This article describes admin roles in the platform permissions system.
Platform Permissions is in GA for new customers and in EEA (Expanded Early Access) for select customers. If you are interested in trying this feature or need to migrate from EA to EEA, contact your customer success manager. For more information, see the project rollout plan.
How it works
An admin role defines a set of account access levels for administering client-side and server-side users, managing account-level functions, and managing the membership and structure of profiles. Account managers can use admin roles to delegate management of an account and the product features to other users.
Users without admin roles receive only the access to the account they obtain through their membership in permissions groups.
The difference between admin roles and permission groups is that admin roles manage aspects of the account while permission groups manage aspects of profiles.
Default account admin
When account administrators turn on permissions enforcement, the system automatically assigns the account admin role to all users who previously had the manage account permission in the legacy permissions system.
This automatic permissions assignment ensures that at least one user will have the account admin role when platform permissions is turned on.
You can grant the following admin roles to users in your account:
The account admin role has full power and access to the account. The account admin role includes all account-level permissions and all profile-level permissions, including both client-side and server-side publishing permissions.
In addition, Account admins control permissions enforcement on the account, which changes the account from legacy to platform permissions. For more information, see Permissions Enforcement
At least one user in your account must have the account admin role. If you are the only user with the account admin role in your account, you cannot remove this role from yourself.
The user admin role has access to the following settings:
Manage Permissions: Create, edit, and delete permission groups. Also can add and remove users from permission groups, and assign profiles to permission groups.
Manage Users: Add, edit, and remove users from the account.
PII View and Manage: Manage Personally Identifiable Information (PII) user permissions and view and edit attributes with restricted data.
Tag Marketplace Policy: Enable, disable, and configure the tag marketplace policy to control which tags are available for use on this account.
The profile admin role has access to manage profiles and profile settings. This role does not include profile editing or publishing permissions; those are granted through rights in a permission group, which the profile admin can set.
Create New Profile: Create new profiles and assign permissions groups to them.