# Policies Example Scenarios

The following example policies describe typical policy structures that manage:

* a subsidiary or subvendor
* employee security clearance levels that dictate access to data
* project-centered, cross functional teams that demands role-based policies


In these scenarios, we specify the database permissions in a separate table because database permissions are assigned at the user level, not the policy level in TD Console. TD Console Legacy refers to accounts with no Advanced Permissions enabled.

* [Scenario 1 Vendor Lead Marketing Campaigns](#scenario-1-vendor-lead-marketing-campaigns)
* [Scenario 2 Separate Marketing Analyst Work](#scenario-2-separate-marketing-analyst-work)
* [Scenario 3 Upgrading from the Standard Permissions Set](#scenario-3-upgrading-from-the-standard-permissions-set)


# Scenario 1 Vendor Lead Marketing Campaigns

Your company works with a vendor and the vendor is responsible for the marketing campaigns in a specific region. You want the vendor to view a specific master segment (a collection of user profiles based on a physical region) and work with full access to segments that are applicable to the specific region. The company manages multiple master segments with each region having its own master segment. In this scenario, we are dealing with just one region.

The team does not work with databases or workflows.

## Policy Plan

One policy.

User role:

* Vendor - access to all segments within a specified master segment


User personas:

* Jorge, Christian, Kerry, Zach and Dominique are all Marketing Analyst. Permissions: View to only a specific marketing segment, `Region 1`. Full control to specified segment folders


Within the specific master segments, the vendor has full access including, to create, modify, and delete all segment folders and segments in the specified master segment.

The vendor can view profiles and can use the predictive scoring and create profile APIs to feed data back into the segment.

Workflow is not enabled for this scenario and database activity is not applicable.

## Policy Implementation

Policies and Permissions configuration for Scenario 1:

| **Policy Name** | **Workflow** | **All Master Segments in Data Workbench view** | **Audience Studio: Master Segment** | **Audience Studio: Specific Folders Segments** | **Policy Applied To:** |
|  --- | --- | --- | --- | --- | --- |
| WeCanCompany Region 1 Segment Access | Do not select any permission | Do not select any permission | Select **Limited Access** and select Region 1 master segment from the drop-down list of master segments; select **View** permission for master segment config and select **View** and **Full Control** for All Folders | n/aBy selecting All Folder, you don't need to drill down to specify further permissions | JorgeChristianKerryZachDominique |


Database access for WeCan Company

| **User Name** | **Database Name** | **Level** |
|  --- | --- | --- |
| Each user in WeCan Company | n/a | n/a |


# Scenario 2 Separate Marketing Analyst Work

You want to separate marketing analyst work areas by policies and permissions and apply additional restrictions to the new analyst. The account includes two master segments.

## Policy Plan

Four policies. Two policies for each master segment. Within each master segment, one policy is for regular users and a second policy is for new employees.

The team does not work with databases or workflows.

User roles:

* Regular Marketing Analyst - a view of all master segments, full access to a specific master segment, and full access to all folders in the specific segment folders.
* New Marketing Analyst - no view of any master segments in data workbench; access to a specific master segment, and a mix of access to specified segment folders


User personas:

* George, Silas, Reba: Regular Marketing Analyst - full control to master segment `Retail` and full access to specified segment folders: `current`, `churn`, `trend`
* Karin, Hoaxing, Rupa: Regular Marketing Analyst - full control to master segment `Commercial` and full access to specified segment folders: `current`, `churn`, `trend`
* Nicki, Ted: New Marketing Analyst - Access to the master segment `Retail`; full access to the segment folder `current` and view only to segment folders: `churn` and `trend`
* Laura, Paul, Gina, Derek: New Marketing Analyst - Access to master segment `Commercial`; full access to the segment folder `current` and view only to segment folders: `churn` and `trend`


Regular marketing analyst can view the behaviors and attribute specifications for all master segments. Access to Audience Studio is limited to their specified master segment (either `Retail`or `Commercial`).

Within their master segment, they can view and act upon all features of Audience Studio, including, profiles, segment folders, predictive scoring, and API tokens. They create, delete, and modify all segment folders in the specified master segment (named `current`, `churn,` and `trend`), each folder contains multiple subfolders and the subfolders contain multiple segments. Hence, regular marketing analysts can view, analyze and activate segments.

New employees are assigned view access to specific segment folders (`churn` and `trend`). The intent is for new employees to monitor and report on segment data.

Workflow is not enabled for this scenario and database activity is not applicable.

## Policy Implementation

Policies and Permissions configuration for Scenario 2:

| **Policy Name** | **Workflow** | **All Master Segments in Data Workbench view** | **Audience Studio: Master Segment** | **Audience Studio: Specific Folders Segments** | **Policy Applied To:** |
|  --- | --- | --- | --- | --- | --- |
| `Retail` Regular Analyst | Do not select any permission | **View** | Select **Limited Access** and select `Retail` master segment; select **View** and **Full Control** permission for master segment config and in All Segment Folders: select **View** and **Full Control** | n/a | GeorgeSilasReba |
| `Retail` New Analyst Access | Do not select any permission | Do not select any permission | Select **Limited Access** and select `Retail` master segment; for master segment config do not select any permission. In All Segment Folders: Do not select any permission | Folders and Segments: Select **View** for segments: `churn` and `trend` | NickiTed |
| `Commercial` Regular Analyst | Do not select any permission | **View** | Select **Limited Access** and select `Commercial` master segment; select **View** and **Full Control** permission for master segment config and in All Segment Folders: select **View** and **Full Control** | n/a | KarenHoaRupa |
| `Commercial` New Analyst Access | Do not select any permission | Do not select any permission | Select **Limited Access** and select `Commercial` master segment; for master segment config do not select any permission. In All Segment Folders: Do not select any permission | Folders and Segments: Select **View** for segments: `churn` and `trend` | LauraPaulGinaDerek |


Database access for `Retail`

| **User Name** | **Database Name** | **Level** |
|  --- | --- | --- |
| Each marketing analyst | n/a | n/a |


# Scenario 3 Upgrading from the Standard Permissions Set

You currently use Treasure Data and have standard permission set. You are now adding the policies feature and have more variances in how permission must be set for users. This scenario focuses on the gaming group.

## Current Permissions Plan

Current user roles:

* Manager (CMO) - periodically checks master segment and segment data; guides data initiatives and campaigns
* Data Engineers - work on data ingestion and extract-transform-load, and perform some data cleansing. Require access to databases (full access or import only), workflows for ingesting (view, edit, run). Data Engineer is the only role who works with workflows.
* Data Analysts - review data across different sets, clean data by using job queries, create master segments. Merge data or create new dns (domain name system) databases, and view database access to all other databases. Require full access to master segments in data workbench.
* Marketing Analysts - review master segments, create segments and subsegments and prepare segments for activation. Requires full access to only specific master segments. Must have full access to segments within their specified master segment.


## Policy Plan

Establish policies. Distinguish employees from contractors.

Four policies for the Gaming group. Plus a policy for the Chief Marketing Officer (CMO) of the company.

User roles:

* Marketing management (CMO and executive team) - full access to all master segments in data workbench, full audience studio access
* Data Engineer Gaming Group - full access to specific dbs; full access to workflow. No access to audience studio.
* Data Analyst Gaming Group - a variety of database permissions, which is OK because database permissions are specified at the user permissions (not policy) level. View only to workflow and full access to data workbench master segments. Limited access to Audience Studio, with access to only Gaming segments. Data Analyst don't create or activate segments.
* Marketing Analyst Gaming Group - view to all master segments. Requires full access to only specific master segments but within the specific segments, full control with full permission to create segments and subsegments and prepare segments for activation.
* Consultant Marketing Analyst - full access to a specific master segment, and full access to all folders in the specific segment folders.


User personas:

* Kelly: Manager (CMO) - full access to all master segments, including `Gaming`. Also has full access in Audience Studio. Cam: Director of Gaming
* Cathy, Steve, Eke: Data Engineer - full access to specific dbs: `us_customers`, `us_support`, and `us_marketing`; full access to workflow. No access to audience studio.
* Josh: Data Analyst - database query permission: `us_customers`, `us_support`, and `us_marketing`; view only to workflow and full access to data workbench master segments and can look at Gaming segments in Audience Studio
* August, Gina: Marketing Analyst - limited access to data workbench master segments, with full access to the master segment `US-West`, and view access to all other master segments such as: `US-Central, US-East, Asia-East, Europe-West). Full access to segments in US West as well.`
* Petra: Consultant Marketing Analyst - Limited access to master segments in data workbench with only full access to `US-West` master segment specified. Full access to the `California`segment folder. And view access to the other folders in `US-West` master segment (`Oregon`, `Arizona`)


The marketing analysts can view profiles and can use the predictive scoring and create profile APIs to feed data back into the segments that they have permission to access. In other words, the vendor can view, analyze and activate segment

Workflow is enabled for two policies in this scenario: Data Engineer - full access and Marketing Analyst - view only.

The data analyst and marketing analyst are also given permission by other users to access databases.

## Policy Implementation

Policies and Permissions configuration for Scenario 3:

| **Policy Name** | **Workflow** | **All Master Segments in Data Workbench view** | **Audience Studio: Master Segment** | **Audience Studio: Specific Folders Segments** | **Policy Applied To:** |
|  --- | --- | --- | --- | --- | --- |
| Full Access Executive Office | Do not select any permission | **Full Access** | **Full Access** | n/a | KellyCam |
| Data Engineers | **View****Run User-defined****Edit User-Defined** | Do not select any permission | Do not select any permission | n/a | CathySteveEke |
| Data Analysts | **View** | **Full Access** | Select **Limited Access** and select Gaming `US-West` master segment; in All Segment Folders: select **View** | n/a | Josh |
| Marketing Analysts | Do not select any permission | **View** | Select **Limited Access** and select Gaming `US-West` master segment; in All Segment Folders: select **View** and **Full Control**Select `US-Central` master segment; in All Segment Folders: select **View**Select `US-East` master segment; in All Segment Folders: select **View**Select `Asia-East` master segment; in All Segment Folders: select **View**Select `Europe-West` segment; in All Segment Folders: select **View** | n/a | AugustGina |
| Consultant: Marketing Analyst | Do not select any permission | Do not select any permissions | Select **Limited Access** and select Gaming `US-West` master segment; in All Segment Folders: select **View**Then click to edit `US-West` master segment and select - `California`, `Arizona` and `Oregon` segment folders | For each segment folder, specify the permissions:`California` - **View**, **Full Control**`Arizona` - **View**`Oregon` - **View** | Petra |


Database access for Scenario 3

| **User Name** | **Database Name** | **Level** |
|  --- | --- | --- |
| Each marketing analyst: Cathy, Steve, Eke | us_customersus_supportus_marketing | **full access** |
| Consultant marketing analyst: Josh | us_customersus_supportus_marketing | **query access** |