Documentation Experience Platform Access Control Guide

Manage access control policies

Last update: Tue Dec 02 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

Topics:
Access Control

CREATED FOR:

Admin

Access control policies are statements that bring attributes together to establish permissible and impermissible actions. Adobe provides a default policy that can be activated immediately or when your organization is ready to start controlling access to specific objects based on labels. The default policy, Default-Label-Based-Access-Control-Policy, leverages labels applied to resources to deny access unless users are in a role with a matching label.

IMPORTANT

Access control policies should not to be confused with data usage policies, which control how data is used in Adobe Experience Platform. See the guide on creating data usage policies for more information.

Configure sandboxes for a policy configure-policy

Policies are applied at the sandbox level to control which sandboxes enforce label-based access control. By default, the Auto-include feature is turned on, which means all current and future sandboxes are automatically added to the policy. When Auto-include is turned off, only the sandboxes you manually add will be subject to the policy’s access control rules.

NOTE

The Default-Label-Based-Access-Control-Policy policy is currently the only one available for configuration.

To begin configuring a policy’s sandboxes, navigate to Permissions in Adobe Experience Cloud. Select Policies from the left panel, then select the Default-Label-Based-Access-Control-Policy from the list.

The policies workspace showing a list of existing policies. {modal="regular"}

The policy’s details workspace appears. Select the Sandboxes tab to view the list of sandboxes associated with the policy and access the sandbox configuration options.

The policy's sandbox workspace showing a list of associated sandboxes. {modal="regular"}

Manage Auto-include manage-auto-include

IMPORTANT

By default, Auto-include is turned on, which means all current and future sandboxes are automatically added to the policy.

To control which sandboxes are included in a policy, you can toggle the Auto-include feature on or off. When you toggle off Auto-include, future sandboxes will not be automatically added to the policy. However, toggling off the feature will not remove any sandboxes that are already included in the policy.

The policy's sandbox tab with the Auto-include toggle highlighted and in the "off" state. {modal="regular"}

To re-enable Auto-include, use the toggle to turn it back on. The Enable Auto-include dialog appears prompting you to confirm your selection. Select Enable to complete the configuration setting.

NOTE

When you re-enable Auto-include, any sandboxes you previously removed from the policy will be re-added.

The Enable Auto-include dialog with the Enable option highlighted. {modal="regular"}

Manually manage sandboxes manually-manage-sandboxes

When Auto-includeis turned off, you can manually add or remove specific sandboxes from the policy. This gives you precise control over which sandboxes enforce the policy’s access control rules.

NOTE

To manually add or remove sandboxes, the Auto-include toggle must be off.

To add sandboxes:

Select Add Sandboxes from the policy’s sandbox workspace.

The policy's workspace with the Add Sandboxes option highlighted. {modal="regular"}

The Add Sandboxes dialog appears, displaying your library of available sandboxes. Select the sandbox(es) you wish to add to the policy and then select Save.

The Add Sandboxes dialog with a sandbox selected and the Save option highlighted. {modal="regular"}

NOTE

If all available sandboxes are already included in the policy, you will see a “You have nothing in your library” message within the dialog.

To remove sandboxes:

Find the sandbox you wish to remove from the list and select the X icon next to its name.

The policy's sandbox list with an "x" highlighted to remove a sandbox. {modal="regular"}

A confirmation dialog will appear. Select Confirm to finish removing the sandbox from the policy.

A sandbox's confirmation dialog with the Confirm option highlighted. {modal="regular"}

Activate a policy activate-policy

To activate an existing policy, select the policy from the Policies tab in Permissions. The policy’s activation status is visible under the Status section.

The policies workspace with a policy's status highlighted. {modal="regular"}

The policy’s details workspace will display. Select Activate.

The policy's detail workspace with the Activate option highlighted. {modal="regular"}

The Activate Policy dialog appears. Select Confirm to finish activating the policy.

The Activate Policy dialog with the Confirm option highlighted. {modal="regular"}

Next steps

With a policy activated, you can proceed to the next step to manage permissions for a role.

recommendation-more-help

631fcab2-5cb1-46ef-ba66-fe098ac723e0