
# Access Profiles

> Define which users can request specific roles based on group membership

Access profiles ensure only users in designated groups can request access to particular roles. This prevents unauthorized access requests and maintains security boundaries across your applications.

***

## Understanding Access Profiles

Access profiles answer the question: "Who is allowed to request this role?"

They work by mapping Serval groups to roles. When a user requests access, Serval checks whether they belong to a group that's allowed to request that role.

<Tip>
  **Example:** You can create an "Engineering" profile that only allows members of your engineering teams to request access to production databases.
</Tip>

Configure the following settings to define which users can request specific roles:

<CardGroup cols={2}>
  <Card title="Name" icon="heading">
    The user group identifier from Serval. Must match existing Serval group naming conventions.
  </Card>

  <Card title="Description" icon="align-left">
    Optional context about the profile's purpose, target user population, or usage guidelines.
  </Card>

  <Card title="Associated Groups" icon="users">
    Additional Serval groups included in this access profile. Use this to combine multiple groups under a single access policy.
  </Card>

  <Card title="Associated Roles" icon="user-tag">
    IdP groups linked to this profile. These determine which roles become requestable for users matching this profile.
  </Card>
</CardGroup>

## Profile Configuration in the Application

<Frame caption="Configure access profile settings">
  <img src="https://mintcdn.com/serval/1MkNvweOjUDMFgE8/images/Screenshot2025-10-21at12.30.19AM.png?fit=max&auto=format&n=1MkNvweOjUDMFgE8&q=85&s=65f7e4d853cf5e14f8d7893857cd9f79" alt="Access profile configuration form with name, description, and group settings" width="4112" height="2394" data-path="images/Screenshot2025-10-21at12.30.19AM.png" />
</Frame>

***

## Create an Access Profile

<Steps>
  <Step title="Name the profile">
    **Name:** The user group identifier from Serval. Must match existing Serval group naming conventions.

    **Description:** Optional context about the profile's purpose, target user population, or usage guidelines.
  </Step>

  <Step title="Add associated groups">
    **Associated Groups:** Additional Serval groups included in this access profile. Use this to combine multiple groups under a single access policy.

    <Note>
      For example, combine "Engineering-Frontend" and "Engineering-Backend" groups into a single "Engineering" profile.
    </Note>
  </Step>

  <Step title="Link IdP groups">
    **Associated Roles:** IdP groups linked to this profile. These determine which roles become requestable for users matching this profile.
  </Step>

  <Step title="Save the profile">
    Click "Save profile" to make it available for role configuration.
  </Step>
</Steps>

***

## Manage Access Profiles

Once created, access profiles can be managed centrally and applied to multiple roles across your organization.

To access profile management, navigate to the relevant team, click the "..." button, then select "Access Profiles."

### What You Can Do

<AccordionGroup>
  <Accordion title="Set a default profile" icon="star">
    Choose a default profile that applies to new roles automatically. This is typically your broadest user group (e.g., "All Employees").
  </Accordion>

  <Accordion title="Edit existing profiles" icon="pen">
    Modify profile settings. Changes apply to all roles using that profile, making it easy to update access permissions organization-wide.
  </Accordion>

  <Accordion title="View profile usage" icon="eye">
    See which roles currently use each profile. This helps you understand the impact before making changes.
  </Accordion>

  <Accordion title="Apply profiles to roles" icon="link">
    Add or remove roles that the profile should apply to. Reuse profiles across similar access patterns for consistency.
  </Accordion>
</AccordionGroup>

***

## Profile Examples

<CardGroup cols={2}>
  <Card title="All Employees">
    **Groups:** company-all-employees\
    **Purpose:** Standard company-wide applications like Slack, Google Workspace

    **Use for:** Access that every employee should be able to request
  </Card>

  <Card title="Engineering">
    **Groups:** eng-frontend, eng-backend, eng-infrastructure\
    **Purpose:** Engineering tools and production access

    **Use for:** Developer tools, code repositories, staging environments
  </Card>

  <Card title="Finance Team">
    **Groups:** finance-accounting, finance-payroll\
    **Purpose:** Financial systems and sensitive data

    **Use for:** Accounting software, payment processors, financial dashboards
  </Card>

  <Card title="Contractors">
    **Groups:** contractor-engineering, contractor-design\
    **Purpose:** Limited access for external workers

    **Use for:** Non-sensitive tools and resources appropriate for contractors
  </Card>
</CardGroup>
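
The request check described under "Understanding Access Profiles" and the impact review described under "View profile usage", modelled as an added example (not Serval's code or API). Group names come from the profile examples above; the role names and the `Profile` structure are assumptions made for illustration.

```python
# Added illustration: a minimal model of access-profile evaluation.
# Not Serval's implementation or API; role names are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    groups: frozenset  # groups whose members may request the profile's roles
    roles: frozenset   # roles the profile is applied to


# Groups are taken from the page's profile examples; roles are hypothetical.
PROFILES = [
    Profile("All Employees", frozenset({"company-all-employees"}),
            frozenset({"slack-member"})),
    Profile("Engineering",
            frozenset({"eng-frontend", "eng-backend", "eng-infrastructure"}),
            frozenset({"prod-db-readonly", "staging-admin"})),
    Profile("Contractors",
            frozenset({"contractor-engineering", "contractor-design"}),
            frozenset({"design-tool-viewer"})),
]


def can_request(user_groups, role, profiles=PROFILES):
    """Deny by default: allow only if a profile applied to `role`
    shares at least one group with the user."""
    mine = set(user_groups)
    return any(role in p.roles and bool(p.groups & mine) for p in profiles)


def requestable_pairs(profiles):
    """Every (group, role) pair the profile set makes requestable."""
    return {(g, r) for p in profiles for g in p.groups for r in p.roles}


def edit_impact(before, after):
    """Pairs gained and lost by a profile edit, for review before saving."""
    old, new = requestable_pairs(before), requestable_pairs(after)
    return sorted(new - old), sorted(old - new)


def sensitive_exposure(profiles, group_prefix, sensitive_roles):
    """Groups with the given prefix that can request a sensitive role."""
    return sorted((g, r) for g, r in requestable_pairs(profiles)
                  if g.startswith(group_prefix) and r in sensitive_roles)


if __name__ == "__main__":
    print(can_request(["contractor-design"], "prod-db-readonly"))  # False
```

Running `edit_impact` on a proposed change before saving shows exactly which groups gain the ability to request which roles, since an edit applies to every role that uses the profile.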

***

## Best Practices

<CardGroup cols={2}>
  <Card title="Map to org structure" icon="sitemap">
    Create profiles that mirror your actual organizational structure. This makes it intuitive for admins to assign the right profiles.
  </Card>

  <Card title="Use broad profiles for common access" icon="users">
    Create an "All Employees" profile for widely used applications. This reduces administrative overhead.
  </Card>

  <Card title="Combine groups thoughtfully" icon="object-group">
    Group teams with similar access needs together. For example, all engineering groups can share an "Engineering" profile.
  </Card>

  <Card title="Document profile purposes" icon="file-lines">
    Write clear descriptions so admins understand when to use each profile when configuring new roles.
  </Card>
</CardGroup>
