Access Profiles
Map application entitlements to user populations based on common roles, functions, levels, or locations in the organization.
Access Profiles govern how application entitlements are assigned to employees across your organization. These profiles define how birthright access should be granted based on segmentation criteria, which could include business role, job function, seniority level, location, or group membership. Access Profiles are used by the Manage Relationship action to assign users to specific groups, roles, permission sets, or other access-granting entities when specific conditions are met.
Profiles can be configured hierarchically to create a fine-grained model of how access should be assigned to different groups of employees. Administrators can position child profiles underneath a parent profile, with each child profile inheriting the entitlements from the parent profile.
For instance, a parent profile might be "Sales" (defining all the application entitlements that an individual belonging to the Sales organization should be granted), with child Profiles for "Account Executive," "Sales Engineering," "Sales Operations," and "Inside Sales." Each child Profile will have additional application entitlements specific to those roles. With these profiles configured, a workflow in a policy for sales engineers can use just the "Sales Engineering" Profile, which includes the access defined by the "Sales" profile.
Profile Name | Target | Relationship |
---|---|---|
Executive Employees | Active Directory | Executive Employee - Manager US (Active Directory Group) |
US Engineering Managers | Active Directory | Engineering - Manager US (Active Directory Group) |
Azure Helpdesk Role | Azure | Helpdesk Administrator (Azure AD Role) |
Google Asia Employees | Google Cloud | Google Asia Employees (Google Group) |
Since workflows in Lifecycle Management policies can apply these Profiles at all stages in a user's lifecycle, defining Profiles enables Veza to serve as a source of truth for birthright entitlements for all employees. Access Profiles also define what access-granting relationships to remove from users during de-provisioning workflows.
The access granted by a Profile can be defined by both:
- Explicitly-defined, application-specific entitlements, such as roles, groups, permission sets, etc., within the Profile. A single Access Profile can support granting one or more entitlements across one or more applications simultaneously.
- Any entitlements inherited from a parent Profile.
The example below shows Business Roles for teams, managers, and all employees, along with Profiles for different applications. When configuring workflow actions, administrators can choose from one or more Business Profiles to assign the entitlements granted by the child Profiles.
Veza offers two built-in Access Profile types for defining birthright entitlements by user segments:
Profiles are a type of Access Profile for defining access-granting relationships (such as user assignments to groups or roles) within the applications you will provision to users. Profiles are intended to represent a specific set of entitlements across one or more applications that should be granted based on a user's segmentation criteria.
Profiles should be configured in coordination with the application owner, who will best understand the exact permissions and privileges granted by various groups, roles, and other entitlements in each specific application.
Business Roles are a type of Access Profile used to model your organization's structure, based on a hierarchy of job functions, locations, and titles. Ideally, a Business Role should not itself describe specific entitlements, but it can inherit relationships from other Profiles. These will usually be named according to logical segments that should be assigned to different applications with different levels of access, such as "Sales," "QA Contractors," or "Engineering Managers."
Business Roles can inherit Profiles to enable a hierarchical approach to birthright access management. You should draft and review Access Profiles to create a map of user entitlements for each application (such as "GitHub Developers" or "Salesforce Administrators").
Create Business Roles that align with your organizational structure, especially taking location, business unit, and functional organization into consideration. Then, configure these Business Roles to inherit Profiles that describe the birthright entitlements granted to different user populations.
To create and manage Access Profiles, go to Lifecycle Management > Access Profiles.
1. Click Create Access Profile.
2. Under Access Profile Details, choose the Profile Type to create:
   - Business Role: Business roles are intended to represent logical units within your organizational structure, and can inherit entitlements defined in other Access Profiles. Use Business Roles to establish segmentation criteria based on location, role, business unit, or functional organization.
   - Profile: Profiles define entitlements that can be assigned to users in target applications, such as groups, roles, or permission sets assigned to users as birthright entitlements. Profiles cannot be inherited from other Access Profiles, but can be inherited by Business Roles. Use this profile type to define the birthright entitlements within one or more applications (such as group memberships or role assignments).
3. Profile Name and Description: You should follow a standard naming convention for all profiles to help identify them, describing the employee segment or applications the Access Profile applies to.
4. Profile Labels: Labels are available for quickly finding access profiles when configuring actions in a policy. Apply and create labels as needed to organize your Access Profiles by the employee segments and applications they apply to.
5. Assigned Relationships:
   1. Click Add Relationship.
   2. Choose the type of relationship to add:
      - Access Profile: Use the Relationship menu to pick one or more Access Profiles to grant those business roles or entitlements. This option is not available for Access Profiles with the "Profile" type.
      - Relationship: Choose the target data source and specific entities the Profile will govern access to (such as Google Cloud Platform > Google Group). This option is not available for Access Profiles with the "Business Role" type.
6. Click Assign to save the changes.
After saving an Access Profile, you can view details, edit, or pause and resume it on the Lifecycle Management > Access Profiles page.
When configuring a policy to include the Manage Relationships action, you can choose from any active profiles for the target data source.
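The sketch below is an added example, not Veza code or its API: it models the inheritance and type rules described on this page so a reviewer can see the full set of relationships a Business Role resolves to before attaching it to a workflow, and what changes when a user moves between roles. The `AccessProfile` class, its field names, the "Sales" / "Sales Engineering" hierarchy, and the set-difference treatment of movers are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AccessProfile:
    name: str
    kind: str                                         # "Business Role" or "Profile"
    relationships: set = field(default_factory=set)   # (target, entity) pairs
    includes: list = field(default_factory=list)      # names of inherited Access Profiles

def validate(profiles):
    """Return violations of the two type rules stated in the procedure above."""
    errors = []
    for p in profiles.values():
        if p.kind == "Profile" and p.includes:
            errors.append(f"{p.name}: a Profile cannot include other Access Profiles")
        if p.kind == "Business Role" and p.relationships:
            errors.append(f"{p.name}: a Business Role cannot hold direct relationships")
        errors += [f"{p.name}: unknown Access Profile {r!r}"
                   for r in p.includes if r not in profiles]
    return errors

def effective(profiles, name, path=()):
    """Explicit relationships plus everything inherited; rejects cycles."""
    if name in path:
        raise ValueError("inheritance cycle: " + " -> ".join(path + (name,)))
    p = profiles[name]
    grants = set(p.relationships)
    for ref in p.includes:
        grants |= effective(profiles, ref, path + (name,))
    return grants

def mover_diff(profiles, old, new):
    """Relationships to (grant, revoke) when a user moves between Access Profiles."""
    before, after = effective(profiles, old), effective(profiles, new)
    return after - before, before - after

# Constructed hierarchy; the two Profiles reuse rows from the table on this page.
GOOGLE = ("Google Cloud", "Google Asia Employees (Google Group)")
HELPDESK = ("Azure", "Helpdesk Administrator (Azure AD Role)")
PROFILES = {p.name: p for p in [
    AccessProfile("Google Asia Employees", "Profile", {GOOGLE}),
    AccessProfile("Azure Helpdesk Role", "Profile", {HELPDESK}),
    AccessProfile("Sales", "Business Role", includes=["Google Asia Employees"]),
    AccessProfile("Sales Engineering", "Business Role",
                  includes=["Sales", "Azure Helpdesk Role"]),
]}

if __name__ == "__main__":
    print(validate(PROFILES))
    print(sorted(effective(PROFILES, "Sales Engineering")))
    print(mover_diff(PROFILES, "Sales Engineering", "Sales"))
```

Running the resolver over every Business Role and reviewing the output with each application owner makes inherited privileged grants, such as the Helpdesk Administrator role here, visible before they become birthright access.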