Access Profiles

Access Profiles govern how application entitlements are assigned to employees across your organization. These profiles define how birthright access should be granted based on segmentation criteria, such as business role, job function, seniority level, location, or group membership. Access Profiles are used by the Manage Relationship action to assign users to specific groups, roles, permission sets, or other access-granting entities when specific conditions are met.

Profiles can be configured hierarchically to create a fine-grained model for assigning access to different employee groups. Administrators can position child profiles beneath a parent profile, with each child profile inheriting the parent profile's entitlements.

For instance, a parent profile might be "Sales" (defining all the application entitlements that an individual belonging to the Sales organization should be granted), with child Profiles for "Account Executive," "Sales Engineering," "Sales Operations," and "Inside Sales." Each child Profile will have additional application entitlements specific to those roles. With these profiles configured, a workflow in policy for sales engineers can use just the "Sales Engineering" Profile, which includes the access defined by the "Sales" profile.

Example Profiles

Since workflows in Lifecycle Management policies can apply these Profiles at all stages in a user's lifecycle, defining Profiles enables Veza to serve as a source of truth for birthright entitlements for all employees. Access Profiles also define what access-granting relationships to remove from users during de-provisioning workflows.

The access granted by a Profile can be defined by both:

• Explicitly-defined, application-specific entitlements, such as roles, groups, permission sets, etc., within the Profile. A single Access Profile can support granting one or more entitlements across one or more applications simultaneously.

• Any entitlements inherited from a parent Profile.

The example below shows Business Roles for teams, managers, and all employees, along with Profiles for different applications. When configuring workflow actions, administrators can choose from one or more Business Profiles to assign the entitlements granted by the child Profiles.

Access Profile Types

Veza offers two types of built-in Access Profile types for defining birthright entitlements by user segments:

Profiles

Profiles are a type of Access Profile used to define access-granting relationships (such as user assignments to groups or roles) within the applications you will provision to users. Profiles are intended to represent a specific set of entitlements across one or more applications that should be granted based on a user's segmentation criteria.

Profiles should be configured in coordination with the application owner, who will best understand the exact permissions and privileges granted by various groups, roles, and other entitlements in each specific application.

Business Roles

Business roles are a type of Access Profile used to model your organization's structure, based on a hierarchy of job functions, locations, and titles. Ideally, by itself, a Business Role should not describe specific entitlements but can inherit relationships from other Profiles. These will usually be named according to logical segments that should be assigned to different applications with different levels of access, such as "Sales," "QA Contractors," or "Engineering Managers."

Best Practices for Access Profile Types

Business Roles can inherit Profiles to enable a hierarchical approach to birthright access management. You should draft and review Access Profiles to create a map of user entitlements for each application (such as "GitHub Developers" or "Salesforce Administrators").

Create Business Roles that align with your organizational structure, especially considering location, business unit, and functional organization. Then, configure these Business Roles to inherit Profiles that describe the birthright entitlements granted to different user populations.

Configuring Access Profiles

To create and manage Access Profiles, go to Lifecycle Management > Access Profiles.

1. Click Create Access Profile.

2. Under Access Profile Details, choose the Profile Type to create:

   1. Business Role: Business roles are intended to represent logical units within your organizational structure, and can inherit entitlements defined in other Access Profiles. Use Business Roles to establish segmentation criteria based on location, role, business unit, or functional organization.

   2. Profile: Profiles define entitlements that can be assigned to users in target applications, such as groups, roles, or permission sets assigned to users as birthright entitlements. Profiles cannot be inherited from other Access Profiles, but can be inherited by Business Roles. Use this profile type to define the birthright entitlements within one or more applications (such as group memberships or role assignments).

3. Profile Name and Description: You should follow a standard naming convention for all profiles to help identify them, describing the employee segment or applications the Access Profile applies to.

4. Profile Labels: Labels are available for quickly finding access profiles when configuring actions in a policy. Apply and create labels as needed to organize your Access Profiles by employee segment and the applications they apply to.

5. Assigned Relationships:

   1. Click Add Relationship

   2. Choose the type of relationship to add:

      • Access Profile: Use the Relationship menu to pick one or more Access Profiles to grant those business roles or entitlements. This option is not available for Access Profiles of type "Profile".

      • Relationship: Choose the target data source and specific entities the Profile will govern access to (such as Google Cloud Platform > Google Group). This option is not available for Access Profiles with the "Business Role" type.

6. Click Assign to save the changes.

After saving an Access Profile, you can view its details, edit it, or pause and resume it on the Lifecycle Management > Access Profiles page.

When configuring a policy to include the Manage Relationships action, you can select any active profile for the target data source.

Access Profile Ownership

Access Profiles can have designated owners who are responsible for managing and maintaining the profile. Owners have elevated permissions to configure the profile, manage its lifecycle, and create additional profiles.

Who Can Be Owners

Both Veza Users and Veza Groups can be assigned as Access Profile owners:

• Individual Users: Any Veza platform user with the appropriate permissions

• Veza Groups: Both Customer Managed groups (created in Veza) and SCIM Managed groups (provisioned from identity providers). See Veza Groups for details on group types and management

Owner Eligibility Requirements

To be eligible as an Access Profile owner, a user or group must have the Creator permission set for the relevant Access Profile Type. This is a two-step configuration process:

1. Grant Profile Type Permissions:

   • Navigate to Lifecycle Management > Settings

   • Select the Profile Types tab

   • Locate the profile type in the table

   • Click the Actions button (⋮) for that profile type

   • Select Manage Permissions from the dropdown menu

   • In the Manage Permissions dialog, select USER or GROUP from the Type dropdown

   • Choose the specific user or group to grant Creator permissions

2. Assign as Owner: Once a user or group has Creator permissions for the profile type, they can be designated as owners for individual Access Profiles of that type

Owner Permissions

When a user or group is designated as an Access Profile owner, they automatically receive three distinct permissions:

1. Owner permission on the specific Access Profile

   • Read: View the profile's configuration, entitlements, and metadata

   • Update: Modify the profile's settings, labels, descriptions, and assigned relationships

   • Create: Perform create operations within the profile context

   • Delete: Remove the Access Profile

   • Enables full control over the profile's configuration and lifecycle (pause/resume)

2. Creator permission globally for all Access Profiles

   • Grants the ability to create new Access Profiles of any type (subject to other constraints)

   • Scoped to the entire access_profiles table, not limited to specific Profile Types

   • This is a privilege escalation: first-time owner assignment grants global creation capability

3. Viewer permission on the Access Profile Type

   • Read: View details about the profile type configuration and requirements

   • Scoped to the specific Profile Type of the owned profile

These permissions enable owners to not only manage their assigned profiles but also create additional profiles of any type they have access to.

Managing Owners

Access Profile owners are managed through the Access Profiles interface:

1. Navigate to Lifecycle Management > Access Profiles.

2. Locate the Access Profile in the list.

3. Click the Actions button (⋮) for that profile.

4. Select Manage Owners from the dropdown menu.

5. In the Manage Owners dialog:

   • Use the Type dropdown to select USER or GROUP.

   • Use the Name dropdown to select the specific user or group to add as an owner.

   • View and manage existing owners in the list below.

   • Click Done to save changes.

See Also

• Manage Relationships

• Lifecycle Management Policies

• Access Profile Types

• Veza Groups