Given a scenario, implement the configuration of business units, users/permissions, and security/passwords.
While business units allow to control access to Marketing Cloud data, roles and permissions can be used to manage access to Marketing Cloud features. Additional security settings allow to configure access to the Marketing Cloud platform.
Business units allow to control access and sharing of Marketing Cloud data. They can be structured as a hierarchy to control access. Users in a business unit have access to all data created in it, but data can also be shared across business units.
Multiple business units can be created within an Enterprise 2.0 account. For each business unit, a parent business unit can be defined to create a hierarchical structure.
Business units can be used to control access to a brand, according to demography, organizational structure, publication types, or workflow processes.
To reflect such brand separations in marketing content, following feature settings can be configured separately for each business unit:
Subscribers are stored in the parent business unit, regardless of which business unit they are imported.
To control access to subscribers from business units, subscriber filters can be created. Subscriber filters can be defined based on profile and preference attributes.
A user can be assigned to multiple business units, and the same business unit can be assigned to several users.
Users assigned to a business unit can access all data which was created in that business unit. Data can also be shared across business units, by placing items into the Shared Items folder.
Roles and permissions allow control access to Marketing Cloud features. They can be assigned to users and business units, and access is determined based on the combination of those assignments.
Roles define access to a set of Marketing Cloud features. There are a number of standard roles of common user types and additional custom roles can be created.
A user can be assigned to multiple roles, and the same role can be assigned to several users. In addition, roles can also be assigned to business units.
Permissions define access to a single Marketing Cloud feature. A permission can either allow or deny access to a feature.
Individual permissions can be defined separately for each user. This allows to override permissions granted to users via roles.
A user can be assigned to several business units and have multiple roles and permissions. The business unit itself can also have one or more roles.
Whether a user has access to a Marketing Cloud feature within a business unit therefore depends on the combination of the following settings:
A user has access to a feature in a business unit, if any of those settings define allow access to the feature. However, if some settings allow access and others deny access, then the deny access overrules the allow access.
For example, a user has a role that allows access to export reports, but the business unit has a role which denies this access, then the user will not be able to export reports in that business unit. The user might however be able to export reports in another business unit.
Several security settings can be configured to implement additional security measures in Marketing Cloud. In Enterprise 2.0 accounts, some of those settings can be configured at either enterprise or business unit level.
The session settings allow to set the time after which users need to re-authenticate to Marketing Cloud. Furthermore, HTTPS can be enforced to encrypt all browser traffic between the user and Marketing Cloud. The clickjacking protection setting prevents Marketing Cloud from loading pages from untrusted domains, which could result unauthorized access to confidential information.
Usernames and logins to Marketing Cloud can be controlled with multiple security settings.
The minimum length for usernames can be defined, and whether users can grant Salesforce support login access to Marketing Cloud.
Furthermore, the time after which users need to login again can be set, as well as after how many invalid logins they are locked out.
Logins to Marketing Cloud can also be restricted to certain IP addresses. A Login IP Whitelist can be created with specific IP addresses or IP ranges. In Enterprise 2.0 accounts, this list can either be defined at enterprise or business unit level.
Identity verification can be enabled to send a verification code to users when logging in from an unknown browser or outside the Login IP Whitelist. The lifetime of this verification can be configured, as well as the time after which a browser needs re-verification. In Enterprise 2.0 accounts, different verification settings can be configured at enterprise and business unit level.
API authentication to Marketing Cloud can be restricted to OAuth Access Token by disabling the Username and Password for Web Services setting.
Several settings allow to define password requirements for Marketing Cloud user accounts.
The minimum length and password complexity can be defined, as well as when passwords need to be changed, and after how many changes passwords can be reused. API and FTP users can be excepted from password expirations, to avoid breaking integrations.
To detect unauthorized changes, an email notification can be enabled to notify users when their password has been changed.
Marketing Cloud data exports such as subscribers, tracking data, or tracking reports can be delivered via email. To control who can receive such exports, the Enforce Export Email Whitelist setting can be enabled.
This allows to create an Export Email Whitelist List with email addresses or domains. Only email addresses matching this list can then be used in exports. In Enterprise 2.0 accounts, this list can either be define at enterprise or business unit level.
The Connection Security settings allows to block certain types connections to Marketing Cloud, such as TLS 1.0. Those settings can also be enforced by Salesforce for security reasons.
To log user activities such as logins or changes in security, roles, or permissions settings, the Audit Trail Data Collection setting can be enabled.
Logging data recorded with this feature can be exported from Marketing Cloud to a SFTP location using an Audit Trail Data Extract activity in Automation Studio. Alternatively, logging data can also be retrieved via the Marketing Cloud REST API.
Salesforce recommends following security configuration for Marketing Cloud accounts.
|Session Timeout||20 minutes|
|Login Expires After Inactivity||90 days or less|
|Invalid Logins Before Lockout||3|
|Count Invalid Logins Across Sessions||Yes|
|Minimum Username Length||8 characters|
|Minimum Password Length||8 characters or more|
|Enforce Password History||8 passwords remembered|
|User Passwords Expire In||90 days|
|Send Password Change Confirmation Email||Enable|
|Enforce Export Email Whitelist||Enable|
|Enable Audit Logging Data Collection||Enable|