SFMC Permissions
Welcome to the jungle, we've got Roles and Permissions.
Permissions Best Practices
Standard vs Custom Roles
The best way to work with Roles and Permissions in Salesforce Marketing Cloud is to leverage standard roles and only build on top of them with custom permissions/roles. Creating custom roles from scratch (even by copying existing standard role) is not recommended. There are two reasons for this:
- Standard Roles are updated every release to support changes in permissions structure.
- In many Marketing Cloud spaces, you need multiple permissions from various permission groups.
You Should Know
An excellent example of it might be the Journey Builder.
It is not enough to add full Journey Builder permissions to allow someone to work with that part of Marketing Cloud, because Activities used on Journey canvas require additional permissions to work:
1. Decision Splits and Wait by Attribute requires:
- Email > Subscribers > Data Extensions > View
- Salesforce Marketing Cloud > Contacts > Read Contact Data
2. Update Contact requires:
- Email > Subscribers > Data Extensions > View
- Email > Subscribers > List > View
3. Engagement Splits requires:
- Email > Content > Email > View
- Content Builder > Assets > View
4. Journey Entry Sources requires:
- Email > Subscribers > Data Extensions > View
- Email > Subscribers > List > View
- Salesforce Marketing Cloud > Contacts > Read Contact Data
5. Goals, Exit Criteria, Default Email and Mobile Number settings require:
- Email > Subscribers > Data Extensions > View
- Salesforce Marketing Cloud > Contacts > Read Contact Data
Such mixes are happening in multiple parts of Marketing Cloud and might change from release to release, which makes creating custom roles from scratch very hard to make and maintain.
However, Standard Roles not always align perfectly with your needs. The widespread use case would be hiding shared folders via permissions or blocking deletion rights for some users. It is where custom work is needed.
You Should Know
If you want to quickly:
- clone permissions of a standard role,
- move a tested and proven role between SFMC accounts or
- document your custom solution
You can do it easily with a ready-to-use JavaScript snippet.
Permission Overlap
When working with multiple roles or overlapping permissions, be sure to check what is the outcome on the user.
Marketing Cloud goes with the most restrictive resulting permission possible:
- If at least one permission (role-based or individual) is set to Deny - the user will not be able to use the feature.
- If there is neither Allow nor Deny permission - the user will not be able to use the feature.
- If there is at least one Allow permission and not even one Deny permission - the user will be able to use the feature.
You can check the outcome by going to Setup > Users > Users > clicking checkbox next to a user > clicking Manage Roles > Edit Permissions. In this place, you can not only configure individual permissions but also, by expanding to the final permission level, check current result permission along with the source for that state.
SFMC Permissions
Below I have listed details on the permissions currently available in Salesforce Marketing Cloud Setup. For better readability, I have split them by Studio/Builder, so they are not in the same order as in Setup.
To search for specific permission you can use site search in top right or browser search (CMD/Ctrl+F keys).
General Permissions
Salesforce Marketing Cloud
Contains a mix of permissions for:
- Marketing Cloud Dashboard tools
- Contacts
- Marketing Cloud Roles
- Some Legacy or unreleased functions like Pulse or Watchdog.
One of the most important permissions here is:
- Salesforce Marketing Cloud > Contacts > Read Contact Data.
It is used in multiple SFMC areas and is required for them to work.
Tags
Permissions for Marketing Cloud tagging solution.
Administration
Permissions for most of the Setup items.
Event Notifications
Permissions for REST API Event Notifications Service.
Audit Trail
Permissions for Audit Trail tools.
Database Encryption
Permissions for Transparent Database Encryption.
Email Studio Permissions
Email
Huge permission set for most of the Email Studio features.
Two of the most important permissions here are:
- Email > Subscribers > Data Extensions > View
- Email > Subscribers > List > View
They are used in multiple SFMC areas and are required for them to work.
You Should Know
Some of the Shared Data Extension permissions are overwritten by local Data Extension permissions (for example Move, Rename). If you have problem with correctly limiting rights to Shared data, try playing with standard Data Extensions permissions.
Contains also some permissions for Legacy features like Omniture TnT and 3sixty.
Email Send Wizard
Enables Email Send process in Email Studio and partially for single send in Journey Builder.
Distributed Sending
Permissions for Distributed Sending.
Transactional Sending
Permissions for Transactional Messaging API.
Mobile Studio Permissions
MobileConnect
Permissions for MobileConnect.
MobilePush
Permissions for MobilePush.
GroupConnect
Permissions for Group Connect.
Social Studio Permissions
Most permissions are managed from within Social Studio and not available in global Setup.
SocialEngage
Permissions for Engage, part of Social Studio.
Perform Workgroup Leader Role is permission for an unreleased feature.
Web Studio Permissions
CloudPages
Permissions for Cloud Pages.
Interaction Studio Permissions
Most permissions are managed from within Interaction Studio and not available in global Setup.
Interaction Studio
Permissions for Interaction Studio (Evergage).
Interaction Studio - Legacy
Legacy permissions for previous Interaction Studio solution (Thunderhead).
Analytics Builder Permissions
Tracking within Email Studio is managed by separate permissions available within Email permission group.
Reports
Permissions for Reports.
CampaignAnalytics
Permissions enabling Campaign objects for Reports. Available only on Role level (cannot be limited as individual permission).
Analytics
Permissions for Web Analytics and integration with Google Analytics.
Discover
Permissions for Discover premium feature.
Journey Builder Permissions
Automation Studio
Permissions for Automation Studio.
Journey Builder
Permissions for Journey Builder.
Content Builder Permissions
Content Builder
Permissions for Content Builder.
Workflows and Approvals
Permissions for Content Builder Approval tool.
Approvals (Email)
Additional Permissions for Content Builder Approval tool.
Audience Builder Permissions
Contact Builder
Permissions for Contact Builder.
Audience Builder
Permissions for Audience Builder.
Active Audiences
Permissions for Active Audiences - part of Audience Builder.
Audience Builder Enabler
Permission for enabling Audience Builder.
Data Factory Utility
Permission related to Audience Builder and Discover (Analytics Builder add-on). Moves data between environments. Configured during implementation. Do not touch.
Salesforce DMP
Most permissions are managed from within Salesforce DMP and not available in global Setup.
Einstein Data Analytics
Most permissions are managed from within Einstein Analytics and not available in global Setup.
Datorama
Most permissions are managed from within Datorama and not available in global Setup.
Datorama Reports
Permissions for Datorama Reports - part of Datorama.
AppExchange Permissions
HubExchange
Permissions for AppExchange.
Legacy Permissions
Below you can find permissions for solutions that are no longer offered by Salesforce. No need to worry about them.
Marketo
Legacy permissions for integration with Adobe Marketo.
Xpress
Legacy permissions.
AdobeAnalytics
Legacy permissions for integration with Adobe Analytics.
tmMessenger
Legacy permissions for integration with TicketMaster.
LEMI
Legacy permissions.
3sixty
Legacy permissions for integration with 3sixty elearning platform.
Extension Manager
Legacy permissions for Marketing Cloud Extension Manager.
DeveloperApp
Legacy permissions.