Skip to main content

SFMC Permissions

Welcome to the jungle, we've got Roles and Permissions.

Permissions Best Practices

Standard vs Custom Roles

The best way to work with Roles and Permissions in Salesforce Marketing Cloud is to leverage standard roles and only build on top of them with custom permissions/roles. Creating custom roles from scratch (even by copying existing standard role) is not recommended. There are two reasons for this:

  1. Standard Roles are updated every release to support changes in permissions structure.
  2. In many Marketing Cloud spaces, you need multiple permissions from various permission groups.
You Should Know

An excellent example of it might be the Journey Builder.

It is not enough to add full Journey Builder permissions to allow someone to work with that part of Marketing Cloud, because Activities used on Journey canvas require additional permissions to work:

1. Decision Splits and Wait by Attribute requires:
- Email > Subscribers > Data Extensions > View
- Salesforce Marketing Cloud > Contacts > Read Contact Data
2. Update Contact requires:
- Email > Subscribers > Data Extensions > View
- Email > Subscribers > List > View
3. Engagement Splits requires:
- Email > Content > Email > View
- Content Builder > Assets > View
4. Journey Entry Sources requires:
- Email > Subscribers > Data Extensions > View
- Email > Subscribers > List > View
- Salesforce Marketing Cloud > Contacts > Read Contact Data
5. Goals, Exit Criteria, Default Email and Mobile Number settings require:
- Email > Subscribers > Data Extensions > View
- Salesforce Marketing Cloud > Contacts > Read Contact Data

Such mixes are happening in multiple parts of Marketing Cloud and might change from release to release, which makes creating custom roles from scratch very hard to make and maintain.

However, Standard Roles not always align perfectly with your needs. The widespread use case would be hiding shared folders via permissions or blocking deletion rights for some users. It is where custom work is needed.

Permission Overlap

When working with multiple roles or overlapping permissions, be sure to check what is the outcome on the user.

Marketing Cloud goes with the most restrictive resulting permission possible:

  1. If at least one permission (role-based or individual) is set to Deny - the user will not be able to use the feature.
  2. If there is neither Allow nor Deny permission - the user will not be able to use the feature.
  3. If there is at least one Allow permission and not even one Deny permission - the user will be able to use the feature.

You can check the outcome by going to Setup > Users > Users > clicking checkbox next to a user > clicking Manage Roles > Edit Permissions. In this place, you can not only configure individual permissions but also, by expanding to the final permission level, check current result permission along with the source for that state.


SFMC Permissions

Below I have listed details on the permissions currently available in Salesforce Marketing Cloud Setup. For better readability, I have split them by Studio/Builder, so they are not in the same order as in Setup.

To search for specific permission you can use site search in top right or browser search (CMD/Ctrl+F keys).


General Permissions

Salesforce Marketing Cloud

Contains a mix of permissions for:

  • Marketing Cloud Dashboard tools
  • Contacts
  • Marketing Cloud Roles
  • Some Legacy or unreleased functions like Pulse or Watchdog.

One of the most important permissions here is:

  • Salesforce Marketing Cloud > Contacts > Read Contact Data.

It is used in multiple SFMC areas and is required for them to work.

Tags

Permissions for Marketing Cloud tagging solution.

Administration

Permissions for most of the Setup items.

Event Notifications

Permissions for REST API Event Notifications Service.

Audit Trail

Permissions for Audit Trail tools.

Database Encryption

Permissions for Transparent Database Encryption.


Email Studio Permissions

Email

Huge permission set for most of the Email Studio features.

Two of the most important permissions here are:

  • Email > Subscribers > Data Extensions > View
  • Email > Subscribers > List > View

They are used in multiple SFMC areas and are required for them to work.

You Should Know

Some of the Shared Data Extension permissions are overwritten by local Data Extension permissions (for example Move, Rename). If you have problem with correctly limiting rights to Shared data, try playing with standard Data Extensions permissions.

Contains also some permissions for Legacy features like Omniture TnT and 3sixty.

Email Send Wizard

Enables Email Send process in Email Studio and partially for single send in Journey Builder.

Distributed Sending

Permissions for Distributed Sending.

Transactional Sending

Permissions for Transactional Messaging API.


Mobile Studio Permissions

MobileConnect

Permissions for MobileConnect.

MobilePush

Permissions for MobilePush.

GroupConnect

Permissions for Group Connect.


Social Studio Permissions

Most permissions are managed from within Social Studio and not available in global Setup.

SocialEngage

Permissions for Engage, part of Social Studio.

Perform Workgroup Leader Role is permission for an unreleased feature.


Web Studio Permissions

CloudPages

Permissions for Cloud Pages.


Interaction Studio Permissions

Most permissions are managed from within Interaction Studio and not available in global Setup.

Interaction Studio

Permissions for Interaction Studio (Evergage).

Interaction Studio - Legacy

Legacy permissions for previous Interaction Studio solution (Thunderhead).


Analytics Builder Permissions

Tracking within Email Studio is managed by separate permissions available within Email permission group.

Reports

Permissions for Reports.

CampaignAnalytics

Permissions enabling Campaign objects for Reports. Available only on Role level (cannot be limited as individual permission).

Analytics

Permissions for Web Analytics and integration with Google Analytics.

Discover

Permissions for Discover premium feature.


Journey Builder Permissions

Automation Studio

Permissions for Automation Studio.

Journey Builder

Permissions for Journey Builder.


Content Builder Permissions

Content Builder

Permissions for Content Builder.

Workflows and Approvals

Permissions for Content Builder Approval tool.

Approvals (Email)

Additional Permissions for Content Builder Approval tool.


Audience Builder Permissions

Contact Builder

Permissions for Contact Builder.

Audience Builder

Permissions for Audience Builder.

Active Audiences

Permissions for Active Audiences - part of Audience Builder.

Audience Builder Enabler

Permission for enabling Audience Builder.

Data Factory Utility

Permission related to Audience Builder and Discover (Analytics Builder add-on). Moves data between environments. Configured during implementation. Do not touch.

Salesforce DMP

Most permissions are managed from within Salesforce DMP and not available in global Setup.

Einstein Data Analytics

Most permissions are managed from within Einstein Analytics and not available in global Setup.

Datorama

Most permissions are managed from within Datorama and not available in global Setup.

Datorama Reports

Permissions for Datorama Reports - part of Datorama.


AppExchange Permissions

HubExchange

Permissions for AppExchange.


Legacy Permissions

Below you can find permissions for solutions that are no longer offered by Salesforce. No need to worry about them.

Marketo

Legacy permissions for integration with Adobe Marketo.

Xpress

Legacy permissions.

AdobeAnalytics

Legacy permissions for integration with Adobe Analytics.

tmMessenger

Legacy permissions for integration with TicketMaster.

LEMI

Legacy permissions.

3sixty

Legacy permissions for integration with 3sixty elearning platform.

Extension Manager

Legacy permissions for Marketing Cloud Extension Manager.

DeveloperApp

Legacy permissions.