Showing posts with label AEP. Show all posts
Showing posts with label AEP. Show all posts

Tuesday, June 30, 2026

A Layered Access Management Model for Adobe Experience Platform (AEP)

A Layered Access Management Model for Adobe Experience Platform (AEP)

Scalable, governable RBAC across AEP, Customer Journey Analytics, and Adobe Data Collection

As Adobe Experience Platform (AEP) implementations grow across business units, regions, and use cases, managing user access can quickly become complex. One of the most common challenges is providing the right level of access while maintaining governance, security, and operational simplicity.

During a recent AEP implementation, I adopted a layered access management model that leverages Adobe's native capabilities while keeping the architecture scalable and easy to maintain. Rather than creating numerous Product Profiles for every business role, the model separates identity, product entitlement, and platform authorization.

In short

Assign people to User Groups (who they are). Each group grants access along two parallel tracks: Product Profiles (which Adobe apps — and these fully govern Customer Journey Analytics and Data Collection) and AEP Roles (what a user can do on platform resources, scoped by sandbox). The two tracks meet in only a couple of narrow spots — for example, a CJA administrator managing Data Management needs a minimal AEP Role. Keep each layer doing one job and you get least-privilege access without a sprawl of Product Profiles.

The group, profile, and role names below are illustrative — swap in your own naming convention as you adapt the model.

Access Management Architecture


Access Management Principles

Before diving into the layers, it helps to establish the ground rules the model operates by:

  • User access is provisioned through Adobe User Groups — the only object you assign people to.
  • Each User Group is mapped to one or more Product Profiles and/or AEP Roles based on business responsibilities.
  • Users may belong to multiple User Groups as required by their job functions.
  • Product Profiles govern access to Adobe applications and their capabilities. Customer Journey Analytics and Data Collection are managed almost entirely through Product Profiles — they need an AEP Role only for the two capabilities that reach into platform resources (CJA Data Management and Data Collection datastreams).
  • AEP Roles govern access to Adobe Experience Platform resources only — sandboxes, datasets, schemas, identities, and other platform capabilities.
  • Sandbox access is controlled through AEP Role assignments. Administrative capabilities (Manage Sandboxes, Manage Packages, Reset Sandboxes) are restricted to designated platform administrator roles.
  • Access follows the principle of least privilege — only the permissions required to perform a responsibility.
  • Production administrative access is restricted to authorized platform administrators, while development activities are performed within designated non-production sandboxes.
Permissions are additive. When a user belongs to multiple User Groups, their effective access is the union of all permissions granted through the associated Product Profiles and AEP Roles. Design groups so overlapping membership never accidentally escalates privilege.

Layer 1 – Adobe Admin Console User Groups

User Groups represent business personas, not technical permissions. Examples include:

  • Platform Administrators
  • Platform Developers
  • Data Engineers
  • Data Analysts
  • Customer Journey Analytics Administrators
  • Customer Journey Analytics Business Users
  • Data Collection Administrators
  • Data Collection Developers

This simplifies onboarding and offboarding, since users are assigned to business groups instead of individual permissions.

Layer 2 – Adobe Product Profiles

Product Profiles determine which Adobe applications a user can access. Instead of creating Product Profiles for every business role, I recommend a hybrid approach.

For Customer Journey Analytics and Adobe Data Collection, the Product Profile is almost the entire access model — capabilities within those applications (Connections, Data Views, tags, rules, and so on) are controlled by the profile itself.

There are two narrow exceptions: the capabilities that reach into AEP platform resources. Managing CJA Data Management (Connections & Data Views) and creating Data Collection datastreams each require a small, dedicated AEP Role in addition to the Product Profile, because both write to or read from platform objects (datasets, schemas, sandboxes). Everything else in these two applications is profile-governed.

ProductProduct ProfileType
Adobe Experience PlatformAEP-Default-All-UsersOOTB
Customer Journey AnalyticsCJA AdministratorCustom
Customer Journey AnalyticsCJA Business UserCustom
Adobe Data CollectionData Collection AdministratorCustom
Adobe Data CollectionData Collection DeveloperCustom

Why a Hybrid Approach?

  • Use the OOTB AEP-Default-All-Users Product Profile as the standard platform entitlement.
  • Create custom Product Profiles only where business segregation is required, such as Customer Journey Analytics and Adobe Data Collection.
  • Keep Product Profiles focused on application access, not detailed permissions.

Layer 3 – AEP Roles

AEP Roles determine what users can do inside Adobe Experience Platform. They apply only to AEP platform resources — Customer Journey Analytics and Data Collection are otherwise handled through Product Profiles, apart from the two narrow crossovers noted earlier (CJA Data Management and Data Collection datastreams).

Sample AEP Roles

RoleExample Permissions
Platform AdministratorManage Sandboxes, Datasets, Schemas, Sources, Destinations, Identity, Governance, Query Service
Platform DeveloperCreate and modify Schemas, Datasets, Sources, Destinations, Queries (typically non-production)
Data EngineerManage Data Ingestion, Schemas, Datasets, Monitoring
Data AnalystRead Datasets, Execute Queries, View Schemas
CJA Data Management (minimal)Minimal AEP access to the datasets and schemas that back CJA Connections and Data Views — the only place CJA touches an AEP Role
Data Collection Datastreams (minimal)Manage Datastreams plus view access to the target sandbox, datasets, and schemas — the only place Data Collection touches an AEP Role

The key idea is to keep Product Profiles simple while using AEP Roles to enforce least-privilege access on the platform.

Example Access Mapping

Business PersonaAdmin Console User GroupProduct ProfileAEP Role
Platform AdministratorPlatform AdminsAEP-Default-All-Users (OOTB)Platform Administrator
Platform DeveloperPlatform DevelopersAEP-Default-All-Users (OOTB)Platform Developer
Data EngineerData EngineeringAEP-Default-All-Users (OOTB)Data Engineer
Data AnalystAnalytics TeamAEP-Default-All-Users (OOTB)Data Analyst
CJA AdministratorCJA AdministratorsCJA AdministratorMinimal — Data Management only
CJA Business UserCJA Business UsersCJA Business UserNone
Data Collection AdministratorData Collection AdminsData Collection AdministratorN/A
Data Collection DeveloperData Collection DevelopersData Collection DeveloperN/A

Reading the table: each persona gets exactly one User Group, which carries the Product Profile and (where applicable) the AEP Role. None / N/A means the persona needs no AEP Role — Customer Journey Analytics and Adobe Data Collection are otherwise governed by their Product Profiles, not by AEP RBAC. The two platform crossovers are handled explicitly: CJA Data Management is granted here on the CJA Administrator (a minimal AEP Role for the underlying datasets and schemas), while Data Collection datastreams are owned by the Platform Administrator in this example — which is why the Data Collection personas show N/A. If your Data Collection team owned datastreams instead, they would carry a minimal AEP Role too.

Customer Journey Analytics Consideration

Customer Journey Analytics access is normally governed entirely by its Product Profile. There is one exception worth calling out.

If a user is responsible for managing Connections, Data Views, and Data Management in CJA, the CJA Product Profile alone is not sufficient. In addition to it, the user should also:

  • Hold the AEP application Product Profile (e.g., AEP-Default-All-Users) so they can reach the Adobe Experience Platform interface, where Data Management lives.
  • Have a minimal AEP Role that grants access to the datasets and schemas backing those Connections and Data Views. This is the only situation in which CJA relies on an AEP Role.
  • Be assigned as a Product Administrator in the Adobe Admin Console when responsible for administering Customer Journey Analytics.
Understanding the distinction between Product Profiles, Product Administrators, and AEP Roles is critical when designing access for CJA administrators.

Separation of Responsibilities

One of the biggest advantages of this model is that every layer has a clear purpose.

LayerResponsibility
Admin Console User GroupRepresents the user's business function
Product ProfileDetermines which Adobe products the user can access
AEP RoleDetermines what the user can do within AEP
Sandbox PermissionsDetermines where the user can perform those actions

Keeping these responsibilities separate results in a cleaner and more maintainable access model.

Benefits

This approach provides several advantages:

  • Reduced number of Product Profiles
  • Simplified onboarding and offboarding
  • Better governance and auditability
  • Clear separation of business and technical responsibilities
  • Easier administration
  • Scalable role-based access control (RBAC)
  • Improved security through the Principle of Least Privilege

How to Apply This Model

If you want to adapt this in your own tenant, a practical order of operations is:

  1. List your business personas. Start from what people actually do (administer, develop, engineer, analyze, report) — not from Adobe's technical objects.
  2. Create one User Group per persona in the Admin Console. This is the only thing you'll assign people to.
  3. Default to the OOTB AEP Product Profile. Add custom Product Profiles only where you need product-level segregation (e.g., CJA, Data Collection).
  4. Define AEP Roles for least privilege and map each platform User Group to the role that matches its persona. Groups that only need CJA or Data Collection generally require no AEP Role — the exceptions are the two crossovers (CJA Data Management, and Data Collection datastreams if that team owns them).
  5. Scope with sandbox permissions so non-production personas can't touch production.
  6. Handle CJA administration separately — remember the Product Administrator assignment for anyone managing Connections and Data Views (see the note above).
  7. Document the mapping (a table like the one above) and make it the single source of truth for onboarding and audits.
Rule of thumb: if you're about to create a new Product Profile, first ask whether an AEP Role or sandbox permission can express the same intent. Reserve Product Profiles for product access, and let Roles handle what and where.

Final Thoughts

As AEP deployments mature, access management becomes a critical success factor. Rather than treating User Groups, Product Profiles, and AEP Roles as interchangeable, defining a clear responsibility for each layer results in a governance model that is scalable, maintainable, and easier to operate.

This layered approach has worked well in practice by reducing administrative overhead while maintaining flexibility for different Adobe products such as AEP, Customer Journey Analytics, and Adobe Data Collection.

I'd be interested to hear how others are designing their AEP access models. Are you using mostly OOTB Product Profiles, creating custom Product Profiles, or adopting a layered RBAC strategy similar to this?