User permissions for tags
User permissions for tags in Adobe Experience Platform are assigned to users through Adobe Admin Console. Rather than being assigned to individual users, different sets of permissions are configured separately as product profiles. Users are then assigned to these product profiles in order to be granted the permissions they’ve been configured for.
This guide provides an overview of the different types of permissions available for tags, the functionalities they grant access to, and some basic implementation strategies for different business use cases.
Permission types
Within a product profile, permissions for tags are divided into four categories:
- Platforms
- Properties
- Property Rights
- Company Rights
Platforms
Each tag property has a platform. There are currently two platforms that you can use for tags: Web and Mobile. You can use this permission type to restrict or grant access to a particular type of property. This can be useful when the team that manages your mobile apps is different from the one that manages your websites.
Properties
By default, product profiles grant access to all properties that exist within your company, both currently and in the future. Using this permission type, you can restrict or grant access to specific existing properties by name.
Property rights property-rights
Any tag property that you create in the UI becomes available in Admin Console, allowing you to group the property with specific property rights in the same product profile.
For example, if a given product profile does not have access to Property A1, users who belong to that profile cannot see or modify any settings within Property A1.
If a user belongs to a profile that does have access to Property A1, the actions they can perform within Property A1 are determined by the rights they have been granted from this profile. If a user has permissions for Property A1 but has no assigned rights, then they have read-only access for that property.
The following table outlines the available property rights and the functionalities they grant access to:
This allows you to perform the following actions:
- Create rules and data elements
- Create libraries and build them in existing development environments
- Submit a library for approval
Most day-to-day tasks in the UI require this right.
This allows you to perform the following actions:
- Install new extensions to a property
- Modify the configuration for an already installed extension
- Delete an extension
See the extensions overview documentation for more information on extensions. This role typically belongs to IT or Marketing, depending on your organization.
Company rights
Company rights apply to permissions that span multiple properties. These are outlined in the table below:
This allows you to perform the following actions:
- Create new properties
- Modify metadata and settings at the property level
- Delete properties
Administrators usually perform this role. See the properties documentation for more information.
Total user permissions
An individual user’s total permissions are determined by their total membership in different product profiles. If a user belongs to multiple product profiles, the permissions from each profile are added together rather than multiplied.
For example, Product Profile A grants you the Develop right for Property 1. Product Profile B grants you the Publish right for Property 2. In this case, you can Develop in Property 1 and Publish in Property 2, but you cannot publish in Property 1 or Develop in Property 2 because you have not been granted explicit rights to do so.
Rights scenarios
Different companies have different needs when creating new product profiles. These needs vary based on company size, organization structure, the number of sites, the number of people involved in managing tags, and so on.
Below are a few common scenarios and a recommended starting point as you think about creating product profiles and adding users to them.
One-person show
If you run a small company that has one person in charge of everything, grant this user permissions for all properties and assign them all rights listed above.
Separation of duties
Consider a situation where many people in your organization are involved in tagging. You have one set of people (such as an external consultant) that creates rules and data elements, but you do not want them to have access to the production environment. In this case, you want to make sure that nobody deploys to Production except the IT team.
To accomplish this:
- Create an account for your consultants and grant them only the Develop right.
- The consultant builds and tests within the confines you set.
- If the consultant wants a new extension or is ready to go live, a representative from your organization (with the appropriate rights) performs those actions.
Enterprise
An enterprise company might have multiple sites divided geographically, with different teams responsible for each geo. Within those teams, different individuals develop and publish.
This is similar to “Separation of duties” above, but organized by geographic areas. For example, you can create a “Develop” profile and a “Publish” profile for North America, and create separate “Develop” and “Publish” groups for Europe.
Example roles
The following table provides some examples of the types of roles you might have in your organization and which permissions you should assign them:
- Develop
- Manage Extensions
- Manage Properties
- Develop
- Manage Extensions
-
Manage Properties
-
Manage App Configurations
- Approve
- Publish
- Manage Environments
- Develop
- Manage Properties
- Develop Extensions
- Develop
- Approve
- Publish
- Manage Extensions
- Manage Environments
- Manage Properties
Next steps
This document provided an overview of the available permissions for tags in Experience Platform. For steps on how to configure product profiles for tags in Adobe Admin Console, see the guide on managing user permissions for data collection.