The following example policies describe typical policy structures that manage:
a subsidiary or subvendor
employee security clearance levels that dictate access to data
project-centered, cross functional teams that demands role-based policies
In these scenarios, we specify the database permissions in a separate table because database permissions are assigned at the user level, not the policy level in TD Console. TD Console Legacy refers to accounts with no Advanced Permissions enabled.
- Scenario 1 Vendor Lead Marketing Campaigns
- Scenario 2 Separate Marketing Analyst Work
- Scenario 3 Upgrading from the Standard Permissions Set
Your company works with a vendor and the vendor is responsible for the marketing campaigns in a specific region. You want the vendor to view a specific master segment (a collection of user profiles based on a physical region) and work with full access to segments that are applicable to the specific region. The company manages multiple master segments with each region having its own master segment. In this scenario, we are dealing with just one region.
The team does not work with databases or workflows.
One policy.
User role:
- Vendor - access to all segments within a specified master segment
User personas:
- Jorge, Christian, Kerry, Zach and Dominique are all Marketing Analyst. Permissions: View to only a specific marketing segment,
Region 1. Full control to specified segment folders
Within the specific master segments, the vendor has full access including, to create, modify, and delete all segment folders and segments in the specified master segment.
The vendor can view profiles and can use the predictive scoring and create profile APIs to feed data back into the segment.
Workflow is not enabled for this scenario and database activity is not applicable.
Policies and Permissions configuration for Scenario 1:
| Policy Name | Workflow | All Master Segments in Data Workbench view | Audience Studio: Master Segment | Audience Studio: Specific Folders Segments | Policy Applied To: |
|---|---|---|---|---|---|
| WeCanCompany Region 1 Segment Access | Do not select any permission | Do not select any permission | Select Limited Access and select Region 1 master segment from the drop-down list of master segments; select View permission for master segment config and select View and Full Control for All Folders | n/a By selecting All Folder, you don't need to drill down to specify further permissions | Jorge Christian Kerry Zach Dominique |
Database access for WeCan Company
| User Name | Database Name | Level |
|---|---|---|
| Each user in WeCan Company | n/a | n/a |
You want to separate marketing analyst work areas by policies and permissions and apply additional restrictions to the new analyst. The account includes two master segments.
Four policies. Two policies for each master segment. Within each master segment, one policy is for regular users and a second policy is for new employees.
The team does not work with databases or workflows.
User roles:
Regular Marketing Analyst - a view of all master segments, full access to a specific master segment, and full access to all folders in the specific segment folders.
New Marketing Analyst - no view of any master segments in data workbench; access to a specific master segment, and a mix of access to specified segment folders
User personas:
George, Silas, Reba: Regular Marketing Analyst - full control to master segment
Retailand full access to specified segment folders:current,churn,trendKarin, Hoaxing, Rupa: Regular Marketing Analyst - full control to master segment
Commercialand full access to specified segment folders:current,churn,trendNicki, Ted: New Marketing Analyst - Access to the master segment
Retail; full access to the segment foldercurrentand view only to segment folders:churnandtrendLaura, Paul, Gina, Derek: New Marketing Analyst - Access to master segment
Commercial; full access to the segment foldercurrentand view only to segment folders:churnandtrend
Regular marketing analyst can view the behaviors and attribute specifications for all master segments. Access to Audience Studio is limited to their specified master segment (either Retailor Commercial).
Within their master segment, they can view and act upon all features of Audience Studio, including, profiles, segment folders, predictive scoring, and API tokens. They create, delete, and modify all segment folders in the specified master segment (named current, churn, and trend), each folder contains multiple subfolders and the subfolders contain multiple segments. Hence, regular marketing analysts can view, analyze and activate segments.
New employees are assigned view access to specific segment folders (churn and trend). The intent is for new employees to monitor and report on segment data.
Workflow is not enabled for this scenario and database activity is not applicable.
Policies and Permissions configuration for Scenario 2:
| Policy Name | Workflow | All Master Segments in Data Workbench view | Audience Studio: Master Segment | Audience Studio: Specific Folders Segments | Policy Applied To: |
|---|---|---|---|---|---|
Retail Regular Analyst | Do not select any permission | View | Select Limited Access and select Retail master segment; select View and Full Control permission for master segment config and in All Segment Folders: select View and Full Control | n/a | George Silas Reba |
Retail New Analyst Access | Do not select any permission | Do not select any permission | Select Limited Access and select Retail master segment; for master segment config do not select any permission. In All Segment Folders: Do not select any permission | Folders and Segments: Select View for segments: churn and trend | Nicki Ted |
Commercial Regular Analyst | Do not select any permission | View | Select Limited Access and select Commercial master segment; select View and Full Control permission for master segment config and in All Segment Folders: select View and Full Control | n/a | Karen Hoa Rupa |
Commercial New Analyst Access | Do not select any permission | Do not select any permission | Select Limited Access and select Commercial master segment; for master segment config do not select any permission. In All Segment Folders: Do not select any permission | Folders and Segments: Select View for segments: churn and trend | Laura Paul Gina Derek |
Database access for Retail
| User Name | Database Name | Level |
|---|---|---|
| Each marketing analyst | n/a | n/a |
You currently use Treasure Data and have standard permission set. You are now adding the policies feature and have more variances in how permission must be set for users. This scenario focuses on the gaming group.
Current user roles:
Manager (CMO) - periodically checks master segment and segment data; guides data initiatives and campaigns
Data Engineers - work on data ingestion and extract-transform-load, and perform some data cleansing. Require access to databases (full access or import only), workflows for ingesting (view, edit, run). Data Engineer is the only role who works with workflows.
Data Analysts - review data across different sets, clean data by using job queries, create master segments. Merge data or create new dns (domain name system) databases, and view database access to all other databases. Require full access to master segments in data workbench.
Marketing Analysts - review master segments, create segments and subsegments and prepare segments for activation. Requires full access to only specific master segments. Must have full access to segments within their specified master segment.
Establish policies. Distinguish employees from contractors.
Four policies for the Gaming group. Plus a policy for the Chief Marketing Officer (CMO) of the company.
User roles:
Marketing management (CMO and executive team) - full access to all master segments in data workbench, full audience studio access
Data Engineer Gaming Group - full access to specific dbs; full access to workflow. No access to audience studio.
Data Analyst Gaming Group - a variety of database permissions, which is OK because database permissions are specified at the user permissions (not policy) level. View only to workflow and full access to data workbench master segments. Limited access to Audience Studio, with access to only Gaming segments. Data Analyst don't create or activate segments.
Marketing Analyst Gaming Group - view to all master segments. Requires full access to only specific master segments but within the specific segments, full control with full permission to create segments and subsegments and prepare segments for activation.
Consultant Marketing Analyst - full access to a specific master segment, and full access to all folders in the specific segment folders.
User personas:
Kelly: Manager (CMO) - full access to all master segments, including
Gaming. Also has full access in Audience Studio. Cam: Director of GamingCathy, Steve, Eke: Data Engineer - full access to specific dbs:
us_customers,us_support, andus_marketing; full access to workflow. No access to audience studio.Josh: Data Analyst - database query permission:
us_customers,us_support, andus_marketing; view only to workflow and full access to data workbench master segments and can look at Gaming segments in Audience StudioAugust, Gina: Marketing Analyst - limited access to data workbench master segments, with full access to the master segment
US-West, and view access to all other master segments such as:US-Central, US-East, Asia-East, Europe-West). Full access to segments in US West as well.Petra: Consultant Marketing Analyst - Limited access to master segments in data workbench with only full access to
US-Westmaster segment specified. Full access to theCaliforniasegment folder. And view access to the other folders inUS-Westmaster segment (Oregon,Arizona)
The marketing analysts can view profiles and can use the predictive scoring and create profile APIs to feed data back into the segments that they have permission to access. In other words, the vendor can view, analyze and activate segment
Workflow is enabled for two policies in this scenario: Data Engineer - full access and Marketing Analyst - view only.
The data analyst and marketing analyst are also given permission by other users to access databases.
Policies and Permissions configuration for Scenario 3:
| Policy Name | Workflow | All Master Segments in Data Workbench view | Audience Studio: Master Segment | Audience Studio: Specific Folders Segments | Policy Applied To: |
|---|---|---|---|---|---|
| Full Access Executive Office | Do not select any permission | Full Access | Full Access | n/a | Kelly Cam |
| Data Engineers | View Run User-defined Edit User-Defined | Do not select any permission | Do not select any permission | n/a | Cathy Steve Eke |
| Data Analysts | View | Full Access | Select Limited Access and select Gaming US-West master segment; in All Segment Folders: select View | n/a | Josh |
| Marketing Analysts | Do not select any permission | View | Select Limited Access and select Gaming US-West master segment; in All Segment Folders: select View and Full ControlSelect US-Central master segment; in All Segment Folders: select ViewSelect US-East master segment; in All Segment Folders: select ViewSelect Asia-East master segment; in All Segment Folders: select ViewSelect Europe-West segment; in All Segment Folders: select View | n/a | August Gina |
| Consultant: Marketing Analyst | Do not select any permission | Do not select any permissions | Select Limited Access and select Gaming US-West master segment; in All Segment Folders: select ViewThen click to edit US-West master segment and select - California, Arizona and Oregon segment folders | For each segment folder, specify the permissions:California - View, Full ControlArizona - ViewOregon - View | Petra |
Database access for Scenario 3
| User Name | Database Name | Level |
|---|---|---|
| Each marketing analyst: Cathy, Steve, Eke | us_customersus_supportus_marketing | full access |
| Consultant marketing analyst: Josh | us_customersus_supportus_marketing | query access |