Tech Mastery: Deep Dives into AEM, Cloud Technologies, AI Innovations, and Advanced Marketing Strate
A Layered Access Management Model for Adobe Experience Platform (AEP)
Scalable, governable RBAC across AEP, Customer Journey Analytics, and Adobe Data Collection

As Adobe Experience Platform (AEP) implementations grow across business units, regions, and use cases, managing user access can quickly become complex. One of the most common challenges is providing the right level of access while maintaining governance, security, and operational simplicity.

During a recent AEP implementation, I adopted a layered access management model that leverages Adobe's native capabilities while keeping the architecture scalable and easy to maintain. Rather than creating numerous Product Profiles for every business role, the model separates identity, product entitlement, and platform authorization.

In short

Assign people to User Groups (who they are). Each group grants access along two parallel tracks: Product Profiles (which Adobe apps — and these fully govern Customer Journey Analytics and Data Collection) and AEP Roles (what a user can do on platform resources, scoped by sandbox). The two tracks meet in only a couple of narrow spots — for example, a CJA administrator managing Data Management needs a minimal AEP Role. Keep each layer doing one job and you get least-privilege access without a sprawl of Product Profiles.

The group, profile, and role names below are illustrative — swap in your own naming convention as you adapt the model.
Before diving into the layers, it helps to establish the ground rules the model operates by:

- User access is provisioned through Adobe User Groups — the only object you assign people to.
- Each User Group is mapped to one or more Product Profiles and/or AEP Roles based on business responsibilities.
- Users may belong to multiple User Groups as required by their job functions.
- Product Profiles govern access to Adobe applications and their capabilities. Customer Journey Analytics and Data Collection are managed almost entirely through Product Profiles — they need an AEP Role only for the two capabilities that reach into platform resources (CJA Data Management and Data Collection datastreams).
- AEP Roles govern access to Adobe Experience Platform resources only — sandboxes, datasets, schemas, identities, and other platform capabilities.
- Sandbox access is controlled through AEP Role assignments. Administrative capabilities (Manage Sandboxes, Manage Packages, Reset Sandboxes) are restricted to designated platform administrator roles.
- Access follows the principle of least privilege — only the permissions required to perform a responsibility.
- Production administrative access is restricted to authorized platform administrators, while development activities are performed within designated non-production sandboxes.
- Permissions are additive. When a user belongs to multiple User Groups, their effective access is the union of all permissions granted through the associated Product Profiles and AEP Roles. Design groups so overlapping membership never accidentally escalates privilege.
User Groups represent business personas, not technical permissions. Examples include:

- Platform Administrators
- Platform Developers
- Data Engineers
- Data Analysts
- Customer Journey Analytics Administrators
- Customer Journey Analytics Business Users
- Data Collection Administrators
- Data Collection Developers

This simplifies onboarding and offboarding, since users are assigned to business groups instead of individual permissions.
Product Profiles determine which Adobe applications a user can access. Instead of creating Product Profiles for every business role, I recommend a hybrid approach.

For Customer Journey Analytics and Adobe Data Collection, the Product Profile is almost the entire access model — capabilities within those applications (Connections, Data Views, tags, rules, and so on) are controlled by the profile itself.

There are two narrow exceptions: the capabilities that reach into AEP platform resources. Managing CJA Data Management (Connections & Data Views) and creating Data Collection datastreams each require a small, dedicated AEP Role in addition to the Product Profile, because both write to or read from platform objects (datasets, schemas, sandboxes). Everything else in these two applications is profile-governed.

| Product | Product Profile | Type |
| --- | --- | --- |
| Adobe Experience Platform | AEP-Default-All-Users | OOTB |
| Customer Journey Analytics | CJA Administrator | Custom |
| Customer Journey Analytics | CJA Business User | Custom |
| Adobe Data Collection | Data Collection Administrator | Custom |
| Adobe Data Collection | Data Collection Developer | Custom |
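To make the "permissions are additive" ground rule and the group → profile/role mapping concrete, here is an added example (not part of the original post, and not an Adobe API) that models the two tracks as plain data, computes a user's effective access as the union across their groups, and audits the policy so that sandbox-admin capabilities are reachable only through the Platform Administrators group. The role names, sandbox names and capability strings are constructed for illustration.

```python
# Constructed illustrative policy: group, profile and role names follow the post's examples.
ADMIN_CAPS = {"Manage Sandboxes", "Manage Packages", "Reset Sandboxes"}
ADMIN_GROUPS = {"Platform Administrators"}

# AEP Role -> (sandboxes it is scoped to, capabilities on platform resources)
AEP_ROLES = {
    "AEP Platform Admin": ({"prod", "dev"}, ADMIN_CAPS | {"Manage Datasets", "Manage Schemas"}),
    "AEP Developer": ({"dev"}, {"Manage Datasets", "Manage Schemas"}),
    "AEP CJA Data Management": ({"prod"}, {"View Datasets", "View Schemas"}),  # minimal role for CJA admins
    "AEP Datastreams": ({"prod", "dev"}, {"Manage Datastreams"}),
}

# User Group -> (Product Profiles, AEP Roles): the two parallel tracks a group grants
USER_GROUPS = {
    "Platform Administrators": ({"AEP-Default-All-Users"}, {"AEP Platform Admin"}),
    "Platform Developers": ({"AEP-Default-All-Users"}, {"AEP Developer"}),
    "CJA Administrators": ({"CJA Administrator"}, {"AEP CJA Data Management"}),
    "CJA Business Users": ({"CJA Business User"}, set()),
    "Data Collection Administrators": ({"Data Collection Administrator"}, {"AEP Datastreams"}),
    "Data Collection Developers": ({"Data Collection Developer"}, set()),
}


def effective_access(memberships, groups=USER_GROUPS, roles=AEP_ROLES):
    """Permissions are additive: the union of everything the user's groups grant.
    Returns the profiles, the AEP roles and a sandbox -> capabilities map."""
    profiles, role_names, caps = set(), set(), {}
    for g in memberships:
        p, r = groups[g]
        profiles |= p
        role_names |= r
        for role in r:
            for sandbox in roles[role][0]:
                caps.setdefault(sandbox, set()).update(roles[role][1])
    return {"profiles": profiles, "roles": role_names, "capabilities": caps}


def audit_policy(groups=USER_GROUPS, roles=AEP_ROLES):
    """Least-privilege check: sandbox-admin capabilities may only come from admin groups.
    Because effective access is a union, checking each non-admin group on its own is
    enough: if no single group grants them, no combination of groups can either."""
    findings = []
    for name in groups:
        if name in ADMIN_GROUPS:
            continue
        for sandbox, caps in effective_access([name], groups, roles)["capabilities"].items():
            leaked = caps & ADMIN_CAPS
            if leaked:
                findings.append(f"{name} grants {sorted(leaked)} on {sandbox}")
    return sorted(findings)
```

Run `audit_policy()` after every group or role change; an empty result means overlapping membership cannot escalate anyone to sandbox administration.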