Marketing Cloud roles & permissions explained: Part 1

Have you ever wondered why Marketing Cloud has a default role called Administrator and another called Marketing Cloud Administrator? What's the difference? Marketing Cloud roles and permissions are notorious for being a mystery that most people don’t have time to solve, which can lead to problems down the road. For example, many companies don't realize they have a risk exposure with User Access—a user could have too many permissions and accidentally delete a critical automation or clear out an important data extension.As a consultant, I work with clients of all shapes and sizes—ranging from large corporate enterprises to local non-profit groups. Nearly every week, I receive questions on how to set up user permissions. Most of the documentation I’ve come across leaves a lot to the imagination. It’s time to fix that. In this two-part series, I'll break down each of the default role options available to help you understand how permissions work and what the default roles actually mean.If you have a Marketing Cloud Enterprise 2.0 edition account, you have the option to aggregate permissions into a role you assign to a user. The key to mastering permissions is knowing that Marketing Cloud will always honor the MOST restrictive permission in each area when a user has multiple roles assigned. For instance, if someone has the Marketing Cloud Viewer role (with the “Deny” box checked for Email Send Wizard) and you assign the Marketing Cloud Administrator role on top of it, the user will not be able to access Email Send Wizard—despite the additional role.Marketing Cloud comes with a set of default roles. Some can be modified, some cannot. There are two main role types: Classic and Marketing Cloud.

• Classic roles are legacy roles carried over from ExactTarget. They can be modified and are focused on Email Studio permissions.
• Marketing Cloud standard roles cannot be modified and generally do not include Email Studio permissions. These roles govern permissions for Marketing Cloud’s entire suite of applications, including MobileConnect, MobilePush, Advertising Studio, Social Studio, Audience Builder and more. 

Below, I’ve dissected all the default options to help you determine which default roles are right for your users.

Default Role Type: Classic

Administrator

What it really means: This role is basically an Email Studio administrator with comprehensive access across key email functions. It also provides a general set of administrative rights across Marketing Cloud, such as creating new users and managing company account settings.What to consider: Users with this role need to have a keen understanding of all email preference and data privacy compliance laws (GDPR, CAN-SPAM, CCPA, CASL, etc). This role does not grant explicit access to Automation Studio and Journey Builder, so if your user plans on utilizing these tools to deploy an email, you’ll need to grant an additional role. 

Analyst

What it really means: The Analyst role is recommended for users who need to view email tracking data. In most cases, this role should be combined with a second one such as Marketing Cloud Viewer (or higher). Otherwise, the user won’t be able to access tracking data from Email Studio. What to consider:  Out of the box, the Analyst role gives permission to view all components labeled “Tracking." It doesn’t technically include reporting capabilities (i.e. report catalog), so consider augmenting this role to allow all reporting permissions, including Discover.

Content Creator

What it really means: This role contains a concise set of “Allow” permissions that mostly reside in the “Email Content” category. This can be useful for users who are largely responsible for creating email content but do not participate in deployment. This role also gives you access to shared folders for collaborating with other business units. This role does not cover content areas related to CloudPages or MobileConnect, so you may run into an issue if you're using interactive email content blocks. What to consider:  By default, this role does not contain any “Deny” permissions. However, it also does not explicitly grant access to deploy an email. You’ll need to combine this role with additional roles and permissions to create AND send emails. (Or potentially expand the access inside of this role)

Data Manager

What it really means: This is a focused role in terms of what categories are granted “allow” access (most are left blank) but it provides comprehensive access across everything in the “Interactions” and “Subscribers” sections including lists, groups, data extensions, Salesforce data, data relationships, filters and subscriber delete. What to consider:  This role has full access within every subset of the Subscribers category. If your organization uses subscriber filters to control data between business units, be careful about how many users you grant this role to. After all, it has full permissions to delete or modify attributes that could impact the effectiveness of your filters.

Distributed Sending User

What it really means:  Marketing Cloud's Distributed Sending product was replaced with “Distributed Marketing.” Unless your company was already using Distributed Sending, you likely won't need to utilize this role.

Default Role Type: Marketing Cloud

Marketing Cloud Administrator

Marketing Cloud’s Definition:  Someone in this role assigns Marketing Cloud roles to users and manages channels, apps and tools. What it really means: Permissions in this role are largely unrelated to email functions. Limit the total number of users with this role, since it's one of the most extensive sets of permissions a user can have. What to consider: This role doesn't grant explicit access to email subscribers, email content, email send management or shared content folders. Many customers combine Marketing Cloud Administrator with Administrator for a super admin set. Use this combo sparingly. 

Marketing Cloud Viewer

Marketing Cloud definition:  A person in this role views cross-channel marketing activity that takes place in Marketing Cloud.What it really means:  This is a pretty safe bet if you’re looking for a read-only role. It's low risk and provides visibility into all key areas of Marketing Cloud. Unfortunately, since this is truly a read-only role, users don't have permission to run a report.What to consider: In this role, there are a few main “Deny” areas you need to understand before you combine the Marketing Cloud Viewer with other roles. First is inside of Audience Builder (even though it has general view access allowed, everything else is explicit Deny). Next is the Email Send Wizard area where everything is denied. Third is within campaigns, calendar and contacts, as well as inside MobileConnect and Automation Studio. Almost everything in the Administration section is explicitly denied. If the user needs any of these permissions, do not assign them this role. It will always override any expanded access in that category. 

Marketing Cloud Content Editor/Publisher

Marketing Cloud definition:  A person in this role creates and delivers messages through mobile and sites channel apps.    What it really means: Overall, this role is a step above Marketing Cloud Viewer. In addition, since it doesn't give explicit access to data, it's a fairly safe role to hand out. It mainly offers create/edit rights in mobile and sites channel apps. In most sections, this role features an explicit "Deny" for the ability to delete items users have access to create. Except for Content Builder, they can delete content.  No explicit access to email studio, data extensions or third-party content administrator, which you would need if you use the Sitecore connector. No explicit access to run most reports (except for two contact and web & mobile reports) or use Discover reporting. What to consider: The key thing to watch out for here is the "Deny" settings inside of Automation Studio. Don't give this role to users who need to do anything beyond “View” Automation Studio. It contains a handful of "Deny" permissions inside general Audience Builder and Owned Audiences, but doesn't grant explicit access to anything inside of the Email section. It also contains an explicit "Deny" to create/edit campaigns or calendar events. Do not combine this role with either Administrator role, unless your intent is to override user access to the setup menu and prevent them from accessing it. 

Marketing Cloud Channel Manager

Marketing Cloud definition:  A person in this role creates and executes cross-channel interactive marketing campaigns and administers social and mobile channels.What it really means: This role is largely similar to Marketing Cloud Content Editor/Publisher, but has slightly expanded access, such as Audience Builder, the ability to administer MobilePush and delete capability in relevant sections. Generally, this role has the most report access, except for explicit access to minor items, such as Google Analytics (Note: Marketing Cloud Content Editor/Publisher does have access to this). It contains full access inside the Transactional Sending section. This role may delete CloudPages (Marketing Cloud Content Editor/Publisher cannot). What to consider: One of the main risks of this role is the ability to administer contact data model and delete contacts. Contact cleanup is a good thing, but deleting contacts needs to be carefully considered by someone who understands the implications. The only thing Marketing Cloud Content Editor/Publisher has that this role does not is explicit access to content builder (Assets, Folders, Third-Party Content aka Sitecore). This role doesn't grant explicit access to anything inside of the email. The only "Deny" permissions contained in this role are inside Administration. Do not combine this role with either Administrator role, unless your intent is to override their access to the setup menu and prevent them from accessing it. 

Marketing Cloud Security Administrator

Marketing Cloud definition: A person in this role maintains security settings and manages user activity and alerts.What it really means: This isn’t typically a role that should be widely granted or combined with many other roles.What to consider: Beware of one tiny set of “Deny” permissions inside the MobilePush category—administration, create messages and sending MobilePush messages are denied. Now that you're equipped with a thorough understanding of each of the default roles, you should be able to determine if you need to go beyond those and use custom options. Stay tuned for part two—I’ll explain different ways you can set up custom roles that can layer on top of default roles and go over some bonus best practices to manage permissions within your overall Marketing Cloud governance strategy.Please leave a comment below to let me know if you’ve uncovered any additional tips or tricks about default roles that should be added to the list!