Upcoming webinar: Closing the door on group sprawl

ConductorOne docs

Create access profiles

An access profile is a curated list of apps scoped to a specific employee group, so every person can see and request the access relevant to their work.

What’s an access profile?

Everyone in your organization needs access to the software your whole team uses to stay in touch and get work done. But an employee in the Accounting department probably doesn’t need access to the specialized tools the Product Design team uses, or vice versa. For both simplicity and security, limit the list of resources each employee at your company can request by creating access profiles.

Access profiles are groups of resources and entitlements. You determine the contents of each profile and who the profile is visible to. You’ll likely want to create two types of access profiles:

  • An access profile with the tools and access used by everyone in your company, which is visible to everyone

  • Access profiles scoped to certain departments, job types, or access levels, which are only visible to the folks in those groups

When requesting access in ConductorOne or through Slack, each employee can see and request the contents of all the access profiles they have access to, but nothing more.

You also have the option to allow employees to ask for all the resources and entitlements in an access profile. This is especially useful for onboarding or times when employees will need access to several interrelated entitlements.

Available profiles are shown on the Profiles tab of the Request access form and the Manage access page.

Want to automatically enroll users in access profiles to users as part of onboarding? Check out Automate onboarding requests to learn more about setting up automatic enrollment.

Create a new access profile

  1. In the navigation panel, click Access profiles.

  2. Click New profile.

  3. Give the new access profile a name and enter a description. You can edit these later, if needed.

  4. Click Continue. The new access profile’s details page opens.

  5. Add entries to the profile. Click Manage entitlements, then use the search and filter tools to zero in on the entitlements you want to add to the access profile.

    Tips for adding entitlements to access profiles:

    1. Make sure you’re adding the right access entitlements. If you have applications that are sourced through your identity provider (IdP), be sure to add the access entitlement for the app itself, and not the access entitlement for the app via IdP, which only grants the ability to SSO into the app.

    Here’s an example. When DocuSign is sourced through Okta, you’ll see two DocuSign access credentials. To add Docusign access to your access profile, choose the DocuSign credential entitlement, not the Okta app entitlement.

    2. Make sure every entitlement you add has a request policy set. Make sure that each entitlement you add to an access profile has a request policy set on either the application or the entitlement. If no request policy is set, users attempting to request the entitlement will see an error message. This is a known issue and will be corrected.

  1. When you’ve selected the entitlements you want to add to the access profile (don’t worry, you can always adjust this list later), click Save.

  2. Set who can view and request items from this access profile. In the Self-service area of the screen, click Edit.

  3. Click the toggle to Allow self-service. This makes the access profile’s contents available to the selected requesters. You can leave this toggle disabled until you’re ready to launch the access profile.

  4. Under Rerequestable by, set whether this access profile can be viewed and requested by everyone in your organization, or just members of specific groups. If you choose specific groups, use the dropdown to find and add the groups who can view and request this access profile’s contents.

  5. Set whether employees can request enrollment in the access profile, thereby receiving all of the access in the profile.

    This lets employees request the full access profile with a single request. ConductorOne will automatically create individual request tickets for each entitlement in the access profile not yet granted to the employee.

  6. Click Save.

That’s it! The access profile is shown in the list of access profile, and is self-service is enabled, its contents are visible to the employees you chose.

Add an entitlement to an existing access profile

There are two ways to add an entitlement to a access profile.

You can add an entitlement to an existing access profile by navigating to the access profile’s details page and clicking Manage entitlements. (See Step 5 of Create a new access profile for step-by-step instructions.) This method is ideal for times when you want to add multiple entitlements to a single access profile.

Alternatively, you can add an entitlement to an existing access profile from the entitlement’s details page. This method is ideal for times when you want to add a single entitlement to multiple access profile. Here’s how to proceed:

  1. In the navigation panel, click Applications.

  2. On the Managed apps tab, navigate to the entitlement you want to add to an access profile:

    • Click the application’s name
    • Click the Entitlements tab
    • Locate the entitlement you want and click its name

  3. In the Access requests section of the entitlement’s details page, click Edit.

  4. Use the Access profiles dropdown to select one or more access profiles you want to add the entitlement to.

  5. Click Save.

The entitlement is now included in the access profile. Users who have access to the access profile will see the entitlement as an option when they request access.