SFMC Permissions
Welcome to the jungle, we've got Roles and Permissions.
Table of Contents
#
Permissions Best Practices#
Standard vs Custom RolesThe best way to work with Roles and Permissions in Salesforce Marketing Cloud is to leverage standard roles and only build on top of them with custom permissions/roles. Creating custom roles from scratch (even by copying existing standard role) is not recommended. There are two reasons for this:
- Standard Roles are updated every release to support changes in permissions structure.
- In many Marketing Cloud spaces, you need multiple permissions from various permission groups.
You Should Know
An excellent example of it might be the Journey Builder.
It is not enough to add full Journey Builder permissions to allow someone to work with that part of Marketing Cloud, because Activities used on Journey canvas require additional permissions to work:
Such mixes are happening in multiple parts of Marketing Cloud and might change from release to release, which makes creating custom roles from scratch very hard to make and maintain.
However, Standard Roles not always align perfectly with your needs. The widespread use case would be hiding shared folders via permissions or blocking deletion rights for some users. It is where custom work is needed.
#
Permission OverlapWhen working with multiple roles or overlapping permissions, be sure to check what is the outcome on the user.
Marketing Cloud goes with the most restrictive resulting permission possible:
- If at least one permission (role-based or individual) is set to Deny - the user will not be able to use the feature.
- If there is neither Allow nor Deny permission - the user will not be able to use the feature.
- If there is at least one Allow permission and not even one Deny permission - the user will be able to use the feature.
You can check the outcome by going to Setup > Users > Users > clicking checkbox next to a user > clicking Manage Roles > Edit Permissions. In this place, you can not only configure individual permissions but also, by expanding to the final permission level, check current result permission along with the source for that state.
#
SFMC PermissionsBelow I have listed details on the permissions currently available in Salesforce Marketing Cloud Setup. For better readability, I have split them by Studio/Builder, so they are not in the same order as in Setup.
To search for specific permission you can use site search in top right or browser search (CMD
/Ctrl
+F
keys).
#
General Permissions#
Salesforce Marketing CloudContains a mix of permissions for:
- Marketing Cloud Dashboard tools
- Contacts
- Marketing Cloud Roles
- Some Legacy or unreleased functions like Pulse or Watchdog.
One of the most important permissions here is:
- Salesforce Marketing Cloud > Contacts > Read Contact Data.
It is used in multiple SFMC areas and is required for them to work.
#
TagsPermissions for Marketing Cloud tagging solution.
#
AdministrationPermissions for most of the Setup items.
#
Event NotificationsPermissions for REST API Event Notifications Service.
#
Audit TrailPermissions for Audit Trail tools.
#
Database EncryptionPermissions for Transparent Database Encryption.
#
Email Studio Permissions#
EmailHuge permission set for most of the Email Studio features.
Two of the most important permissions here are:
- Email > Subscribers > Data Extensions > View
- Email > Subscribers > List > View
They are used in multiple SFMC areas and are required for them to work.
You Should Know
Some of the Shared Data Extension permissions are overwritten by local Data Extension permissions (for example Move, Rename). If you have problem with correctly limiting rights to Shared data, try playing with standard Data Extensions permissions.
Contains also some permissions for Legacy features like Omniture TnT and 3sixty.
#
Email Send WizardEnables Email Send process in Email Studio and partially for single send in Journey Builder.
#
Distributed SendingPermissions for Distributed Sending.
#
Transactional SendingPermissions for Transactional Messaging API.
#
Mobile Studio Permissions#
MobileConnectPermissions for MobileConnect.
#
MobilePushPermissions for MobilePush.
#
GroupConnectPermissions for Group Connect.
#
Social Studio PermissionsMost permissions are managed from within Social Studio and not available in global Setup.
#
SocialEngagePermissions for Engage, part of Social Studio.
Perform Workgroup Leader Role is permission for an unreleased feature.
#
Web Studio Permissions#
CloudPagesPermissions for Cloud Pages.
#
Interaction Studio PermissionsMost permissions are managed from within Interaction Studio and not available in global Setup.
#
Interaction StudioPermissions for Interaction Studio (Evergage).
#
Interaction Studio - LegacyLegacy permissions for previous Interaction Studio solution (Thunderhead).
#
Analytics Builder PermissionsTracking within Email Studio is managed by separate permissions available within Email permission group.
#
ReportsPermissions for Reports.
#
CampaignAnalyticsPermissions enabling Campaign objects for Reports. Available only on Role level (cannot be limited as individual permission).
#
AnalyticsPermissions for Web Analytics and integration with Google Analytics.
#
DiscoverPermissions for Discover premium feature.
#
Journey Builder Permissions#
Automation StudioPermissions for Automation Studio.
#
Journey BuilderPermissions for Journey Builder.
#
Content Builder Permissions#
Content BuilderPermissions for Content Builder.
#
Workflows and ApprovalsPermissions for Content Builder Approval tool.
#
Approvals (Email)Additional Permissions for Content Builder Approval tool.
#
Audience Builder Permissions#
Contact BuilderPermissions for Contact Builder.
#
Audience BuilderPermissions for Audience Builder.
#
Active AudiencesPermissions for Active Audiences - part of Audience Builder.
#
Audience Builder EnablerPermission for enabling Audience Builder.
#
Data Factory UtilityPermission related to Audience Builder and Discover (Analytics Builder add-on). Moves data between environments. Configured during implementation. Do not touch.
#
Salesforce DMPMost permissions are managed from within Salesforce DMP and not available in global Setup.
#
Einstein Data AnalyticsMost permissions are managed from within Einstein Analytics and not available in global Setup.
#
DatoramaMost permissions are managed from within Datorama and not available in global Setup.
#
Datorama ReportsPermissions for Datorama Reports - part of Datorama.
#
AppExchange Permissions#
HubExchangePermissions for AppExchange.
#
Legacy PermissionsBelow you can find permissions for solutions that are no longer offered by Salesforce. No need to worry about them.
#
MarketoLegacy permissions for integration with Adobe Marketo.
#
XpressLegacy permissions.
#
AdobeAnalyticsLegacy permissions for integration with Adobe Analytics.
#
tmMessengerLegacy permissions for integration with TicketMaster.
#
LEMILegacy permissions.
#
3sixtyLegacy permissions for integration with 3sixty elearning platform.
#
Extension ManagerLegacy permissions for Marketing Cloud Extension Manager.
#
DeveloperAppLegacy permissions.