SFMC Permissions
Welcome to the jungle, we've got Roles and Permissions.
Table of Contents
Permissions Best Practices#
Standard vs Custom Roles#
The best way to work with Roles and Permissions in Salesforce Marketing Cloud is to leverage standard roles and only build on top of them with custom permissions/roles. Creating custom roles from scratch (even by copying existing standard role) is not recommended. There are two reasons for this:
- Standard Roles are updated every release to support changes in permissions structure.
- In many Marketing Cloud spaces, you need multiple permissions from various permission groups.
You Should Know
An excellent example of it might be the Journey Builder.
It is not enough to add full Journey Builder permissions to allow someone to work with that part of Marketing Cloud, because Activities used on Journey canvas require additional permissions to work:
1. Decision Splits and Wait by Attribute requires: - Email > Subscribers > Data Extensions > View - Salesforce Marketing Cloud > Contacts > Read Contact Data2. Update Contact requires: - Email > Subscribers > Data Extensions > View - Email > Subscribers > List > View3. Engagement Splits requires: - Email > Content > Email > View - Content Builder > Assets > View4. Journey Entry Sources requires: - Email > Subscribers > Data Extensions > View - Email > Subscribers > List > View - Salesforce Marketing Cloud > Contacts > Read Contact Data5. Goals, Exit Criteria, Default Email and Mobile Number settings require: - Email > Subscribers > Data Extensions > View - Salesforce Marketing Cloud > Contacts > Read Contact DataSuch mixes are happening in multiple parts of Marketing Cloud and might change from release to release, which makes creating custom roles from scratch very hard to make and maintain.
However, Standard Roles not always align perfectly with your needs. The widespread use case would be hiding shared folders via permissions or blocking deletion rights for some users. It is where custom work is needed.
Permission Overlap#
When working with multiple roles or overlapping permissions, be sure to check what is the outcome on the user.
Marketing Cloud goes with the most restrictive resulting permission possible:
- If at least one permission (role-based or individual) is set to Deny - the user will not be able to use the feature.
- If there is neither Allow nor Deny permission - the user will not be able to use the feature.
- If there is at least one Allow permission and not even one Deny permission - the user will be able to use the feature.
You can check the outcome by going to Setup > Users > Users > clicking checkbox next to a user > clicking Manage Roles > Edit Permissions. In this place, you can not only configure individual permissions but also, by expanding to the final permission level, check current result permission along with the source for that state.
SFMC Permissions#
Below I have listed details on the permissions currently available in Salesforce Marketing Cloud Setup. For better readability, I have split them by Studio/Builder, so they are not in the same order as in Setup.
To search for specific permission you can use site search in top right or browser search (CMD/Ctrl+F keys).
General Permissions#
Salesforce Marketing Cloud#
Contains a mix of permissions for:
- Marketing Cloud Dashboard tools
- Contacts
- Marketing Cloud Roles
- Some Legacy or unreleased functions like Pulse or Watchdog.
One of the most important permissions here is:
- Salesforce Marketing Cloud > Contacts > Read Contact Data.
It is used in multiple SFMC areas and is required for them to work.
Tags#
Permissions for Marketing Cloud tagging solution.
Administration#
Permissions for most of the Setup items.
Event Notifications#
Permissions for REST API Event Notifications Service.
Audit Trail#
Permissions for Audit Trail tools.
Database Encryption#
Permissions for Transparent Database Encryption.
Email Studio Permissions#
Email#
Huge permission set for most of the Email Studio features.
Two of the most important permissions here are:
- Email > Subscribers > Data Extensions > View
- Email > Subscribers > List > View
They are used in multiple SFMC areas and are required for them to work.
You Should Know
Some of the Shared Data Extension permissions are overwritten by local Data Extension permissions (for example Move, Rename). If you have problem with correctly limiting rights to Shared data, try playing with standard Data Extensions permissions.
Contains also some permissions for Legacy features like Omniture TnT and 3sixty.
Email Send Wizard#
Enables Email Send process in Email Studio and partially for single send in Journey Builder.
Distributed Sending#
Permissions for Distributed Sending.
Transactional Sending#
Permissions for Transactional Messaging API.
Mobile Studio Permissions#
MobileConnect#
Permissions for MobileConnect.
MobilePush#
Permissions for MobilePush.
GroupConnect#
Permissions for Group Connect.
Social Studio Permissions#
Most permissions are managed from within Social Studio and not available in global Setup.
SocialEngage#
Permissions for Engage, part of Social Studio.
Perform Workgroup Leader Role is permission for an unreleased feature.
Web Studio Permissions#
CloudPages#
Permissions for Cloud Pages.
Interaction Studio Permissions#
Most permissions are managed from within Interaction Studio and not available in global Setup.
Interaction Studio#
Permissions for Interaction Studio (Evergage).
Interaction Studio - Legacy#
Legacy permissions for previous Interaction Studio solution (Thunderhead).
Analytics Builder Permissions#
Tracking within Email Studio is managed by separate permissions available within Email permission group.
Reports#
Permissions for Reports.
CampaignAnalytics#
Permissions enabling Campaign objects for Reports. Available only on Role level (cannot be limited as individual permission).
Analytics#
Permissions for Web Analytics and integration with Google Analytics.
Discover#
Permissions for Discover premium feature.
Journey Builder Permissions#
Automation Studio#
Permissions for Automation Studio.
Journey Builder#
Permissions for Journey Builder.
Content Builder Permissions#
Content Builder#
Permissions for Content Builder.
Workflows and Approvals#
Permissions for Content Builder Approval tool.
Approvals (Email)#
Additional Permissions for Content Builder Approval tool.
Audience Builder Permissions#
Contact Builder#
Permissions for Contact Builder.
Audience Builder#
Permissions for Audience Builder.
Active Audiences#
Permissions for Active Audiences - part of Audience Builder.
Audience Builder Enabler#
Permission for enabling Audience Builder.
Data Factory Utility#
Permission related to Audience Builder and Discover (Analytics Builder add-on). Moves data between environments. Configured during implementation. Do not touch.
Salesforce DMP#
Most permissions are managed from within Salesforce DMP and not available in global Setup.
Einstein Data Analytics#
Most permissions are managed from within Einstein Analytics and not available in global Setup.
Datorama#
Most permissions are managed from within Datorama and not available in global Setup.
Datorama Reports#
Permissions for Datorama Reports - part of Datorama.
AppExchange Permissions#
HubExchange#
Permissions for AppExchange.
Legacy Permissions#
Below you can find permissions for solutions that are no longer offered by Salesforce. No need to worry about them.
Marketo#
Legacy permissions for integration with Adobe Marketo.
Xpress#
Legacy permissions.
AdobeAnalytics#
Legacy permissions for integration with Adobe Analytics.
tmMessenger#
Legacy permissions for integration with TicketMaster.
LEMI#
Legacy permissions.
3sixty#
Legacy permissions for integration with 3sixty elearning platform.
Extension Manager#
Legacy permissions for Marketing Cloud Extension Manager.
DeveloperApp#
Legacy permissions.