ConductorOne docs

Create access profiles

An access profile is a curated list of apps scoped to a specific employee group, so every person can see and request the access relevant to their work.

What’s an access profile?

Everyone in your organization needs access to the software your whole team uses to stay in touch and get work done. But an employee in the Accounting department probably doesn’t need access to the specialized tools the Product Design team uses, or vice versa. For both simplicity and security, limit the list of resources each employee at your company can request by creating access profiles.

Access profiles are groups of resources and entitlements. You determine the contents of each profile and who the profile is visible to. You’ll likely want to create two types of access profiles:

  • An access profile with the tools and access used by everyone in your company, which is visible to everyone

  • Access profiles scoped to certain departments, job types, or access levels, which are only visible to the folks in those groups

When requesting access in ConductorOne or through Slack, each employee can see and request the contents of all the access profiles they have access to, but nothing more.

You also have the option to allow employees to ask for all the resources and entitlements in an access profile. This is called a profile request, and is especially useful for onboarding or times when employees will need access to several interrelated entitlements.

Profiles available to an employee for profile requests are shown on the Profiles tab of the Request access form and the Manage access page.

Want to automatically enroll users in access profiles as part of onboarding? Check out Automate onboarding & offboarding access changes to learn more about setting up automatic enrollment and unenrollment.

Create a new access profile

  1. Navigate to Admin > Access profiles.

  2. Click New profile.

  3. Give the new access profile a name and enter a description. You can edit these later, if needed.

  4. Click Continue. The new access profile’s details page opens.

  5. Assign an owner to the access profile. Click the pencil icon next to Owners: at the top of the page and select one or more owners.

    Because an access profile is a resource within the ConductorOne application, naming an owner or owners makes it possible to set up review, request, and revoke policies that assign these tasks to the owner of the access profile resource.

  6. Add entries to the profile. Click Manage entitlements, then use the search and filter tools to zero in on the entitlements you want to add to the access profile.

    Tips for adding entitlements to access profiles:

    1. Make sure you’re adding the right access entitlements. If you have applications that are sourced through your identity provider (IdP), be sure to add the access entitlement for the app itself, and not the access entitlement for the app via IdP, which only grants the ability to SSO into the app.

    Here’s an example: When DocuSign is sourced through Okta, you’ll see two DocuSign access credentials. To add DocuSign access to your access profile, choose the DocuSign credential entitlement, not the Okta app entitlement.

    2. Make sure every entitlement you add has a request policy set. Make sure that each entitlement you add to an access profile has a request policy set on either the application or the entitlement. If no request policy is set, users attempting to request the entitlement will see an error message. This is a known issue and will be corrected.

  7. When you’ve selected the entitlements you want to add to the access profile (don’t worry, you can always adjust this list later), click Save.

  8. Set who can view and request items from this access profile. In the Published area of the screen, click Edit.

  9. Enable the Published toggle. This makes the access profile’s contents available to the selected requesters. You can leave this toggle disabled until you’re ready to launch the access profile.

  10. Under Entitlements visible to, set whether this access profile can be viewed and requested by everyone in your organization, or just members of specific groups. If you choose specific groups, use the dropdown to find and add the groups who can view and request this access profile’s contents.

  11. Use the Allow profile requests toggle to set whether employees can request the entire access profile with a single request.

    ConductorOne will automatically create individual request tickets for each entitlement in the access profile not yet granted to the employee.

  12. Click Save.

That’s it! The access profile is shown in the list of access profiles, and is requestable. Its contents are visible to the employees you selected on the Request access form, the Manage access page, and in Slack (if enabled). If you allowed profile requests, your selected users can request it from the Profiles tab on the Request access form and the Manage access page.
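The rules described above (visibility by group, one ticket per missing entitlement on a profile request, and the two entitlement tips) can be modeled offline to review a planned profile before publishing it. This is an added sketch, not ConductorOne code or its API; the class names, field names and sample profiles are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: field names are assumptions, not ConductorOne's schema.
@dataclass(frozen=True)
class Entitlement:
    name: str
    has_request_policy: bool   # policy set on the app or on the entitlement
    sso_only: bool = False     # the "app via IdP" entitlement (SSO access only)

@dataclass
class Profile:
    name: str
    entitlements: list
    published: bool = False
    visible_to: Optional[set] = None   # None means everyone in the organization
    allow_profile_requests: bool = False

def requestable(profiles, user_groups):
    """Entitlements a user can see: union over published, visible profiles."""
    out = set()
    for p in profiles:
        if p.published and (p.visible_to is None or p.visible_to & user_groups):
            out |= {e.name for e in p.entitlements}
    return out

def profile_request(profile, already_granted):
    """One request ticket per entitlement in the profile the user lacks."""
    if not (profile.published and profile.allow_profile_requests):
        raise PermissionError("profile requests are not enabled for this profile")
    return [e.name for e in profile.entitlements if e.name not in already_granted]

def lint(profile):
    """Flag the two setup mistakes the tips in step 6 warn about."""
    issues = []
    for e in profile.entitlements:
        if not e.has_request_policy:
            issues.append((e.name, "no request policy: requests will error"))
        if e.sso_only:
            issues.append((e.name, "IdP app entitlement: grants SSO only"))
    return issues

# Constructed sample profiles (names are illustrative only).
EVERYONE = Profile("Everyone", [Entitlement("Chat member", True)], published=True)
FINANCE = Profile("Finance", [
    Entitlement("DocuSign credential", True),
    Entitlement("Okta app: DocuSign", True, sso_only=True),
    Entitlement("Ledger user", False),
], published=True, visible_to={"accounting"}, allow_profile_requests=True)
```

Running `lint(FINANCE)` before enabling the Published toggle surfaces the SSO-only entry and the entitlement that has no request policy.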

Add an entitlement to an existing access profile

There are two ways to add an entitlement to an access profile.

Add entitlements on the access profile’s details page

You can add an entitlement to an existing access profile by navigating to the access profile’s details page and clicking Manage entitlements. (See Step 6 of Create a new access profile for step-by-step instructions.) This method is ideal for times when you want to add multiple entitlements to a single access profile.

Enrolled users are not automatically granted new entitlements added to the access profile. If you want all currently enrolled users to receive the entitlements you’ve added to the access profile, check the Create requests for currently enrolled users box before saving your changes. ConductorOne will automatically create access request tasks for each new entitlement for each enrolled user. Alternatively, you can leave the box unchecked and follow the process in Update a current access profile holder’s grant.

Add an entitlement on the entitlement’s details page

Alternatively, you can add an entitlement to an existing access profile from the entitlement’s own details page. This method is ideal for times when you want to add a single entitlement to multiple access profiles.

  1. Navigate to Admin > Applications.

  2. On the Managed apps tab, navigate to the entitlement you want to add to an access profile:

    • Click the application’s name
    • Click the Entitlements tab
    • Locate the entitlement you want and click its name

  3. In the Access requests section of the entitlement’s details page, click Edit.

  4. Use the Access profiles dropdown to select one or more access profiles you want to add the entitlement to.

  5. Click Save.

The entitlement is now included in the access profile. Users who have access to the access profile will see the entitlement as an option on the Request access form, the Manage access page, and in Slack (if enabled).

Update a current access profile holder’s grant

If profile requests are allowed, any newly added entitlement will be included in future grants of the full access profile, but the entitlement will not be automatically granted retroactively to users who were previously granted the access profile. To manually add the new entitlement to a current profile holder’s access:

  1. Navigate to the access profile’s Setup tab.

  2. Locate the newly added entitlement in the list of entitlements included in the access profile and click the (more actions) menu.

  3. Select Manage provisioning.

  4. Any users who have been granted the full access profile but do not currently have access to the entitlement display Not granted in the Status column. Click Request for the users who you want to receive access to the new entitlement.

    You can also click Request for all to request access for all profile holders who do not have the entitlement.

That’s it! ConductorOne automatically creates an access request for the entitlement for each user. You can track the progress of the access requests at any time by returning to the Manage provisioning drawer.