Was this helpful?

Access Profile Types

Understanding and configuring different types of Access Profiles for Lifecycle Management and Access Requests

Overview

Access Profile Types determine the behavior of for Veza Lifecycle Management and Veza Access Requests. They define common characteristics such as:

Whether the profile can inherit entitlements from other profiles
If the profile can grant entitlements in one or more target applications
The maximum number of entitlements the profile can grant
The specific integrations where entitlements can be granted

Veza provides built-in profile types, such as Profiles and Business Roles, for hierarchical management of birthright entitlements by employee population. You can also create new profile types to meet your organization's Access Requests and Lifecycle Management needs.

Common Access Profile Type Categories

Access Profiles define collections of entitlements within one or more target applications that can be assigned to an identity. Depending on the profile type, an access profile can include certain groups or roles, or inherit entitlements from another profile.

For example, you can create different types to organize profiles by:

Applications: Granting access to an application without specific entitlements, such as access to Zoom
Single Entitlements: Defining a single entitlement within a single application, such as a user being added to the DNS Admin group in Active Directory or the Domain Name Administrator role in Entra ID
Application Entitlements: Defining multiple entitlements within a single application, such as access to several Okta Groups
Multi-Application Entitlements: Defining multiple entitlements across different applications, such as for site reliability engineers who need access to GitHub, AWS, Jira, and Snowflake, along with one or more roles and group memberships within each of those applications
Business Roles: Inheriting combinations of other profile types to model sophisticated access privileges, such as all US Call Center employees inheriting US Employee access

Managing Access Profile Types

Use Access Profile Types to set rules for all profiles using that type. You can create new profile types to implement Lifecycle Management and Access Requests based on how and what access you will grant to employees.

Creating a New Profile Type

Open Lifecycle Management > Settings
In the Profile Types section, click New Profile Type
In the sidebar, configure the new type:
- Basic Information shown when creating Access Profiles:
  - Name: Display name for the profile type, shown when creating new Access Profiles
  - Description: Extended description to document the purpose of the profile type
  - Instructions: Optional custom instructions for using the profile type, shown when creating new profiles. Note that this is useful if allowing self-service Access Profile creation.
- On Create Behavior: Set the default policy state for Access Profiles created with this profile type:
  - Default: Uses Veza's default behavior (currently sets the profile to Initial state, but this may change in future releases)
  - Initial: The Access Profile is created but remains inactive/non-functional until a user explicitly starts it to move it to Running state
  - Running: The Access Profile starts in an active state and is immediately functional with no additional action required
  - Initial Start By Admin: The Access Profile starts in Initial state but requires an administrator (not a regular user) to explicitly start it to move it to Running state
- Relationship Options:
  - Allow Inheritance from Other Access Profiles: When enabled, profiles with this type can use another access profile to specify the exact entitlements.
  - Allow Direct Relationships: When enabled, you will specify the exact entitlements when creating a profile with this type. When disabled, profiles with this type can only inherit entitlements from another profile
- Access Request Policy: Choose the default Access Request Policy to apply access duration controls and approval workflow.
  - Allow overwrite of Access Request Policy: Enable selection of an alternative policy when Access Profile creators and owners create Access Profiles of this type.
- Integrations: Choose if the Access Profile of this type supports multiple integrations, integrations of a single type, or a single instance of a single integration:
  - Allow multiple integration types: Profiles can have specific entitlements in more than one target integration type (such as one or more entitlements from any Active Directory or Okta integration)
  - Limit to a single integration type: Entitlements must be within integrations of a specific type (such as one or more entitlements from any Okta integration)
  - Limit to a single integration: Profiles are limited to a single integration (such as one or more entitlements from a specific Okta integration)
  - Create a local user account only (if limited to a single integration): Create a local user account without specific entitlements.
- Entitlements: Set the maximum number of entitlements that can be added to profiles with this type (0 for unlimited entitlements).
  - Access Profile creators and owners can choose specific entitlements when editing the profile.
  - Create New Entitlement if None Exists: Configure the CREATE_ENTITLEMENT action to run when the policy is applied, including:
    The target integration and entity type to create
    Any member conditions (ANY to apply to all identities, or restricted by a condition string)
    Enabling Continuous Sync to periodically recreate and reapply entitlements if removed within the target system.
Click Create Profile Type to save the changes

After saving a profile type, you can edit or delete it on the Lifecycle Management Settings > Profile Types tab.

To manage the users or groups allowed to create profiles of that type, click Actions > Manage Permissions.
To view profiles with a specific type, choose a profile type and click Show Access Profiles.

Best Practices for Access Profile Types

When working with Access Profile Types, consider the following best practices:

Consistent Naming: Use clear, descriptive names for profile types that indicate their purpose and scope
Appropriate Granularity: Create profile types with the right level of granularity for your organization's needs
Documentation: Add thorough descriptions and instructions to help others understand when to use each profile type
Inheritance Planning: Carefully plan which profile types should inherit from others to create a logical hierarchy
Regular Review: Periodically review profile types to ensure they continue to meet your organization's needs
Good Hygiene: Eliminate profile types that are no longer in use (when the count of Access Profiles with that type equals zero)

PreviousAccess Profiles NextPolicies