Documentation Experience Platform Access Control Guide

Use access labels to manage user access to destination dataflows

Last update: Tue Feb 18 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

Topics:
Access Control

CREATED FOR:

Developer
Admin
User

As part of the attribute-based access control functionality in Real-Time CDP, you can now apply access labels to destination dataflows. This way, you can ensure that only a subset of users in your organization get access to specific destination dataflows.

When you add an access label to a particular destination, only users who have access to a role which has that label assigned are able to see and edit that destination dataflow. If a destination dataflow is not marked with any labels, it is visible to all users belonging to your organization.

Read this page to understand sample use cases, prerequisites before you can apply access labels to destination dataflows, and other important callouts when using this functionality.

Prerequisites

Note the following prerequisites to complete before you start using this functionality. To familiarize yourself with attribute-based access control, Adobe also recommends that you read the following articles:

Access to the permissions UI

Permissions is the area of Experience Cloud where administrators can define user roles and policies to manage permissions for features and objects within a product application. Read the permissions section to get started.

Create roles, labels, and assign users

After getting access to the permissions UI, you or a member of your team must set up roles and add the required labels to those roles. Finally, the users who should access resources labeled with the specific labels must be added to the role. Consult the following documentation sections:

Create destination dataflows

You first need to connect to the desired destination and create a dataflow to export data, before you can apply access labels to the dataflow.

Read the guides on connecting to a destination and activating data to the destination. Then, select the desired destination from the catalog of available connectors.

Already available: Apply access labels to other Experience Platform resources

While this release enables you to grant users object-level access to specific destination dataflows, the functionality to grant access control on an object level is already generally available for other Experience Platform resources, such as audiences.

Use case example

With object-level access control for destinations, limit specific teams of marketers to get access to their specific destinations only. For example, if your organization has customer data in several geographical locations, like the United States and the United Kingdom, you can limit a marketing team to view and edit the dataflows for the US location only, and another marketing team to view and edit the dataflows for the UK location.

Apply access labels to destination dataflows

To apply access labels to a specific dataflow:

Navigate to Destinations > Browse and locate the destination dataflow for which you are looking to limit user access.
Select the ellipsis (...) in the Name column and use the Apply access labels control to add new labels and manage the existing labels for the dataflow.
Select the labels that you want to add to the destination dataflow and select Save.
Notice how the dataflow now has an access label displayed in the UI.

If a destination dataflow is not marked with any labels, it is visible for all users. If the dataflow is marked with one or more access labels, it is only visible for users belonging to a role that has the same label or combination of labels.

You can add standard and custom labels to destination dataflows. After you add a label to destination dataflows:

Users who are assigned to roles with access to the same label can view the dataflow with the new label in the UI. They can view and edit the destination dataflow in the user interface or via APIs.
Users who are not assigned to roles with access to the same label do not have access to the destination dataflow to view or edit it in the user interface or via APIs.

Important callouts and items to know

Currently, access labels can only be applied to existing dataflows. This means that you need to create a dataflow to a destination before you can apply access labels.

You cannot apply an access label to a destination dataflow if you do not have access to that label.

When adding multiple labels to a destination dataflow, users who should be able to view and edit the dataflow must be added to a role with at least the same combination of labels. For example, if you apply the labels C1, I2, and another custom label to a destination dataflow, only users added to roles with access to the combination of these three labels are able to view and edit this specific destination dataflow.

NOTE

When searching for destination dataflows using the search box at the top of the Experience Platform user interface, the results may include destination dataflows which your user access labels restrict you from seeing. This behavior will be corrected in a future update.

Venn diagram showing how only certain users have access to destinations with multiple labels applied.

Next steps

By following the steps in this document, you now know how to apply access labels to destination dataflows so that only a subset of users in your organization get access to specific destination dataflows.

Next, you can read more about other functionality supported by attribute-based access control when activating data to destinations. For example, you can limit users’ access to view and activate specific fields only.

recommendation-more-help