Updates to Marketo Permissions

Steven_Vanderb3
Marketo Employee
Marketo Employee

We are making updates to the Marketo Engage permissions structure to offer more granular access control to your users. During these updates we will be introducing new permissions and redefining some existing permissions. While we are aiming to be as minimally disruptive as possible, these updates may require your business to update existing users and roles to avoid interruptions of tasks in some circumstances.

 

Need the TL;DR? Here's the short version:

  • We will be introducing and enforcing new permissions for creating Lists/Smart Lists, Report assets, and exporting Smart Campaign results on May 21, 2024. These permissions will be automatically given to any user that can already take these actions today. Admins can later update their permissions structures to granularly assign them to or remove them from roles.
  • We will be enforcing the need for create or edit permissions on an asset to move that asset (e.g. Create Email is needed to move an Email) on June 7, 2024.

 

Throughout May and June 2024 we will be rolling out these new changes to all Marketo Engage environments to support this new structure. Please read below to see the full details of our schedule and what you may need to change for your users.

 

New Permissions for Lists, Reports, and Campaign Export

We will be introducing new permissions for creating Lists and Smart Lists, creating Report assets, and exporting Smart Campaign results. These permissions will be automatically assigned to users who already possess the ability to take these actions today. We anticipate no impact to users during this enablement. After enablement, administrators can remove these permissions from roles if desired. Full details of these changes can be found below.

 

Create List

Behavior as of May 1, 2024

Users can create Lists and Smart Lists in Database and Marketing Activities if they were assigned the Access Database permission.

 

Behavior as of May 21, 2024

The new Create List permission will be required to create Lists and Smart List assets in Database and Marketing Activities.

 

Action Required

On May 16, 2024 we will automatically enable the Create List permission for all users that currently have the Access Database permission. On May 21, 2024 we will begin enforcing this new permission as being required to create List and Smart List assets.

There should be no interruption to existing users that can create List and Smart List assets today. Only users that can create List and Smart List assets today will receive the new Create List permission. Admins can remove this permission from roles after May 21st if needed.

 

Create Report

Behavior as of May 1, 2024

Users can create Report assets in Analytics and Marketing Activities if they were assigned the Access Analytics permission.

 

Behavior as of May 21, 2024

The new Create Report permission will be required to create Report assets in Analytics and Marketing Activities.

 

Action Required

On May 16, 2024 we will automatically enable the Create Report permission for all users that currently have the Access Analytics permission. On May 21, 2024 we will begin enforcing this new permission as being required to create Report assets.

There should be no interruption to existing users that can create Report assets today. Only users that can create Report assets today will receive the new Create Report permission. Admins can remove this permission from roles after May 21st if needed.

 

Export Campaign Activity

Behavior as of May 1, 2024

Users can export the results of Smart Campaigns if they were assigned the Edit Marketing Asset permission.

 

Behavior as of May 21, 2024

The new Export Campaign Activity permission will be required to export Smart Campaign results.

Action Required

On May 16, 2024 we will automatically enable the Export Campaign Activity  permission for all users that currently have the Edit Marketing Asset permission. On May 21, 2024 we will begin enforcing this new permission as being required to export Smart Campaign results. There should be no interruption to existing users that can create export Smart Campaign results today. Only users that can export Smart Campaign results today will receive the new Export Campaign Activity permission. Admins can remove this permission from roles after May 21st if needed.

 

Change in Permissions to move assets

Permissions to move assets around app areas are generally associated with the top level Access App Area permission for the asset. For instance, the Access Design Studio asset grants access to move Forms, Landing Pages, and Emails in Design Studio and Marketing Activities. This results in an inability to give users access to view an App Area without giving them the ability to move all of the assets in that app area.

 

Generally, users that are granted only top-level access to an app area and no edit permissions for assets are expected by their administrators to not be able to make any type of change to those assets. We anticipate very little impact to users in most use cases. However, there is some chance of disruption in tasks if a user needs to move assets in Marketo Engage but does not have edit access to that asset once this new permission structure is enforced after June 7, 2024. Please review your permission structures of your users to avoid any potential negative impact.

 

Behavior as of May 1, 2024

Permissions to move assets around app areas are generally associated with the top level Access App Area permission for the asset. For instance, the Access Design Studio asset grants access to move Forms, Landing Pages, Emails, etc. This results in an inability to give users access to view an App Area without giving them the ability to move all the child assets.

 

Behavior as of June 7, 2024 (June 4, 2024 for LON/NLD datacenters)

The permission to move an asset will be tied to Edit permissions for that asset. For instance:

  • Moving an Email asset will require the Edit Email permission
  • Moving a Smart Campaign asset will require the Edit Marketing Asset permission
  • Moving a Report asset will require the Create Report permission
  • Moving a Smart List asset will require the Create List Asset

 

Action Needed

On June we will enforce the requirement to have create or edit permissions for an asset in order to be able to move the asset throughout Marketo Engage. If a user performs tasks that requires them to move assets around Marketo Engage then an administrator should assign them a relevant create or edit permission for that asset before June.

 

Questions?

We anticipate  minimal impact to the access of users as this change rolls out and users can revoke the new permissions as needed after enablement. If you have questions or concerns, please leave them in the comments for Product Management to help with.

15120
3
3 Comments
Dave_Roberts
Level 10

This is great, keep it coming! We get caught in the security/IT circus too often with clients trying to work around layers of permissions and having this kind of thing be more granular in Marketo should help us to navigate some of those choppy waters. Thanks again and keep cranking out the hits! 🙌

Josh
Level 4 - Champion

@Steven_Vanderb3 This is great stuff, the more granularity the better. thank you!

 

Are there any plans / do you see a future where we can add permission levels at the flow action level?  For example if I don't want specific roles to be able to add the "delete person", "call webhook" to a smart campaign or run one that contains these.  This would be even more valuable with the Self-Service Flow Steps where you could have functionality you want really want to limit.

Vlada_Prasolova
Level 5

thank you! 

it would be also great to have:

1. read-only access. we often get request where people just want to take a loot at marketo and you don't want to spend time expaining the basics, but fear the person might accidentally "break" something

2. view access to a certain page/asset. again, we often get asked to see a certain campaign/performance or the person is just working on 1 program type (webinars) so it's not needed to provide access for the entire section "marketing activities" where, again, we have so many things going on and so many automations set that i'm somewhat reluctant to provide access to all of it