Three levels of access or three roles govern Customer Journey Analytics: Product administrator role, Product profile administrator role, and user-level access. This topic explains these roles in more detail.
In addition, this article discusses more granular ways to limit access, such as Workspace curation and row-level as well as value-level access control.
The following role-based access control levels are available.
Users who are assigned the Product administrator role are given the necessary permissions to perform most tasks within Customer Journey Analytics by default. However, some tasks require additional permissions.
To add a user as a Product administrator:
Go to the Admin Console.
Select Customer Journey Analytics > Admins tab > Add Admin.
The users that you added are given the Product administrator default permissions. You can also grant them additional permissions if needed.
Product administrators have permissions to complete most tasks within Customer Journey Analytics.
Product administrators are granted the necessary permissions to perform the following tasks by default:
In addition to being added as a Product administrator in the Customer Journey Analytics Product Profile in the Admin Console, additional permissions are required to complete the following tasks within Customer Journey Analytics:
Create, update, and delete data Connections
To perform this task, users must be part of an Experience Platform Product Profile that provides the following permissions:
Category | Permission | Description |
---|---|---|
Data Modeling | View Schemas | Read-only access to schemas and related resources. |
Data Modeling | Manage Schemas | Access to read, create, edit, and delete schemas and related resources. |
Data Management | View Datasets | Read-only access for datasets and schemas. |
Data Management | Manage Datasets | Access to read, create, edit, and delete datasets. Read-only access for schemas. |
Data Ingestion | Manage Sources | Access to read, create, edit, and disable sources. |
Identity Management | View Identity Namespaces | Read-only access for identity namespaces. |
For more information on Experience Platform permissions, see Manage permissions for a product profile.
If Adobe Journey Optimizer was integrated with CJA where AJO Connections exist, then Journeys permissions must also be added in order to access Connections:
Category | Permission | Description |
---|---|---|
Journeys | View Journeys Events, Data Sources and Actions | Read-only access to journey events, journey custom actions, and journey data sources. |
Journeys | Manage Journeys Events, Data Sources and Actions | Read, create, edit, and delete events, sources, or actions. |
Journeys | View Journeys | Read-only access to journeys. |
Journeys | Manage Journeys | Read, create, edit, and delete journeys. |
Export datasets to destinations
To perform this task, users must be part of an Experience Platform Product Profile that provides the following permissions:
Category | Permission | Description |
---|---|---|
Destinations | Manage Destinations | Access to read, create, and delete destination connections and destination accounts. |
Destinations | Activate Destinations | Allow users to activate segments to existing destinations. Enables the mapping step in the activation workflow. This permission also requires the View Destinations permission to be granted to the user who wants to activate data to destinations. |
For more information on Experience Platform permissions, see Manage permissions for a product profile.
Use the BI extension
For users to use the BI extension, a Product administrator
must ensure the Experience Platform permissions for the user include a role that has the Query Service resource with the Manage Queries and Manage Query Service Integration options. For more information on Experience Platform permissions, see Manage permissions for a product profile.
Category | Permission | Description |
---|---|---|
Query Service | Manage Queries | Access to read, create, edit, and delete structured SQL queries for Platform data. |
Query Service | Manage Query Service Integration | Access to create, update, and delete non-expiring credentials for Query Service access. |
must ensure the proper Customer Journey Analytics permissions for the user:
A product profile is a set of permissions. Product administrators create product profiles and can assign Product profile administrators to manage one or more product profiles. A Product profile administrator can then:
Manage the assigned product profiles. Such as adding or removing users or user groups and modify the permissions for the product profiles.
In Customer Journey Analytics, edit data views that are part of an assigned product profile. Product profile administrators cannot create new data views.
The table below outlines the main access permissions for different Customer Journey Analytics capabilities that you can configure for relevant users. You can manage different level of user access through product profiles. A product profile combines a number of permissions, which you then can assign to individual users or user groups.
The Permissions tab is part of each product profile in the Admin Console.
Category | Permission | Description |
---|---|---|
Data Views | data view name | If you toggle Auto-Include to On, users that are part of this product profile can view all existing and newly created data views. If this setting is set to Off, you can select specific data views that users have access to. |
Reporting Tools | Analysis Workspace Access | Let users access Analysis Workspace. |
Reporting Tools | Guided Analysis Access | Let users access Guided Analysis. |
Reporting Tools | Calculated Metrics Creation | Let users create calculated metrics. Users can tag, share, delete, rename, approve, unapprove only the calculated metrics they create or the calculate metrics shared with them. |
Reporting Tools | Filter Creation | Let users create filters. Users can tag, share, delete, rename, approve, unapprove only the filters they create or the filters shared with them. |
Reporting Tools | Labs Access | Let users access the Labs tab in Customer Journey Analytics. |
Reporting Tools | Annotation Creation | Let users create annotations. Users can tag, share, delete, and rename only the annotations they create or annotations shared with them. |
Reporting Tools | Audience View | Let users view audiences. |
Reporting Tools | Audience Creation | Let users create audiences. |
Reporting Tools | Audit Logs Access | Enforce the permission check on the API and the audit logs UI. |
Reporting Tools | Share Project Links With Anyone | Let users share projects with anyone. |
Reporting Tools | Forecasting | Let users access the Forecasting feature in Analysis Workspace |
Reporting Tools | AI Assistant: Product Knowledge | Let users access the AI Assistant for product knowledge. |
Reporting Tools | Intelligent Captions | Let users access Intelligent captions. |
Data View Tools | Full Table Export | Let users export full tables to the cloud. |
Data View Tools | CJA BI Extension | Let users use the BI extension. |
Another level of access control can be used at the Workspace reporting level. You can limit access to specific components for certain users. For more information on how to limit components (dimensions, metrics, filters, date ranges) at the Workspace project level, and how curation is tied to data views, see Curate projects.
You cannot grant or deny permissions for individual metrics or dimensions in Customer Journey Analytics like you can in traditional Adobe Analytics. Metrics and dimensions can be modified in data views and are thus subject to change in Customer Journey Analytics. Changing them also retroactively changes reporting.
Here are a few use cases that illustrate how access control can be used in real-life scenarios.
You can provide Product profile administration access to a team lead of a third party that your company works. This admin can add users on the company’s team to this product profile. This Product profile administrator can give access to specific data views and add other users within the third party to this product profile. The Product profile administrator can modify data views to fit the third party team’s requirements.
You want to give users access to data from one day only. Here is how you would limit access to those specific rows:
Users who have access to a data view can only work with the metrics and dimensions that the administrator has included in this data view. Administrators can use the Include/Exclude functionality or Value bucketing component settings in a data views to exclude or aggregate certain dimension values from a data view.
For example: You create a metric called Hypertension in a data view from a component that contains individual patient data from the dataset. You use value bucketing to provide only access to bucketed values, so users of the data do not see the individual patients data.