Hi All,

I recently inherited a marketo database and am new to administrating the platform in general. I come from a salesforce background and have been spoiled at having the ability to look up what each permission does and exactly what it controls. I've searched out there for something similar with marketo and haven't had a whole lot of luck finding a consolidated document that describes the roles well. I have tried compiling my own and there were a few things I didn't know, but if there is an expert out there, can you take a glance at this and let me know if I've misunderstood any of the permissions?

Thank you!

Kelly

  1. Access Admin
    1. Access Admin: Ability to click on ‘Admin’ in the upper right corner of Marketo. Also allows user to see Admin | My Account.
    2. Access Channels: Ability to see and manage Admin | Tags | New Channels or Tag Actions. Note this only applies to channel type tags.
    3. Access Communication Limit: Ability to see and manage Admin | Communication Limits.
    4. Access CRM: Ability to see and manage Admin | Database Management | Salesforce Objects Sync and Admin | Integration | Salesforce.
    5. Access Data.com: no current subscription, assuming this assists in downloading leads from data.com
    6. Access Email Admin: Ability to see and manage Admin | Email.
    7. Access Event Partners: Ability to see and manage Admin | Integration | LaunchPoint.
    8. Access Field Management: Ability to see and manage Admin | Database Management | Field Management.
    9. Access File Upload: not sure what this does
    10. Access Landing Pages: Ability to see and manage Admin | Integration | Landing Pages.
    11. Access Location: Ability to see and manage Admin | Location.
    12. Access Login Settings: Ability to see and manage Admin | Security | Login Settings.
    13. Access MK Denial: no current subscription - not sure what this is
    14. Access Munchkin: Ability to see and manage Admin | Integration | Munchkin
    15. Access Revenue Cycle Analytics: Ability to see and manage Admin | Revenue Cycle Analytics.
    16. Access Roles: Ability to see and manage Admin | Security | Users & Roles | Roles.
    17. Access Sales Insight: Ability to see and manage Admin | Integration | Sales Insight.
    18. Access Single Sign-on: Ability to see and manage Admin | Single Sign-On.
    19. Access Smart Campaign: Ability to see and manage Admin | Smart Campaign.
    20. Access SOAP API: Ability to see and manage Admin | Integration | Web Services.
    21. Access Tags: Ability to see and manage Admin | Tags | New or Tag Actions. Note this only applies to non-channel tags.
    22. Access Treasure Chest: Ability to see and manage Admin | Treasure Chest.
    23. Access Users: Ability to see and manage Admin | Security | Users & Roles | Users.
    24. Access Webhook: Ability to see and manage Admin | Integration | Webhooks.
    25. Access Workspaces and Partitions: Ability to see and manage Admin | Security | Workspaces & Partitions


Marketo Custom Objects: only granted to the standard Admin role.

  1. Access Analytics
    1. Access Analytics: Ability to access the Analytics module. Includes the ability to see all reports, create new reports, and modify existing reports. Can create new folders and archive content.
    2. Access Revenue Explorer: Grants full access to the Revenue Explorer module. (Includes export from Revenue Explorer).
    3. Delete Report: Ability to delete existing reports in the Analytics module.
    4. Export Analytics Data: Ability to export reports to Excel in the Analytics module.
  2. Access Calendar Presentations - Requires a Marketing Calendar License
    1. Access Calendar Presentations: Ability to access the Calendar module and view the details of calendar events. Can view Calendar Presentations. Can create new Calendar Presentations
    2. Edit Calendar Presentations: getting odd behavior, would assume additional permissions required for this to work correctly
  3. Access Design Studio
    1. Access Design Studio: allows access to the design studio tab and to view the tree. This access alone does not allow the users to see the details of the asset.
    2. Access Email
      • Access Email: allows the user to view the details of the email.
      • Approve Email: allows the user to approve the email.
      • Delete Email: allows the user to delete an email.
      • Edit Email: allows the user to create an email and update an existing email.
    3. Access Email Template
      • Access Email Template: allows the user to view the details of an email template and use it.
      • Approve Email Template: allows the user to approve the email template.
      • Delete Email Template: allows the user to delete an email template
      • Edit Email Template: allows the user to create an email template and update an existing email template.
    4. Access Form
      • Access Form: allows the user to view the details of a form.
      • Delete Form: allows the user to delete a form.
      • Edit Form: allows the user to create and update an existing form.
    5. Access Image
      • Access Image: allows the user to view the details of an image or file.
      • Delete Image: allows the user to delete an image or file.
      • Upload Image: allows the user to upload an image, including overwriting existing ones.
    6. Access Landing Page
      • Access Landing Page: allows the user to view the details of a landing page.
      • Approve Landing Page: allows the user to approve a landing page.
      • Delete Landing Page: allows the user to delete a landing page.
      • Edit Landing Page: allows the user to create and edit a landing page.
    7. Access Landing Page Template
      • Access Landing Page Template: allows the user to view the details and use a landing page template.
      • Approve Landing Page Template: allows the user to approve a landing page template.
      • Delete Landing Page Template: allows the user to delete a landing page template.
      • Edit Landing Page Template: allows the user to edit a landing page template.
    8. Access Snippet: snippets are reusable blocks of rich text and graphics that can be used in emails and landing pages.
      • Access Snippet: allows the user to view the details of a snippet and use it.
      • Approve Snippet: allows the user to approve a snippet.
      • Delete Snippet: allows the user to delete a snippet.
      • Edit Snippet: allows the user to create and edit a snippet.
    9. Access Social App: these are typically accessed under Marketing activities and not design studio.
      • Access Social App: allows the user to view the details of social buttons and use them.
      • Approve Social App: allows the user to approve social apps/buttons.
      • Delete Social App: allows the user to delete social apps/buttons.
      • Edit Social App: allows the user to edit social apps/buttons.
  4. Access Lead Database
    1. Access Lead Database: grants access to the Lead Database module
    2. Access Segmentation
      • Access Segmentation: grants the user access to view the details of a segment and use them.
      • Approve Segmentation: allows the user to approve a segment.
      • Delete Segmentation: allows the user to delete a segment.
      • Edit Segmentation: allows the user to create or edit a segment.
    3. Advanced List Import:
    4. Delete Lead: allows the user to be able to delete a lead record from the Lead Actions list.
    5. Delete List: allows the user to be able to delete a list (static or smart).
    6. Edit Lead: allows the user to be able to edit a lead record by double clicking on a lead. Also allows the user to be able to add to other programs.
    7. Export Lead: allows the user to be able to export a list of leads from marketo.
    8. Import Custom Object: if there are custom objects in marketo, this allows the user to be able to import the data for custom objects.
    9. Import List: allows the user to import data into marketo via right click on group list | Import List.
    10. Merge Leads: allows the user to be able to merge lead records from the Lead Actions list.
    11. Run Single Flow Actions: extends the edit lead functionality by allowing access to single flow actions that can sync with salesforce.
    12. View Opportunity Data: allows the user to see the opportunity tab when viewing a lead record.
  5. Access Marketing Activities
    1. Access Marketing Activities: grants access to the Marketing Activities module. Requires additional access from the design studio to view the design assets. Requires additional access from the lead database to view smart lists and results.
    2. Access Push Notification: requires a webhook to a 3rd party that uses SMS distribution. Once that’s been established then push notifications can be accessed.
      • Approve Push Notification: allows a user to approve a push notification.
      • Delete Push Notification: allows the user to delete a push notification.
      • Edit Push Notification: allows the user to create and edit a push notification.
    3. Access Awards: not sure what this is, possibly requires a subscription
    4. Activate Trigger Campaign: allows the user to activate a triggered campaign.
    5. Approve Email Program: allows the user to approve an email program.
    6. Clone Marketing Asset: allows the user to clone a marketing asset.
    7. Delete Marketing Asset: allows the user to delete an individual marketing asset.
    8. Edit Marketing Asset: allows the user to create and edit a marketing asset (think programs).
    9. Import Program: allows the user to mass clone all assets under a program to create a new one.
    10. List Import: allows the user to create a new list and import members into it.
    11. Schedule Batch Campaign: allows the user to schedule and run a batch campaign.
  6. Access SEO: need to review this more, not sure of all of the differences between the two dashboards.
    1. Access SEO: grants access to the SEO module. Requires one of the following two permissions in addition.
    2. Administer SEO: grants admin access to the SEO Dashboard.
    3. Standard SEO: grants read-only access the SEO Dashboard.
  7. Workspace Administration – requires a subscription to workspaces & partitions
    1. Workspace Administration – cannot confirm, could be that it grants the user access to all workspaces
    2. Move Assets Between Workspaces – if a subscription is active, allows the user to move assets from one workspace to another.
  8. Access Mobile Application
    1. Access Mobile Application – grants the user to two mobile apps: Event Check-in and Marketo Moments

Hi Kelly,

First off, thanks for taking the initiative to share this! I feel like Marketo's own documentation is a little weak in this respect, since it only lists permissions without explaining what those permissions actually control. To answer a few of your questions:

1e/1m. For whatever reason, Marketo has the permissions for data.com and MKDenial​ defined even on instances that do not subscribe to either service.

1i. I believe this specifically refers to the ability to upload files other than images in Design Studio, but would love clarification from Marketo.

7a. This specifically refers to the ability to create and administer workspaces themselves; granting a user access to workspaces is actually done when assigning individual users roles (since you may want someone to be an admin of one workspace, but have less permissions on another, for instance.)

Also, throwing this one out there: what is "Access/Administer Vespa"?


I completely realized I posted this under my test user's account and not my own. *sigh* Is there anyway to change the ownership of the thread? If not, no worries.


Wow, this is a great summary!  While I haven't verified every role to be correct, I would highly encourage the Marketo documentation/education team to add this to product docs.


Hi Frank Passantino​,

Might be interesting to you

-Greg


Hi:

Thanks for publishing this!  As a word of warning: I was recently told by Support that certain rights are not entirely dependent on that check box in the role.  For instance, if you have a user you would like to manage communication limits and the global footer, they need to be the default Admin, despite checking that box when creating a custom role.  I would really like to see an easier way to manage access in the application.  I have users I want to empower for every Marketing-related functionality, but, because we are fully integrated with several other databases within our company, I need to keep tight restraints on mass edits to the database, field creation/additions, etc.  This is the first application I worked with that makes administration this murky.

I haven't run full tests on each of the admin functions you outlined, but I know communication limits and the footer are dependent on the user having full admin rights.  Channel Tags are not; you can give a user access to these without granting full admin privileges. 


Noted. Thank you for mentioning that.


Hi Kelly,

Thank you for documenting all of this!  Quick question..

  1. Clone Marketing Asset: allows the user to clone a marketing asset.

Does this permission encompass cloning entire programs?  I'm researching the possibility of allowing an international user who works in one work space the ability to clone programs from the US work space.


Yes, Anna, when cloning a Program, it will clone all assets/items underneath.

The ability to Clone items under Marketing Activities encompasses this as well.


Sharing a document page I came across today, as I'm researching what permissions/access each role has. Looks like you got the list covered!

Descriptions of Role Permissions - Marketo Docs - Product Docs

  • Access Admin - view and make changes to settings in the Admin section.
    • Access Audit Trail
    • Access Channels - access only to modify the Channel tag, not other custom tags
    • Access Communication Limit
    • Access CRM
    • Access Data.com
    • Access Email Admin
    • Access Event Partners
    • Access Field Management
    • Access File Upload
    • Access Landing Pages
    • Access Location
    • Access Login Settings
    • Access Marketo Custom Activity
    • Access Marketo Custom Object
    • Access MK Denial
    • Access Munchkin
    • Access Revenue Cycle Analytics
    • Access Roles - access to manage and edit roles, but not users
    • Access Sales Insight
    • Access Single Sign-on
    • Access Smart Campaign
    • Access SOAP API
    • Access Tags - access to all custom tags except the Channel tag
    • Access Treasure Chest
    • Access Users - access to edit and manage users, but not roles
    • Access Webhooks
    • Access Workspaces and Partitions

  • Access API
    • Approve Assets
    • Execute Campaign
    • Read-Only Activity
    • Read-Only Activity Metadata
    • Read-Only Assets
    • Read-Only Campaign
    • Read-Only Company
    • Read-Only Custom Object
    • Read-Only Lead
    • Read-Only Opportunity
    • Read-Only Sales Person
    • Read-Write Activity
    • Read-Write Activity Metadata
    • Read-Write Assets
    • Read-Write Campaign
    • Read-Write Company
    • Read-Write Custom Object
    • Read-Write Lead
    • Read-Write Opportunity
    • Read-Write Sales Person

  • Access Analytics - see the Analytics tabs, view and edit reports
    • Access Revenue Explorer
    • Delete Report
    • Export Analytics Data
  • Access Calendar Presentations
    • Edit Calendar Presentations

  • Access Design Studio - see the Design Studio tab
    • Access Email - view Emails
      • Edit Email - edit, create, and clone emails
        • Make Email Operational
      • Approve Email
      • Delete Email
      • Set Branded Domain
    • Access Email Template - view Email Templates
      • Approve Email Template
      • Delete Email Template
      • Edit Email Template - edit, create, and clone email templates
    • Access Form - view Forms
      • Delete Form
      • Edit Form - edit, create, and clone forms
    • Access Image - view Images
      • Delete Image
      • Upload Image
    • Access Landing Page - view Landing Pages
      • Approve Landing Page
      • Delete Landing Page
      • Edit Landing Page - edit, create, and clone landing pages
    • Access Landing Page Template - view Landing Page Templates
      • Approve Landing Page Template
      • Delete Landing Page Template
      • Edit Landing Page Template - edit, create, and clone landing page templates
    • Access Snippet - view Snippets
      • Approve Snippet
      • Delete Snippet
      • Edit Snippet
    • Access Social App - view Social App
      • Approve Social App
      • Delete Social App
      • Edit Social App

  • Access Lead Database - view the Lead Database, view and edit Smart Lists and static lists
    • Access Segmentation
      • Approve Segmentation
      • Delete Segmentation
      • Edit Segmentation
    • Advanced List Import
    • Delete Lead
    • Delete List
    • Edit Lead - prevents manual editing and running single flow actions. You can still edit leads by running campaigns against them
    • Export Lead - export spreadsheets with from your Lead Database lists
    • Import Custom Object
    • Import List
    • Merge Leads
    • Run Single Flow Actions - Enable users to run 'Change Data Value' action on Leads from the Lead Database
    • View Opportunity Data - hides the opportunity info on the lead detail page

  • Access Marketing Activities - view the Marketing Activities tab, campaigns, and campaign folders
    • Access SMS Message
      • Approve SMS Message
      • Delete SMS Message
      • Edit SMS Message
    • Access Push Notification
      • Approve Push Notification
      • Delete Push Notification
      • Edit Push Notification
    • Access Awards
    • Activate Trigger Campaign
    • Approve Email Program
    • Clone Marketing Asset
    • Delete Marketing Asset
    • Edit Campaign Restrictions
    • Edit Marketing Asset
    • Import Program
    • List Import
    • Schedule Batch Campaign

  • Access SEO
    • Administer SEO
    • Standard SEO

  • Targeting and Personalization
    • Administer Web Personalization
    • CRE Campaign Editor
    • CRE Campaign Launcher
    • Web Campaign Editor
    • Web Campaign Launcher

  • Workspace Administration - Admin access for a specific Workspace (only if you have Workspaces enabled)
    • Move Assets between Workspaces - (only if you have Workspaces enabled)

  • Access Mobile Application

This document was generated from the following discussion: