A Layered Access Management Model for Adobe Experience Platform (AEP)
Scalable, governable RBAC across AEP, Customer Journey Analytics, and Adobe Data Collection
As Adobe Experience Platform (AEP) implementations grow across business units, regions, and use cases, managing user access can quickly become complex. One of the most common challenges is providing the right level of access while maintaining governance, security, and operational simplicity.
During a recent AEP implementation, I adopted a layered access management model that leverages Adobe's native capabilities while keeping the architecture scalable and easy to maintain. Rather than creating numerous Product Profiles for every business role, the model separates identity, product entitlement, and platform authorization.
Assign people to User Groups (who they are). Each group grants access along two parallel tracks: Product Profiles (which Adobe apps — and these fully govern Customer Journey Analytics and Data Collection) and AEP Roles (what a user can do on platform resources, scoped by sandbox). The two tracks meet in only a couple of narrow spots — for example, a CJA administrator managing Data Management needs a minimal AEP Role. Keep each layer doing one job and you get least-privilege access without a sprawl of Product Profiles.
The group, profile, and role names below are illustrative — swap in your own naming convention as you adapt the model.
Access Management Architecture
Access Management Principles
Before diving into the layers, it helps to establish the ground rules the model operates by:
- User access is provisioned through Adobe User Groups — the only object you assign people to.
- Each User Group is mapped to one or more Product Profiles and/or AEP Roles based on business responsibilities.
- Users may belong to multiple User Groups as required by their job functions.
- Product Profiles govern access to Adobe applications and their capabilities. Customer Journey Analytics and Data Collection are managed almost entirely through Product Profiles — they need an AEP Role only for the two capabilities that reach into platform resources (CJA Data Management and Data Collection datastreams).
- AEP Roles govern access to Adobe Experience Platform resources only — sandboxes, datasets, schemas, identities, and other platform capabilities.
- Sandbox access is controlled through AEP Role assignments. Administrative capabilities (Manage Sandboxes, Manage Packages, Reset Sandboxes) are restricted to designated platform administrator roles.
- Access follows the principle of least privilege — only the permissions required to perform a responsibility.
- Production administrative access is restricted to authorized platform administrators, while development activities are performed within designated non-production sandboxes.
Layer 1 – Adobe Admin Console User Groups
User Groups represent business personas, not technical permissions. Examples include:
- Platform Administrators
- Platform Developers
- Data Engineers
- Data Analysts
- Customer Journey Analytics Administrators
- Customer Journey Analytics Business Users
- Data Collection Administrators
- Data Collection Developers
This simplifies onboarding and offboarding, since users are assigned to business groups instead of individual permissions.
Layer 2 – Adobe Product Profiles
Product Profiles determine which Adobe applications a user can access. Instead of creating Product Profiles for every business role, I recommend a hybrid approach.
For Customer Journey Analytics and Adobe Data Collection, the Product Profile is almost the entire access model — capabilities within those applications (Connections, Data Views, tags, rules, and so on) are controlled by the profile itself.
There are two narrow exceptions: the capabilities that reach into AEP platform resources. Managing CJA Data Management (Connections & Data Views) and creating Data Collection datastreams each require a small, dedicated AEP Role in addition to the Product Profile, because both write to or read from platform objects (datasets, schemas, sandboxes). Everything else in these two applications is profile-governed.
| Product | Product Profile | Type |
|---|---|---|
| Adobe Experience Platform | AEP-Default-All-Users | OOTB |
| Customer Journey Analytics | CJA Administrator | Custom |
| Customer Journey Analytics | CJA Business User | Custom |
| Adobe Data Collection | Data Collection Administrator | Custom |
| Adobe Data Collection | Data Collection Developer | Custom |
Why a Hybrid Approach?
- Use the OOTB AEP-Default-All-Users Product Profile as the standard platform entitlement.
- Create custom Product Profiles only where business segregation is required, such as Customer Journey Analytics and Adobe Data Collection.
- Keep Product Profiles focused on application access, not detailed permissions.
Layer 3 – AEP Roles
AEP Roles determine what users can do inside Adobe Experience Platform. They apply only to AEP platform resources — Customer Journey Analytics and Data Collection are otherwise handled through Product Profiles, apart from the two narrow crossovers noted earlier (CJA Data Management and Data Collection datastreams).
Sample AEP Roles
| Role | Example Permissions |
|---|---|
| Platform Administrator | Manage Sandboxes, Datasets, Schemas, Sources, Destinations, Identity, Governance, Query Service |
| Platform Developer | Create and modify Schemas, Datasets, Sources, Destinations, Queries (typically non-production) |
| Data Engineer | Manage Data Ingestion, Schemas, Datasets, Monitoring |
| Data Analyst | Read Datasets, Execute Queries, View Schemas |
| CJA Data Management (minimal) | Minimal AEP access to the datasets and schemas that back CJA Connections and Data Views — the only place CJA touches an AEP Role |
| Data Collection Datastreams (minimal) | Manage Datastreams plus view access to the target sandbox, datasets, and schemas — the only place Data Collection touches an AEP Role |
The key idea is to keep Product Profiles simple while using AEP Roles to enforce least-privilege access on the platform.
Example Access Mapping
Business Persona Admin Console User Group Product Profile AEP Role Platform Administrator Platform Admins AEP-Default-All-Users (OOTB) Platform Administrator Platform Developer Platform Developers AEP-Default-All-Users (OOTB) Platform Developer Data Engineer Data Engineering AEP-Default-All-Users (OOTB) Data Engineer Data Analyst Analytics Team AEP-Default-All-Users (OOTB) Data Analyst CJA Administrator CJA Administrators CJA Administrator Minimal — Data Management only CJA Business User CJA Business Users CJA Business User None Data Collection Administrator Data Collection Admins Data Collection Administrator N/A Data Collection Developer Data Collection Developers Data Collection Developer N/A
| Business Persona | Admin Console User Group | Product Profile | AEP Role |
|---|---|---|---|
| Platform Administrator | Platform Admins | AEP-Default-All-Users (OOTB) | Platform Administrator |
| Platform Developer | Platform Developers | AEP-Default-All-Users (OOTB) | Platform Developer |
| Data Engineer | Data Engineering | AEP-Default-All-Users (OOTB) | Data Engineer |
| Data Analyst | Analytics Team | AEP-Default-All-Users (OOTB) | Data Analyst |
| CJA Administrator | CJA Administrators | CJA Administrator | Minimal — Data Management only |
| CJA Business User | CJA Business Users | CJA Business User | None |
| Data Collection Administrator | Data Collection Admins | Data Collection Administrator | N/A |
| Data Collection Developer | Data Collection Developers | Data Collection Developer | N/A |
Reading the table: each persona gets exactly one User Group, which carries the Product Profile and (where applicable) the AEP Role. None / N/A means the persona needs no AEP Role — Customer Journey Analytics and Adobe Data Collection are otherwise governed by their Product Profiles, not by AEP RBAC. The two platform crossovers are handled explicitly: CJA Data Management is granted here on the CJA Administrator (a minimal AEP Role for the underlying datasets and schemas), while Data Collection datastreams are owned by the Platform Administrator in this example — which is why the Data Collection personas show N/A. If your Data Collection team owned datastreams instead, they would carry a minimal AEP Role too.
Customer Journey Analytics Consideration
Customer Journey Analytics access is normally governed entirely by its Product Profile. There is one exception worth calling out.
If a user is responsible for managing Connections, Data Views, and Data Management in CJA, the CJA Product Profile alone is not sufficient. In addition to it, the user should also:
- Hold the AEP application Product Profile (e.g., AEP-Default-All-Users) so they can reach the Adobe Experience Platform interface, where Data Management lives.
- Have a minimal AEP Role that grants access to the datasets and schemas backing those Connections and Data Views. This is the only situation in which CJA relies on an AEP Role.
- Be assigned as a Product Administrator in the Adobe Admin Console when responsible for administering Customer Journey Analytics.
Separation of Responsibilities
One of the biggest advantages of this model is that every layer has a clear purpose.
| Layer | Responsibility |
|---|---|
| Admin Console User Group | Represents the user's business function |
| Product Profile | Determines which Adobe products the user can access |
| AEP Role | Determines what the user can do within AEP |
| Sandbox Permissions | Determines where the user can perform those actions |
Keeping these responsibilities separate results in a cleaner and more maintainable access model.
Benefits
This approach provides several advantages:
- Reduced number of Product Profiles
- Simplified onboarding and offboarding
- Better governance and auditability
- Clear separation of business and technical responsibilities
- Easier administration
- Scalable role-based access control (RBAC)
- Improved security through the Principle of Least Privilege
How to Apply This Model
If you want to adapt this in your own tenant, a practical order of operations is:
- List your business personas. Start from what people actually do (administer, develop, engineer, analyze, report) — not from Adobe's technical objects.
- Create one User Group per persona in the Admin Console. This is the only thing you'll assign people to.
- Default to the OOTB AEP Product Profile. Add custom Product Profiles only where you need product-level segregation (e.g., CJA, Data Collection).
- Define AEP Roles for least privilege and map each platform User Group to the role that matches its persona. Groups that only need CJA or Data Collection generally require no AEP Role — the exceptions are the two crossovers (CJA Data Management, and Data Collection datastreams if that team owns them).
- Scope with sandbox permissions so non-production personas can't touch production.
- Handle CJA administration separately — remember the Product Administrator assignment for anyone managing Connections and Data Views (see the note above).
- Document the mapping (a table like the one above) and make it the single source of truth for onboarding and audits.
Final Thoughts
As AEP deployments mature, access management becomes a critical success factor. Rather than treating User Groups, Product Profiles, and AEP Roles as interchangeable, defining a clear responsibility for each layer results in a governance model that is scalable, maintainable, and easier to operate.
This layered approach has worked well in practice by reducing administrative overhead while maintaining flexibility for different Adobe products such as AEP, Customer Journey Analytics, and Adobe Data Collection.