User access management from Campaign Standard to Campaign v8
Both Adobe Campaign Standard and Adobe Campaign v8 enable users to define and manage permissions for different users/operators. These permissions consist of specific rights that grant users access to various features of the product. However, the two products use distinct approaches and implementations for managing user access.
The following concepts are used in Adobe Campaign Standard and Campaign v8 to achieve user access management:
| Campaign Standard | Campaign v8 |
|---|---|
| User | Operator |
| Role | Named Right |
| Security Group | Operator Group |
| Organizational unit | Folder Permission |
Migration approach from Security group to Operator group
IMPORTANTThe table below outlines the migration approach for user role groups when transitioning from Adobe Campaign Standard to Campaign v8. In Campaign Standard, a Security group, referred to as an Operator group in Campaign v8, is used to assign a set of roles to a user. While some security groups/operator groups are available out-of-the-box, users can create new groups or modify existing ones if needed.
| Campaign Standard | Campaign v8 | |
|---|---|---|
| Terminology | Security Group | Operator Group |
In both Adobe Campaign Standard and Campaign v8, Security groups and Operator groups are mapped to Product profiles in the Admin console. If you want to assign a Security group or Operator group to a user, you can link the corresponding Product profile in the Admin console. This association is synchronized when the user logs in. Learn more about Product profile
| Campaign Standard Security group | Campaign v8 Operator group |
|---|---|
| Administrators | Administrators |
| Delivery supervisors | Administrators |
| Workflow supervisors | Workflow supervisors |
Migration approach from User roles to Named rights
IMPORTANTIn Adobe Campaign Standard, the term User role is referred to as Named right in Campaign v8. The table below outlines the terminology used for Named rights in Campaign v8 corresponding to User roles in Campaign Standard.
| Campaign Standard User role | Campaign v8 Named right | Description |
|---|---|---|
| Administration | Administration | User with the Administration right has full access to the instance. |
| Data Model | Administration | Right to run publications and create custom resources. Schema creation related functionality available to Admin in Campaign v8. |
| Deliverability | Administration | Right to approve previously analyzed deliveries. |
| Export | Export | Right to export data. |
| File Access | Files Access | Right to approve previously analyzed deliveries. |
| Generic import | Import | Right for generic data import |
| Prepare deliveries | Prepare deliveries | Right to create, modify, prepare and delete deliveries. |
| SQL Script Execution | SQL Script Execution | Right to execute any SQL command directly on the database. |
| Start deliveries | Start deliveries | Right to approve previously analyzed deliveries. |
| System Command Execution | Program Execution | Right to execute system commands on the server. |
| Workflow | Workflow | Right to manage the execution of workflows start, stop, pause etc. |
Migration approach from Organizational unit
IMPORTANTUsers in multiple security groups are assigned the organizational unit of the highest-ranking security group. If multiple groups have parallel top-level units, the system selects the organizational unit for the user in Campaign Standard and the user would only have access to the system selected organizational unit and its children. In Campaign v8 after migration, the user would have access to all the assigned organizational units and their children, potentially escalating privileges. To prevent this, avoid assigning users to security groups with parallel organizational units. Learn more about parallel organizational unit assignment.
In Adobe Campaign Standard, the Organization unit is mapped to the existing Folder hierarchy model in Campaign v8 to maintain similar access control. Learn more about folder management
| Campaign Standard | Campaign v8 | |
|---|---|---|
| Terminology | Organizational unit | Folder |
About parallel organizational unit assignment
A parallel organizational unit assignment occurs when a user has access to multiple units (assigned via security groups) that exist in separate branches of the hierarchy without having access to a common parent org unit. This creates a security risk during migration.
For example, consider the following organizational unit hierarchy:
An assignment without parallel organizational units would look like:
Here, the user has access to organizational units A, A1, and A2-1, all connected under the parent org unit A. The user can access everything under A.
The following assignment contains parallel organizational units:
The user has access to A1-1, A2 and A2-1, which exist in separate branches with no common assigned parent.
Security implications
- In Campaign Standard, the system selects one top level organizational unit (either A1-1 or A2) for the user, limiting access to just that unit and its children.
- After migration to Campaign V8, the user gains access to resources in all the assigned organizational units and their children.
Resolution
Parallel organizational unit assignment can be resolved by ensuring all organizational units assigned to a user fall under a single, common parent unit that is also assigned to the user.
Some ways to achieve this are mentioned below:
- Remove access to multiple branches: Revoke access to multiple parallel branches and ensure all access is under a single parent.
- Assign a common parent: Grant access to an appropriate common parent org unit that includes all needed access points.
- Restructure the hierarchy: Modify the org unit structure to place all needed access under a single branch.
For the example above where a user has access to A1-1, A2, and A2-1, specific resolutions steps are:
-
Remove access to multiple branches:
- Revoke access to A1-1, leaving only access to A2 (which includes A2-1), or
- Revoke access to A2 and A2-1, leaving only access to A1-1
-
Assign a common parent:
- Grant access to org unit A, which is the common parent of both A1-1 and A2, or
- Grant access to All, which covers the entire hierarchy
-
Restructure the hierarchy:
- Move A1-1 under A2, or
- Move A2 and A2-1 under A1-1
Migration approach from Program
In Campaign v8, Programs are represented as Folders. Campaign v8 enables the creation of folders and allows restricting access to them.
By using Groups and Named rights, Operators can be granted access to specific Folders within the navigation hierarchy, with the ability to assign read, write, and delete permissions. Learn more about folder management
Since a Program is treated as a Folder in Campaign v8, its access can be managed in the same way as any other folder. After migration, Campaign Standard administrators can follow these steps:
-
From the explorer, right-click on any folder and select Properties….
-
Navigate to the Security tab.
-
Modify the operator group permissions as per the desired access model.
Product profile mapping to access REST APIs
To access transactional APIs from the execution instance in Campaign v8, a new Product profile is required, in addition to the Administrator and Message Center product profiles. This new Product profile will be added to existing or pre-created technical accounts in Campaign Standard.
After migration, Campaign Standard users should review their Product Profile mappings and assign the appropriate Product Profile if they do not wish to link their Technical accounts to the Administrator Product Profile. For future integrations, we recommend using the Campaign v8 Tenant ID in the REST URL instead of the previous Campaign Standard Tenant ID.
