Welcome to the jungle, we've got Roles and Permissions.
Table of Contents
- Permissions Best Practices
- SFMC Permissions
The best way to work with Roles and Permissions in Salesforce Marketing Cloud is to leverage standard roles and only build on top of them with custom permissions/roles. Creating custom roles from scratch (even by copying an existing standard role) is not recommended. There are two reasons for this:
- Standard Roles are updated every release to support changes in permissions structure.
- In many Marketing Cloud spaces, you need multiple permissions from various permission groups.
You Should Know
Journey Builder is an excellent example of this.
Granting full Journey Builder permissions is not enough to let someone work with that part of Marketing Cloud, because Activities used on the Journey canvas require additional permissions to work:
1. Decision Splits and Wait by Attribute requires:
   - Email > Subscribers > Data Extensions > View
   - Salesforce Marketing Cloud > Contacts > Read Contact Data
2. Update Contact requires:
   - Email > Subscribers > Data Extensions > View
   - Email > Subscribers > List > View
3. Engagement Splits requires:
   - Email > Content > Email > View
   - Content Builder > Assets > View
4. Journey Entry Sources requires:
   - Email > Subscribers > Data Extensions > View
   - Email > Subscribers > List > View
   - Salesforce Marketing Cloud > Contacts > Read Contact Data
5. Goals, Exit Criteria, Default Email and Mobile Number settings require:
   - Email > Subscribers > Data Extensions > View
   - Salesforce Marketing Cloud > Contacts > Read Contact Data
Such mixes occur in multiple parts of Marketing Cloud and might change from release to release, which makes custom roles built from scratch very hard to create and maintain.
However, Standard Roles do not always align perfectly with your needs. A widespread use case is hiding shared folders via permissions or blocking deletion rights for some users. This is where custom work is needed.
When working with multiple roles or overlapping permissions, be sure to check the resulting outcome for the user.
Marketing Cloud goes with the most restrictive resulting permission possible:
- If at least one permission (role-based or individual) is set to Deny - the user will not be able to use the feature.
- If there is neither Allow nor Deny permission - the user will not be able to use the feature.
- If there is at least one Allow permission and not even one Deny permission - the user will be able to use the feature.
You can check the outcome by going to Setup > Users > Users > selecting the checkbox next to a user > clicking Manage Roles > Edit Permissions. Here you can not only configure individual permissions but also, by expanding down to the final permission level, check the current resulting permission along with the source of that state.
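The resolution rules above, combined with the Journey Builder dependency list, can be modelled offline when reviewing a planned role mix. This is an added example, not Salesforce code or part of the original article: the function names, the role names, and the sample grants are hypothetical, and the grants are typed in by hand rather than read from any Marketing Cloud API.

```python
# Permission names and activity dependencies are copied from the list on this page.
DE_VIEW = "Email > Subscribers > Data Extensions > View"
LIST_VIEW = "Email > Subscribers > List > View"
READ_CONTACT = "Salesforce Marketing Cloud > Contacts > Read Contact Data"
EMAIL_VIEW = "Email > Content > Email > View"
ASSET_VIEW = "Content Builder > Assets > View"

ACTIVITY_REQUIRES = {
    "Decision Splits and Wait by Attribute": {DE_VIEW, READ_CONTACT},
    "Update Contact": {DE_VIEW, LIST_VIEW},
    "Engagement Splits": {EMAIL_VIEW, ASSET_VIEW},
    "Journey Entry Sources": {DE_VIEW, LIST_VIEW, READ_CONTACT},
    "Goals, Exit Criteria, Default Email and Mobile Number settings": {DE_VIEW, READ_CONTACT},
}


def effective(permission, sources):
    """sources: {source_name: {permission: "Allow" | "Deny"}} -> (usable, reason)."""
    states = {n: g[permission] for n, g in sources.items() if permission in g}
    denies = sorted(n for n, s in states.items() if s == "Deny")
    if denies:  # a single Deny from any role or individual grant wins
        return False, "Deny from " + ", ".join(denies)
    allows = sorted(n for n, s in states.items() if s == "Allow")
    if allows:  # at least one Allow and no Deny
        return True, "Allow from " + ", ".join(allows)
    return False, "not set"  # neither Allow nor Deny behaves like a denial


def blocked_activities(sources):
    """Return {activity: {permission: reason}} for activities the user cannot use."""
    report = {}
    for activity, needed in ACTIVITY_REQUIRES.items():
        checks = {p: effective(p, sources) for p in sorted(needed)}
        missing = {p: reason for p, (ok, reason) in checks.items() if not ok}
        if missing:
            report[activity] = missing
    return report


# Constructed sample: role names and grants are hypothetical.
SAMPLE_USER = {
    "role:Journey Author": {DE_VIEW: "Allow", READ_CONTACT: "Allow", EMAIL_VIEW: "Allow"},
    "role:Restricted Lists": {LIST_VIEW: "Deny"},
    "individual": {LIST_VIEW: "Allow"},
}

if __name__ == "__main__":
    for activity, missing in blocked_activities(SAMPLE_USER).items():
        print(activity, "->", missing)
```

In the sample, the individual Allow on List View does not override the role-level Deny, and the unset Content Builder asset permission blocks Engagement Splits even though nothing denies it.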
Below I have listed details on the permissions currently available in Salesforce Marketing Cloud Setup. For better readability, I have split them by Studio/Builder, so they are not in the same order as in Setup.
To search for a specific permission, you can use the site search in the top right or the browser search (
Contains a mix of permissions for:
- Marketing Cloud Dashboard tools
- Marketing Cloud Roles
- Some Legacy or unreleased functions like Pulse or Watchdog.
One of the most important permissions here is:
- Salesforce Marketing Cloud > Contacts > Read Contact Data.
It is used in multiple SFMC areas and is required for them to work.
Permissions for Marketing Cloud tagging solution.
Permissions for most of the Setup items.
Permissions for REST API Event Notifications Service.
Permissions for Audit Trail tools.
Permissions for Transparent Database Encryption.
Huge permission set for most of the Email Studio features.
Two of the most important permissions here are:
- Email > Subscribers > Data Extensions > View
- Email > Subscribers > List > View
They are used in multiple SFMC areas and are required for them to work.
You Should Know
Some of the Shared Data Extension permissions are overwritten by local Data Extension permissions (for example Move, Rename). If you have a problem with correctly limiting rights to Shared data, try adjusting the standard Data Extensions permissions.
Also contains some permissions for Legacy features like Omniture TnT and 3sixty.
Enables Email Send process in Email Studio and partially for single send in Journey Builder.
Permissions for Distributed Sending.
Permissions for Transactional Messaging API.
Permissions for MobileConnect.
Permissions for MobilePush.
Permissions for Group Connect.
Most permissions are managed from within Social Studio and not available in global Setup.
Permissions for Engage, part of Social Studio.
Perform Workgroup Leader Role is a permission for an unreleased feature.
Permissions for Cloud Pages.
Most permissions are managed from within Interaction Studio and not available in global Setup.
Permissions for Interaction Studio (Evergage).
Legacy permissions for previous Interaction Studio solution (Thunderhead).
Tracking within Email Studio is managed by separate permissions available within Email permission group.
Permissions for Reports.
Permissions enabling Campaign objects for Reports. Available only at the Role level (cannot be limited as an individual permission).
Permissions for Web Analytics and integration with Google Analytics.
Permissions for Discover premium feature.
Permissions for Automation Studio.
Permissions for Journey Builder.
Permissions for Content Builder.
Permissions for Content Builder Approval tool.
Additional Permissions for Content Builder Approval tool.
Permissions for Contact Builder.
Permissions for Audience Builder.
Permissions for Active Audiences - part of Audience Builder.
Permission for enabling Audience Builder.
Permission related to Audience Builder and Discover (Analytics Builder add-on). Moves data between environments. Configured during implementation. Do not touch.
Most permissions are managed from within Salesforce DMP and not available in global Setup.
Most permissions are managed from within Einstein Analytics and not available in global Setup.
Most permissions are managed from within Datorama and not available in global Setup.
Permissions for Datorama Reports - part of Datorama.
Permissions for AppExchange.
Below you can find permissions for solutions that are no longer offered by Salesforce. No need to worry about them.
Legacy permissions for integration with Adobe Marketo.
Legacy permissions for integration with Adobe Analytics.
Legacy permissions for integration with TicketMaster.
Legacy permissions for integration with 3sixty elearning platform.
Legacy permissions for Marketing Cloud Extension Manager.