Access control overview

Access control for Adobe Experience Platform is provided through Permissions in Adobe Experience Cloud. Permissions uses roles and policies, which link users with permissions and sandboxes.

Access control hierarchy and workflow

To configure access control for Experience Platform, you must have system or product administrator privileges for an organization that has an Experience Platform product. The minimum role that can grant or withdraw permissions is product administrator; system administrators can also manage permissions, with no restrictions. See the Adobe Help Center article on administrative roles for more information.

NOTE
From this point on, any mentions of “administrator” in this document refer to a product administrator or higher (as outlined above).

A high-level workflow for gaining and assigning access permissions can be summarized as follows:

  • After licensing Adobe Experience Platform, or an Application/App Service that uses Experience Platform, an email is sent to the administrator specified during licensing.
  • The administrator logs in to Adobe Admin Console and selects Adobe Experience Platform from the list of products on the overview page.
  • To grant access to Experience Platform, it is recommended that the administrator add users to the default product profile: AEP-Default-All-Users.
  • In Experience Platform Permissions, the administrator can create new roles or edit the permissions and users for any existing roles.
  • When creating or editing a role, the administrator adds users to the role using the users tab, and grants permissions to these users (such as “Read Datasets” or “Manage Schemas”) by editing the role’s permissions. Similarly, the administrator can assign access to sandboxes using the same editing option.
  • When users log in to the Experience Platform user interface, their access to Experience Platform capabilities is driven by the permissions that have been granted to them from the previous step. For example, if a user does not have the View Datasets permission, the Datasets tab in the side menu will not be visible to that user.

For more detailed steps on how to manage access control in Experience Platform, see the access control user guide.

All calls to Experience Platform APIs are validated for permissions, and will return errors if the appropriate permission(s) are not found in the current user context. Within the UI, elements will be hidden or altered depending on permissions granted to the current user.

Permissions

Permissions provides a central location for managing Experience Platform access for your organization. Through Permissions, you can grant groups of users access permissions for various Experience Platform capabilities, such as Manage Datasets, View Datasets, or Manage Profiles.

Roles

In the Roles section, permissions are assigned to users through roles. A role grants permissions to one or multiple users and scopes that access to the sandboxes assigned to the role. Users can be assigned to one or multiple roles belonging to your organization.

Default roles

Experience Platform comes with two pre-configured default roles. The following table outlines what is provided in each default role, including the sandbox it grants access to as well as the permissions it grants within the scope of that sandbox.

| Role | Sandbox access | Permissions |
| --- | --- | --- |
| Default production all access | Production | All permissions applicable to Experience Platform, except for Sandbox Administration permissions. |
| Sandbox Administrators | N/A | Provides access only to Sandbox Administration permissions. |

Sandboxes and permissions

Non-production sandboxes are a form of data virtualization that allow you to isolate data from other sandboxes and are typically used for development experiments, testing, or trials. A role's permissions give the role's users access to Experience Platform features within the sandbox environments to which they have been granted access. A default Experience Platform license grants you five sandboxes (one production and four non-production). You can add packs of ten non-production sandboxes up to a maximum of 75 sandboxes in total. Please contact your organization's administrator or your Adobe sales representative for more details.

For more information about sandboxes in Experience Platform, please refer to the sandboxes overview.

Access to sandboxes

Access to sandboxes is managed through roles. For detailed steps on how to enable access to a sandbox for a role, see the attribute based access control roles guide.

Users can be granted access to one or more sandboxes within a role. If one user is included in two or more roles, that user will have access to all sandboxes included in those roles.

The “Sandbox Management” permission allows users to manage, view, or reset sandboxes.

Resource permissions

The Resource permissions tab within a role displays the sandboxes and permissions that are active for that role.

Permissions that are granted through the resource permissions are sorted by category, with some permissions granting access to several low-level functionalities.

The following table outlines the available permissions for Experience Platform in the role, with descriptions of the specific Experience Platform capabilities they grant access to. For detailed steps on how to add permissions to a role, see the attribute based access control roles guide.

| Category | Permission | Description |
| --- | --- | --- |
| Alerts | View Alerts History | Read-only access for alerts history. |
| Alerts | Resolve Alerts | Access to read, edit, and delete alerts. |
| Alerts | View Alerts | Read-only access for alerts. |
| Alerts | Manage Alerts | Access to read, create, edit, and delete alerts history. |
| Computed Attributes | View Computed attributes | Read-only access for computed attributes tab, inventory, and details. |
| Computed Attributes | Manage Computed attributes | Access to read, create, delete drafts, and deactivate computed attributes. |
| Data Lifecycle | View Data Lifecycle | Read-only access for data lifecycle. |
| Data Lifecycle | Manage Data Lifecycle | Access to read, create, edit, and delete data lifecycle. |
| Data Modeling | Manage Schemas | Access to read, create, edit, and delete schemas and related resources. |
| Data Modeling | View Schemas | Read-only access to schemas and related resources. |
| Data Modeling | Manage Relationships | Access to read, create, edit, and delete schema relationships. |
| Data Modeling | Manage Identity Metadata | Access to read, create, edit, and delete identity metadata for schemas. |
| Data Management | Manage Datasets | Access to read, create, edit, and delete datasets. Read-only access for schemas. |
| Data Management | View Datasets | Read-only access for datasets and schemas. |
| Data Management | Data Monitoring | Read-only access to monitoring datasets and streams. |
| Profile Management | Manage Profiles | Access to read, create, edit, and delete datasets that are used for customer profiles. Read-only access to available profiles. |
| Profile Management | View Profiles | Read-only access to available profiles. |
| Profile Management | Manage Segments | Access to read, create, edit, and delete segments. |
| Profile Management | View Segments | Read-only access to available segments. |
| Profile Management | Manage Merge Policies | Access to read, create, edit, and delete merge policies. |
| Profile Management | View Merge Policies | Read-only access to available merge policies. |
| Profile Management | Import Audiences | Access to read, create, edit, and delete imported audiences. |
| Profile Management | Export Audience for Segment | Ability to export an evaluated audience segment to a dataset. |
| Profile Management | Evaluate a Segment to an Audience | Ability to generate profiles for an audience by evaluating a segment definition. |
| Profile Management | View B2B AI | Read-only access to settings and configurations for all B2B AI/ML services. |
| Profile Management | Manage B2B AI | Access to read, create, edit, and delete settings and configurations for all B2B AI/ML services. |
| Profile Management | View B2B Profile | Read-only access to B2B entity profiles (such as Account, Opportunity, and so on), settings and configurations for all B2B AI/ML services, and B2B dashboard widgets. |
| Profile Management | Manage B2B Profile | Access to read, create, edit, and delete B2B entity profiles (such as Account, Opportunity, and so on). Read-only access for settings and configurations for all B2B AI/ML services, and B2B dashboard widgets. |
| Identity Management | Manage Identity Namespaces | Access to read, create, edit, and delete identity namespaces. |
| Identity Management | View Identity Namespaces | Read-only access for identity namespaces. |
| Identity Management | View Identity Graph | Read-only access for identity graphs. |
| Sandbox Administration | Manage Sandboxes | Access to read, create, edit, and delete sandboxes. |
| Sandbox Administration | View Sandboxes | Read-only access for sandboxes belonging to your organization. |
| Sandbox Administration | Reset a Sandbox | Ability to reset a sandbox. |
| Destinations | View Destinations | Read-only access to view available destinations in the Catalog tab and authenticated destinations in the Browse tab. |
| Destinations | Manage Destinations | Access to read, create, and delete destination connections and destination accounts. |
| Destinations | Activate Destinations | Gives users the ability to activate segments to existing destinations. Enables the mapping step in the activation workflow. This permission also requires the View Destinations permission to be granted to the user who will activate data to destinations. |
| Destinations | Activate Segment without Mapping | Gives users the ability to activate segments to existing destinations, without displaying the mapping step. Users can add and remove segments in activation workflows, but cannot add or remove mapped attributes or identities. This permission also requires the View Destinations permission to be granted to the user who will activate data to destinations. |
| Destinations | Manage and Activate Dataset Destinations | Ability to read, create, edit, and disable dataset export flows. Ability to also activate data to active datasets that have been created. This permission also requires the View Destinations permission to be granted to the user who will activate data to destinations. |
| Destinations | Destination Authoring | Ability to author destinations using Adobe Experience Platform Destination SDK. |
| Data Ingestion | Manage Sources | Access to read, create, edit, and disable sources. |
| Data Ingestion | View Sources | Read-only access to available sources in the Catalog tab and authenticated sources in the Browse tab. |
| Data Ingestion | Manage Audience Share Connections | Access to create, accept, and decline partner handshakes to connect two organizations and enable Segment Match flows. |
| Data Ingestion | Manage Audience Share | Access to read, create, edit, and publish Segment Match feeds with active partners. |
| Data Science Workspace | Manage Data Science Workspace | Access to read, create, edit, and delete in Data Science Workspace. |
| Data Governance | Manage Usage Labels | Access to read, create, and delete usage labels. |
| Data Governance | Manage Data Usage Policies | Access to read, create, edit, and delete data usage policies. |
| Data Governance | View Data Usage Policies | Read-only access for data usage policies belonging to your organization. |
| Data Governance | View User Activity Log | Read-only access to view recorded audit logs of Platform activities. |
| Dashboards | View License Usage Dashboard | Read-only access to view the license usage dashboard. |
| Dashboards | Manage Standard Dashboards | Add custom attributes that are not yet in the data warehouse. |
| Query Service | Manage Queries | Access to read, create, edit, and delete structured SQL queries for Platform data. |
| Query Service | Manage Query Service Integration | Access to create, update, and delete non-expiring credentials for Query Service access. |
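As an added illustration (not Adobe's code or API), the following Python models two rules from this page: a user in several roles gets the sandboxes of all of them (Access to sandboxes), and the activation permissions in the table also require View Destinations. It assumes a role's permissions apply only within that role's own sandboxes, and the role names and sandbox ids are constructed.

```python
from dataclasses import dataclass

# Added illustration of the role model on this page, not Adobe's code or API.
# Assumption: a role's permissions apply only inside that role's own sandboxes,
# so a user's effective access is the union of (sandbox, permission) pairs
# over every role they belong to.

@dataclass(frozen=True)
class Role:
    name: str
    sandboxes: frozenset
    permissions: frozenset

# Activation permissions that the table says also need "View Destinations".
NEEDS_VIEW_DESTINATIONS = frozenset({
    "Activate Destinations",
    "Activate Segment without Mapping",
    "Manage and Activate Dataset Destinations",
})

def effective_grants(roles):
    """Every (sandbox, permission) pair the user holds across all their roles."""
    return {(sb, p) for r in roles for sb in r.sandboxes for p in r.permissions}

def authorize(roles, sandbox, permission):
    """The check an API call or UI element applies: True only when some role
    grants this permission in this sandbox; otherwise the call is rejected."""
    return (sandbox, permission) in effective_grants(roles)

def missing_prerequisites(roles):
    """Activation grants with no View Destinations in the same sandbox; worth
    flagging when reviewing a role before assigning users to it."""
    grants = effective_grants(roles)
    return {(sb, p) for (sb, p) in grants
            if p in NEEDS_VIEW_DESTINATIONS
            and (sb, "View Destinations") not in grants}

# Constructed sample roles; names and sandbox ids are hypothetical.
SAMPLE_ROLES = [
    Role("dev-activators", frozenset({"dev"}),
         frozenset({"View Datasets", "Activate Destinations"})),
    Role("prod-viewers", frozenset({"prod"}),
         frozenset({"View Datasets", "View Destinations"})),
]
```

With the sample roles, `authorize(SAMPLE_ROLES, "prod", "Activate Destinations")` is False because that permission was only granted in the dev sandbox, and `missing_prerequisites` flags the dev activation grant until a role adds View Destinations there.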

Next steps

By reading this guide, you have been introduced to the main principles of access control in Experience Platform. You can now continue to the attribute based access control user guide for detailed steps on how to use Experience Cloud to create roles and assign permissions for Experience Platform.
