Access Management - permissions

Permissions are sets of rights to access and work in the different modules. The permissions are defined in so called permission sets. After their creation, permission sets can be assigned to groups (they apply to users in those groups and for a selection of organizations).

Permission sets are defined as user roles, such as Template creator, Email designer, Full Access, etc.

The following roles are created by the system and cannot be deleted :

- Organization admin — Is used for Marigold Engage and Site.
For Marigold Engage : Has only access to the 'Organizations' tab in the Admin Configuration section of Marigold Engage. There, the admin can define audiences, languages and mail domains, together with endpoints and data integration for organization(s). This user role has no other rights, and can for example not create new users or configure permission sets.
For Site : Has access to the Configuration section in Site, to setup Universes (and Labels).

- System admin — Has all configuration rights in the Admin Configuration section of Marigold Engage. This user role also includes the 'Organization admin' rights.

Note: The default permission sets are not visible in the permissions overview, but can be selected directly when assigning permissions to groups.

 

The Permission overview shows all permission sets that are configured.

The overview can be sorted by clicking on a column header.

The Search field at the top-right allows searching in the list of permission sets based on name.

From this overview you can

  • create a new permission set — see below.
  • edit an existing permission set — by clicking on the name of a permission set (shown in the first column). The properties are then displayed in a right sliding panel.
  • delete an existing permission set — by clicking on the garbage bin icon at the end of a line.

Note: For customers migrating from Campaign V6 to Marigold Engage, all their users and their permission sets will be migrated to Marigold Engage.
These users have permissions assigned that correspond to their current roles in Campaign. Their permissions are automatically set for all Organizations.
Users that have the right to modify user rights in Campaign will automatically be System Administrators in Marigold Engage.

 

Create a permission set

To create a new permission, click on the New button at the top-right.


The following properties can be configured:

  • Permission Name* — Provide a name for the permission set that accurately reflects what the permission represents. (e.g., Journey Designer, Asset Creator, etc.)
  • Description — You can provide an optional description for the permission.
  • Permission Configuration — Permissions are split over the different chapters : modules, content, journeys, lists, reports, library, data exchange and cadence. For each a set of rights can be defined.
    • Access right — Refers to the right to view, create, delete or edit the referenced element.
      In case Approval management is activated, Content access rights refer also to the right to request an approval for the content.
    • Publish right — Refers to the right to publish an element or stop the execution (of a journey in this case).
      In case Content Approval management is activated on the environment, Publish right refers to the right to approve content.
    • Read only right — Only allows to view the record. No changes are allowed. The read-only permissions are the dominant ones when multiple permissions sets with different access levels are assigned to a group.
      Selecting read-only automatically deselects the other rights.

    Note:
    When activating the publish right, the access right is automatically set for that item (as a user needs access in order to publish).
    The other way around, when deactivating the access right, the publish right is automatically deselected too for that item (as a user needs access in order to publish)



    Select/deselect the checkboxes to activate/deactivate the rights (or click on the 'Select all'/'Deselect all' button to select/deselect all the check boxes at once for a chapter) :

    • Modules — The Launch right defines if a module is shown in the Module menu in the top right of the toolbar. (Note that the modules listed here depend on what has been activated for each customer environment).:
      • Campaign reporting
      • Advanced Universal Profile
      • Campaign and Renderers API explorer (includes Campaign reporting)
      • Consumer Information Management
      • FrontLine
      • Recommendations
      • Grow
      • Engage (includes API Explorer)
      • Site
      • Universal Profile
      • Loyalty
    • Note: Engage Data Studio is not included in the list of Modules as this is activated in a different way. Contact Marigold to activate Engage Data Studio.

    • Folders — Activating the Folder rights provides access to the folder rights setup and use.
      When the permission is set for a group and an organization, the group has by default access only to the root folder. The administrator can then start setting the folder rights.
      When the permission is not set for a group, the group has access to all folders as no folder rights apply to them.
    • Content — Provides Access, Read-only and Publish rights to the different types of content:
      • Copy email cross organizations — Allows messages to be copied outside the organization. There are several requirements to be able to copy to another organization. More details can be found here.
      • Email — If access is given to emails but not templates, it is not possible to convert an email to a template.
      • Live Content — This provides the right to manage the Live Content.
      • Mobile Messages —This right gives access to the Mobile component in Custom Journeys, and includes also in-app messages
      • Pages — Includes HTML and API response pages.
      • SMS — This right gives access to the SMS component.
      • MMS — This right gives access to the MMS component
      • RCS — This right allows you to use the RCS component in a journey.
      • Templates (only email) — If access is given to templates but not email, it is not possible to convert a template to an email.
      • Quick Starts — Access to Quick Starts allows setting an existing email as a Quick Start as well as editing, saving and validating the Quick Start message. Read-only rights for Quick Starts allow viewing and using the Quick Starts to create a new message from.
        Note that you also need additional Access rights for Email to be able to convert an email to a Quick Start as well as when creating a new email from a Quick Start. Quick Starts are a specific type of email and permissions for Quick Start need to be combined with permissions for Email.
    • Note:
      Read-only rights can be applied to specific content types or all types. When applied to all, it is not possible to create new content and the New button will be disabled. If read-only is applied to only certain types, the New button on the content overview page remains visible and content of other types can still be created.
      Read-Only rights on content allows 'Analysis and Preview' of content as well as sending test messages.
      Even if there is no access to the Content, it is still possible to select it in a Journey. Selecting content in a journey is managed by the journey permissions. However, editing of content will not be possible.
      Access rights to content include create, edit, save, validate, preview and test.
      Publish rights allow to publish content and delete.

    • Journeys — Provides Access, Read-only and Publish rights to the different types of journeys that can be created as well as the features in journeys that require explicit access :
      • Audience Validation — Determines if another pop-up confirmation is required upon journey launch (see usage here)
      • Batch execution - Message
      • Batch execution - Template
      • Custom channels — Access rights to Custom Channels determines if you can create Custom Components of type Custom Channel in the Data Exchange chapter. When no access is given, the option Custom Channel is not displayed in the drop-down in the Data Exchange chapter. However, you can still use Custom Channels in a journey.
      • Custom Journeys
      • Inbound — Access rights to Inbound determines if you can manage Inbound channels in the Data Exchange Chapter.
      • Transactional Journeys

        Note: Publish rights not only make a journey available for execution, it also influences if you can delete, activate, pause or set the journey offline or not. For example, Publish rights are required for Custom Journeys, Transactional Journeys, Single Batch, Recurring Batch and AB Journeys to allow the user to delete them.
        Read-only rights can be applied to specific journey types or all types. When applied to all, it is not possible to create new journeys and the New button will be disabled. If read-only is applied to only certain types, the New button on the journey overview page remains visible and journeys of other types can still be created.
        Access rights for journeys implies create, configure, schedule and set properties.

    • Lists — Users can be given Read-Only, Access and Sharing rights to any type of list.
      - Access rights imply the right to create and manage lists, data, relations, segments, etc.
      - Sharing rights can be set allowing the user to share lists with another organization.
      - Read-Only rights give the user only the permission to use existing lists in Content and Journeys, and to open and view them in the Lists chapter without the right to make any changes nor creating new ones.

      Note: When Read-Only is selected, the Access and Sharing checkboxes are automatically cleared, as they can't be combined.

    • Personal Data Visibility — By default all users have access to personal data. When access needs to be restricted, this option needs to be checked.
      Users with personal data restrictions do not have access to
      • the Data tab for Audience and Data Lists
      • the Data tab in Dynamic and Static segments for Audience and Data lists
      • the Data tab in Custom Event Lists
      • count values in the Constraint Builder
    •  Admin configuration/Labels — Users can be given read-only rights or access rights to the Asset Labels feature. Only users with access rights will be able to create, configure, delete labels here. Also, these users have the ability to create new labels on the fly when assigning them to an asset.
      Everyone, regardless the permission level, can assign labels to assets.
    • Reports — Provides access to and use of the Reports.
    •  Dashboards — Provides access to and use of Dashboards .
    • Library — Provides access to the following library-related elements. Access implies use, add, change, remove, rename and delete.
      • Content Blocks — Even without Access rights, you can still use Content Blocks in a message. For Content Blocks, there are also read-only permissions, allowing the user to view the Content Blocks in the Library without the ability to make any changes.
      • Labels and Dictionaries — Even without Access right, you can still use labels and dictionaries in messages.
      • Files — Users can access files and images. This implies managing the files (create, move, rename, remove). There is also the possibility to give a Read-only permission allowing users to use files in the Library (without the ability to make updates).

        Note: When a user is part of different user groups with different permission sets with Read-only rights as well as Access rights to the Files section, then the most restricting right (Read-only) is applied in this case.


      • Social — This access right defines if the user has access to the social components (such as Facebook and Google) in a Custom Journey.
      • Website Placements (only available when integrations are set up with Site) —This right gives users the ability to manage all Site Placements for that universe, as well as view their usage.
    • Data Exchange — The Access right implies the right to manage one of the following:
      • Custom Components — Right to create, amend, test, schedule and test Custom Components. If no access right is given here, you can still use Custom Components in a Custom Journey. However, to create a Custom Component of type Custom Channel, you need access rights to Custom Channels in the Journey permissions.
      • Data Syncs
      • Data Export — Right to create, amend, schedule and execute Data Exports
      • Data Import — Right to create, amend, schedule and execute Data Imports
      • Tasks — Right to create, amend, schedule and execute all types of tasks.
        => Also, the Define medium right can be set for Export, Import and Tasks. This right gives the ability to define your own mediums when creating exports, imports or tasks. When disabled it removes all target medium options except pre-defined. It also prevents modification to existing non-pre-defined medium targets.
      • Data Explorer, giving the ability to query user and system tables.
    • Cadence — The Access right includes the right to create, amend and configure plans and priority. Users with no access to journeys can still add journeys to a Cadence plan.
    •  Site — A matrix allows defining detailed rights for the different entities within the Site tool: Segments, Offers, Tags, Exports, Carts. Marketers with access to these sections have the right to Create, Update, Delete, Clear tag values (to allow clearing previously collected tag values) and Queue (to export manually).
      Access to the Site configuration requires Organization Admin rights.

    Note: All users that can access segments or offers can also create labels for segments/offers

    Important notes:
    - Since the launch of the Vanilla release (June 2021), the Site User rights, Create, Update and Delete have been replaced by the more generic Engage 'Access' right to be in line with the Engage rights management.
    - User rights will still be configurable in the Site module via the Configuration chapter. Only when Site permissions are updated for a specific user in Engage, the rights will disappear in Site for this specific user. From this point forward, you are expected to manage your Site permissions via Engage.
    - In Site, the ‘Edit my profile’ menu next to the username (in the top bar) is no longer available when the user opens Site from Engage. Profile info can then be updated from the ‘Account details’ in Engage.

Click Save to save the permission set.

The permission set can now be assigned to groups.

 

Exercises

Try out the following exercises on permissions:

Exercise 1 - we have 2 permission sets, 'Approver' and 'Editor'. We have a 'Parana UK' group of which Carol is a member. Have a look at the following setup:

With the above information, try to answer the following questions: Can Carol...

1. ...create a new email for the Arkham?
2. ...update an SMS message in BEDLAM?
3. ...amend Live Content in Arkham?
4. ...publish a Push notification in Arkham?
5. ...convert a template to an email in Bedlam?
6. ...delete a page in Cluedo?
7. ...delete an In App message in Arkham?
8. ...copy an SMS from Bedlam To Cluedo?

The answers are:

1. Yes - she has access rights to Email as an editor for Arkham.
2. Yes - she has access rights to SMS as an approver for Bedlam.
3. Yes - she has access rights to Live Content as an approver for Arkham.
4. No - she has no publish rights as an editor for Arkham.
5. Yes - she has access rights to email and template as an approver for Bedlam.
6. Yes - she has publish rights as an approver for Cluedo.
7. No - she has no publish rights for Mobile messages as an editor in Arkham.
8. No - she can not copy content across organization as an approver for Bedlam.

 

Exercise 2: Here we have added a new group 'Parana US' with user Jean. There are 3 permission sets in this example. Have a look at the following setup:

With the above information, try to answer the following questions: Can Jean...

1. ....create an email in Arkham?
2. ....update an SMS message in Bedlam?
3. ... amend Live Content in Cluedo?
4. ... publish a Push notification in Arkham?
5. ... delete a template in Bedlam?
6. ... copy a page from Bedlam to Arkham?

The answers are:

1. Yes - she has access rights for email as approver to Arkham.
2. No - she has no access rights for SMS as a reviewer for Arkham.
3. No - she has no rights at all for Cluedo organization.
4. Yes - she has publish rights for Mobile Push as an approver for Arkham.
5. No - she has no publish rights for templates as a reviewer for Bedlam.
6 . Yes - she can copy content across organization as a reviewer for Bedlam and has access rights to pages as an approver for Arkham.

 

Exercise 3 - We have the same permission sets and groups but our user Hank is part of two groups in this case.

With the above information, can Hank...

1. ... create a new email in Arkham?
2. ... update an SMS message in Bedlam?
3. ... amend Live Content in Cluedo?
4. ... publish a notification in Arkham?
5. ... delete a template in Bedlam?
6. ... copy a page from Bedlam to Arkham

The answers are:

1. Yes - the user has access rights to email as an editor for Arkham + as an approver for Arkham.
2. No - the user only has read-only rights for SMS as a reviewer for Bedlam which overrules the access rights to SMS as an approver for Bedlam.
3. Yes - the user has access rights to LC as an approver for Cluedo.
4. Yes - the user has publish rights for MobilePush as an approver for Arkham.
5. No - the user only has read-only rights for templates as a reviewer for Bedlam. This overrules the publish rights for templates for Hank as an approver.
6. Yes - the user can copy across organization as a reviewer for Bedlam + has access rights to templates as an editor for Arkham.

 

Exercise 4 - Following setup defines the rights for a user for the Content and Journey Chapter.

Can you answer the following questions? Can the user...

1. ...create a mobile message for a sale, using a Single Batch Journey to deliver it next week?
2. ...use a template to create an announcement for a Single Batch Journey?
3. ...copy this template to an email , then use this email in a Recurring Batch Journey?
4. ...create a new page, then add this to a new Custom Journey?
5. ...replace an SMS in an existing Custom Journey?
6. ...delete an existing Transactional Journey?

The answers are:

1. Yes - the user has access and publish rights for mobile messages. Publish is required to be able to use the mobile messages in a journey. The user also has access rights to Batch execution journeys.
2. No - the user has no rights for batch execution using templates.
3. Yes - the user has access rights to templates so is allowed to convert it to an email. The user also has access and publish rights for emails and can make the email available for a RBJ. The user also has access to Batch execution for messages so all prerequisites are fulfilled.
4. Yes - the user has access and publish rights to pages and is allowed to access Custom Journeys.
5. Yes - the user has access rights to Custom Journeys and can select a different SMS.
6. No - the user has no publish rights for Transactional Journeys and can hence not delete such a journey.