Manage Access Profile Creation Permissions
How to delegate Access Profile creation to specific Operators and Groups.
Overview
By default, only Administrators can create Access Profiles in Lifecycle Management. With Access Controls enabled, Administrators can grant Creator permissions to specific Operators and Groups, allowing them to create new profiles. Users who create a profile automatically become its Owner and can edit that profile, but cannot modify profiles created by others. Administrators always retain full access to all profiles.
Users must have the Operator role to use Creator permissions — non-Operator roles (Access Reviewer, Watcher, etc.) cannot create Access Profiles even with explicit permission grants.
Early Access Feature: This feature requires enablement by Veza support. Contact your Veza support team to enable Access Controls for your tenant.
Before you start
You have the Administrator role on the root team
Access Controls are enabled on your tenant (contact Veza support)
The users receiving permissions have the Operator role assigned
Grant Access Profile creation permissions
To assign Access Profile creation permissions to users or groups:
Navigate to Lifecycle Management in the navigation sidebar.
Click Settings in the Lifecycle Management sidebar.
On the Settings page, locate the Access Profile Types section.
Click Manage Access Profile Creation Permissions.
The Manage Permissions modal opens, showing currently assigned users and groups.
Select the Type of principal to add:
User: Assign permissions to individual Veza users
Group: Assign permissions to a Veza Group (all members receive permissions)
Select the user or group from the dropdown menu.
The dropdown shows only users or groups that don't already have permissions assigned. The permission is assigned automatically when you make a selection.
Repeat steps 5-6 to assign permissions to additional users or groups.
When finished, click outside the modal or press ESC to close.
Result: Users and groups with Creator permissions can now create new Access Profiles from the Lifecycle Management > Access Profiles page.
Verify permissions
To confirm that permissions were assigned correctly:
In the Manage Permissions modal, review the list of assigned users and groups.
Each row shows:
Principal name (user or group)
Principal type (User or Group)
Permission set name ("creator")
Assigned users should now see the Create Access Profile button on the Access Profiles page.
Users without permissions will not see the Create Access Profile button.
Remove Access Profile creation permissions
To revoke Access Profile creation permissions:
Navigate to Lifecycle Management > Settings.
Click Manage Access Profile Creation Permissions.
In the permissions table, locate the user or group to remove.
Click the delete (trash can) icon next to the user or group.
Confirm the deletion when prompted.
Result: The user or group can no longer create new Access Profiles. They retain read-only access to view existing profiles.
Important: Removing a user's Creator permissions prevents them from creating new Access Profiles. However, they retain Owner permissions on profiles they previously created, allowing them to continue editing those specific profiles.
To fully revoke a user's access to Access Profiles, you must remove both:
Their Creator permission (prevents creating new profiles)
Their individual Owner permissions on specific profiles (revokes editing rights for those profiles)
Only Administrators can manage these permission assignments.
See also
Permission Sets for Configurations and Integrations - Overview of the permission sets system
Access Profiles - Understanding Access Profiles and their role in Lifecycle Management
User Roles and Permissions - Veza role definitions and capabilities
Veza Groups - Creating and managing user groups for permission assignment
Last updated
Was this helpful?