Access control overview
Access control for Experience Platform is provided through the Adobe Admin Console. This functionality leverages product profiles in Admin Console, which link users with permissions and sandboxes.
Access control hierarchy and workflow
In order to configure access control for Experience Platform, you must have administrator privileges for an organization that has an Experience Platform product integration. The minimum role that grant or withdraw permissions is a product profile administrator. Other administrator roles that can manage permissions are product administrators (can manage all profiles within a product) and system administrators (no restrictions). See the Adobe Help Center article on administrative roles for more information.
From this point on, any mentions of “administrator” in this document refer to a product profile administrator or higher (as outlined above).
A high-level workflow for gaining and assigning access permissions can be summarized as follows:
- After licensing Adobe Experience Platform, or an Application/App Service that uses Experience Platform, an email is sent to the administrator specified during licensing.
- The administrator logs in to Adobe Admin Console and selects Adobe Experience Platform from the list of products on the overview page.
- The administrator can view the default product profiles or create new customer product profiles as needed.
- The administrator can edit the permissions and users for any existing product profiles.
- When creating or editing a product profile, the administrator adds users to the profile using the users tab, and grants permissions to these users (such as “Read Datasets” or “Manage Schemas”) by accessing the permissions tab. Similarly, the administrator can assign access to sandboxes using the same permissions tab.
- When users log in to the Experience Platform user interface, their access to Platform capabilities is driven by the permissions that have been granted to them from Step 2. For example, if a user does not have the “View Datasets” permission, the Datasets tab in the side menu will not be visible to that user.
For more detailed steps on how to manage access control in Experience Platform, see the access control user guide.
All calls to Experience Platform APIs are validated for permissions, and will return errors if the appropriate permission(s) are not found in the current user context. Within the UI, elements will be hidden or altered depending on permissions granted to the current user.
Adobe Admin Console
Adobe Admin Console provides a central location for managing Adobe product entitlements and access for your organization. Through the console, you can grant groups of users access permissions for various Platform capabilities, such as “Manage Datasets”, “View Datasets”, or “Manage Profiles”.
Product profiles
In the Admin Console, permissions are assigned to users through the use of product profiles. Product profiles allow you to grant permissions to one or multiple users, and also contain their access to the scope of the sandboxes that are assigned to them through product profiles. Users can be assigned to one or multiple product profiles belonging to your organization.
Default product profiles
Experience Platform comes with two pre-configured default product profiles. The following table outlines what is provided in each default profile, including the sandbox they grant access to as well as the permissions they grant within the scope of that sandbox.
| Product profile | Sandbox access | Permissions |
|---|---|---|
| Default production all access | Production | All permissions applicable to Experience Platform, except for Sandbox Administration permissions. |
| Sandbox Administrators | N/A | Provides access only to Sandbox Administration permissions. |
Sandboxes and permissions
Non-Production sandboxes are a form of data virtualization that allow you to isolate data from other sandboxes and are typically used for development experiments, testing, or trials. A product profile’s permissions give the profile’s users access to Platform features within the sandbox environments to which they’ve been granted access to. A default Experience Platform license grants you five sandboxes (one production and four non-production). You can add packs of ten non-production sandboxes up to a maximum of 75 sandboxes in total. Please contact your IMS Org Administrator or your Adobe sales representative for more details.
For more information about sandboxes in Experience Platform, please refer to the sandboxes overview.
Access to sandboxes
Access to sandboxes is managed through product profiles. For detailed steps on how to enable access to a sandbox for a product profile, see the access control user guide.
Users can be granted access to one or more sandboxes within a product profile. If one user is included in two or more product profiles, that user will have access to all sandboxes included in those profiles.
The “Sandbox Management” permission allows users to manage, view, or reset sandboxes.
Permissions
The permissions tab within a product profile displays the sandboxes and permissions that are active for that profile:
Permissions that are granted through the Admin Console are sorted by category, with some permissions granting access to several low-level functionalities.
The following table outlines the available permissions for Experience Platform in the Admin Console, with descriptions of the specific Platform capabilities they grant access to. For detailed steps on how to add permissions to a product profile, see the access control user guide.
| Category | Permission | Description |
|---|---|---|
| Alerts | View Alerts History | Read-only access for alerts history. |
| Alerts | Resolve Alerts | Access to read, edit, and delete alerts. |
| Alerts | View Alerts | Read-only access for alerts. |
| Alerts | Manage Alerts | Access to read, create, edit, and delete alerts history. |
| Data Hygiene | View Data Hygiene | Read-only access for data hygiene. |
| Data Hygiene | Manage Data Hygiene | Access to read, create, edit, and delete data hygiene. |
| Data Modeling | Manage Schemas | Access to read, create, edit, and delete schemas and related resources. |
| Data Modeling | View Schemas | Read-only access to schemas and related resources. |
| Data Modeling | Manage Relationships | Access to read, create, edit, and delete schema relationships. |
| Data Modeling | Manage Identity Metadata | Access to read, create, edit, and delete identity metadata for schemas. |
| Data Management | Manage Datasets | Access to read, create, edit, and delete datasets. Read-only access for schemas. |
| Data Management | View Datasets | Read-only access for datasets and schemas. |
| Data Management | Data Monitoring | Read-only access to monitoring datasets and streams. |
| Profile Management | Manage Profiles | Access to read, create, edit, and delete datasets that are used for customer profiles. Read-only access to available profiles. |
| Profile Management | View Profiles | Read-only access to available profiles. |
| Profile Management | Manage Segments | Access to read, create, edit, and delete segments. |
| Profile Management | View Segments | Read-only access to available segments. |
| Profile Management | Manage Merge Policies | Access to read, create, edit, and delete merge policies. |
| Profile Management | View Merge Policies | Read-only access to available merge policies. |
| Profile Management | Export Audience for Segment | Ability to export an evaluated audience segment to a dataset. |
| Profile Management | Evaluate a Segment to an Audience | Ability to generate profiles for an audience by evaluating a segment definition… |
| Identity Management | Manage Identity Namespaces | Access to read, create, edit, and delete identity namespaces. |
| Identity Management | View Identity Namespaces | Read-only access for identity namespaces. |
| Identity Management | View Identity Graph | Read-only access for identity graphs. |
| Sandbox Administration | Manage Sandboxes | Access to read, create, edit, and delete sandboxes. |
| Sandbox Administration | View Sandboxes | Read-only access for sandboxes belonging to your organization. |
| Sandbox Administration | Reset a Sandbox | Ability to reset a sandbox. |
| Destinations | Manage Destinations | Access to read, create, edit, and disable destinations. |
| Destinations | View Destinations | Read-only access to available destinations in the Catalog tab and authenticated destinations in the Browse tab. |
| Destinations | Activate Destinations | Ability to activate data to active destinations that have been created. This permission requires either View Destinations or Manage Destinations to be granted to the user who will activate destinations. |
| Destinations | Manage and Activate Dataset Destinations | Ability to read, create, edit, and disable dataset export flows. Ability to also activate data to active datasets that have been created. |
| Destinations | Destination Authoring | Ability to author destinations using Adobe Experience Platform Destination SDK. |
| Data Ingestion | Manage Sources | Access to read, create, edit, and disable sources. |
| Data Ingestion | View Sources | Read-only access to available sources in the Catalog tab and authenticated sources in the Browse tab. |
| Data Ingestion | Manage Audience Share Connections | Access to create, accept, and decline partner handshakes to connect two IMS Organizations and enable Segment Match flows. |
| Data Ingestion | Manage Audience Share | Access to read, create, edit, and publish Segment Match feeds with active partners. |
| Data Science Workspace | Manage Data Science Workspace | Access to read, create, edit, and delete in Data Science Workspace. |
| Data Governance | Apply Data Usage Labels | Access to read, create, and delete usage labels. |
| Data Governance | Manage Data Usage Policies | Access to read, create, edit, and delete data usage policies. |
| Data Governance | View Data Usage Policies | Read-only access for data usage policies belonging to your organization. |
| Data Governance | View User Activity Log | Read-only access to view recorded audit logs of Platform activities. |
| Dashboards | View License Usage Dashboard | Read-only access to view the license usage dashboard. |
| Dashboards | Manage Standard Dashboards | Add custom attributes that are not yet in the data warehouse. |
| Query Service | Manage Queries | Access to read, create, edit, and delete structured SQL queries for Platform data. |
| Query Service | Manage Query Service Integration | Access to create, update, and delete non-expiring credentials for Query Service access. |
Next steps
By reading this guide, you have been introduced to the main principles of access control in Experience Platform. You can now continue to the access control user guide for detailed steps on how use the Admin Console to create product profiles and assign permissions for Platform.
Business.Adobe.com resources
Resources
Adobe Account
