Platform Permissions (Expanded Early Access)
This article provides information on the new platform permissions as well as instructions on managing permissions.
The Platform Permissions feature provides centralized management of permissions across Tealium products and services. You can control access to Tealium, to Tealium features, and to personally identifiable information (PII).
Platform Permissions is in Expanded Early Access and is only available to select customers. If you are interested in trying this feature, contact your Tealium Support representative.
How it works
The Platform Permissions feature provides three categories of permissions:
- Admin role permissions are assigned to users to allow them to manage groups, users, privacy, and product configuration.
- Group permissions control the areas and features of Tealium that users can access as well as the profiles users can access. Users are assigned to one or more groups, and have the permissions and access associated with the groups.
- User-based permissions control the user’s access to PII (Personally Identifiable Information) data, MFA (Multi-Factor Authentication) access, and API key generation.
After you have created the necessary groups and assigned account role permissions to users, turn on Permissions Enforcement to enforce the permission settings for the account.
Before turning on Permissions Enforcement, make sure that users have been added to groups and admin role permissions have been assigned to users that manage users, groups, and PII permissions. If you turn on permissions enforcement before you assign users to groups or admin roles to users, you may lose access to your account.
Admin role permissions
Admin role permissions are for users that perform administrative tasks (configuration, adding new users, and so on) and allow these users to manage Platform Permissions. You can assign multiple admin role permissions to a user.
The following admin role permissions specify the administrative tasks a user can perform:
- Account Admin: The user has full permissions on the account.
- Account Viewer: The user can view everything in the account with read-only access. This role is useful for auditing or legal review purposes.
- User Admin: The user has access to the following features:
- Manage Permissions: Can add, edit, and remove groups and user permissions.
- Manage Users: Can add, edit, and remove account users.
- Multi-Factor Authentication: Can enable or disable MFA on the account.
- Reset MFA for other users: Can grant users the ability to generate an authorization key.
- Set Password Policy: Can update the password policy.
- SSO Management: Can enable, disable, and manage Single Sign-On (SSO).
- Profile Admin: Profile admins have access to the following features:
- Create New Profile: Can create new profiles in iQ Tag Management and assign permission groups to them.
- Manage Profiles: Can manage an existing profile.
- Manage Profile Libraries: Can manage profile libraries.
- Privacy Admin: Requires User Admin permission. In addition to having full access to PII data, privacy admins have access to the following features:
- Consent Management: Can manage global consent parameters and languages, which apply to all profiles that use consent management.
- PII View & Manage: Can set PII permissions for groups and set up and manage data sources, connectors, attributes, enrichments, and rules.
PII permissions management will be moving from group-based management to user-based management in the GA release.
- Tag Marketplace policy: Can update the Tag Marketplace Policy.
- Technical Admin: The user has access to the following features:
- First-Party Domains: Can manage first-party domains, including entering domain names and updating certificates.
- GitHub Account: Can link the account to a GitHub account for use with the Advanced JavaScript Code extension.
To allow administrative users to manage groups and permissions, account role permissions must be assigned to users before Permissions Enforcement is turned on.
Admin roles permissions matrix
Account Admin | Privacy Admin | Profile Admin | Technical Admin | User Admin | Account Viewer | |
---|---|---|---|---|---|---|
Accounts | View, Edit | View | ||||
First-Party Domains | View, Create, Edit, Delete | View, Create, Edit, Delete | View | |||
GitHub Account | View, Create, Edit, Delete | View, Create, Edit, Delete | View | |||
Global Consent Management | View, Create, Edit, Delete | View, Create, Edit, Delete | View | |||
Initiate CDN Purge Request | View, Edit | View | ||||
MFA Reset For Others | View, Edit | View, Edit | View | |||
MFA Toggle | View, Edit | View, Edit | View | |||
Password Policy | View, Create, Edit, Delete | View | ||||
Permission Groups | View, Create, Edit, Delete | View, Create, Edit | View | |||
PII and Restricted Data | View, Create, Edit, Delete | View, Create, Edit, Delete | View | |||
Permissions Enforcement | View, Edit | View | ||||
Profile Libraries | View, Create, Edit | View | ||||
Profiles | View, Create, Edit, Delete | View, Create, Edit | View | View | ||
SSO | View, Edit | View | ||||
Tag Marketplace Policy | View, Create, Edit, Delete | View, Create, Edit, Delete | View | |||
TiQ Profile Publish Dev | View, Edit | Edit | View | |||
TiQ Profile Publish Prod | View, Edit | Edit | View | |||
TiQ Profile Publish QA | View, Edit | Edit | View | |||
Users | View, Create, Edit, Delete | View, Create, Edit | View |
Group permissions
Permissions and profiles are assigned to groups. Users are assigned to one or more groups, have the permissions for those groups, and can access the profiles for those groups. Users without an admin role must be assigned to at least one group to be able to access Tealium.
If a user is in multiple groups with different permissions, the highest permissions apply. For example, if a user is in group A, which has View permission on a profile, and is in group B, which has Edit permission in that profile, the user has Edit permission.
Also, a user’s admin roles may affect profile permissions. For example, a user with the Account Admin role will have full permission on all profiles in the account.
There are two categories of group permissions:
- Server-Side Publish
- Product permissions that specify the products and product features that users can access.
Server-side publish permission
When Server-side Publish Enabled is selected for a group, users in that group can publish server-side changes. This permission is not specific to products or product features.
Product and feature permissions
Product access permissions specify the Tealium products and features that users can access.
To access Tealium, users must either have an admin role or must be assigned to one or more groups that provide the necessary product and feature permissions. If you turn on permissions enforcement before you assign users to groups or admin roles to users, you may lose access to your account.
Currently, the following product permissions can be assigned to a group:
- Tealium iQ Tag Management
- AudienceStream
- EventStream
- Data Access
- Data Connect
- Predict
- Functions
- Server-Side Tools
- Server-Side (Others)
Feature permissions that can be assigned to a group vary depending on the product permissions assigned to the group, as shown in the following table:
Users that have View & Edit or View, Edit & Delete permission also have Save permission.
Product | Features | Available Permissions |
---|---|---|
iQ Tag Management (Phase 2) |
|
|
iQ Tag Management (Phase 2) |
|
|
iQ Tag Management (Phase 2) |
|
|
AudienceStream |
|
|
AudienceStream |
|
|
EventStream |
|
|
DataAccess |
|
|
DataAccess |
|
|
Data Access |
|
|
DataConnect |
|
|
DataConnect |
|
|
Predict |
|
|
Functions |
|
|
Server-Side Tools |
|
|
Server-Side Tools |
|
|
Server-Side (Others) |
|
|
Server-Side (Others) |
|
|
EventStream and AudienceStream share some elements, such as rules and labels. If a user has Publish permission and only has access to EventStream, publishing changes also affects AudienceStream if changes were made to shared elements. Similarly, if a user has Publish permission and only has access to AudienceStream, publishing changes also affects EventStream if changes were made to shared elements.
How a user’s permissions change the user interface
When a user does not have permission for a product or feature, the user interface changes as follows:
- When a user does not have access to a product, that product does not appear in the navigation.
- When a user has access to some features, but not others, they only see the features they can access in the navigation.
- When a user does not have Edit permission for a feature, the Edit button is not displayed on pages for that feature.
Managing Permissions Enforcement
After you have created the necessary groups, assigned users and profiles to groups, and assigned account role permissions to users, the Account Admin can turn on Permissions Enforcement to enforce the permission settings for all assigned groups and profiles for the account.
Permissions Enforcement was released in two phases:
- Phase 1: Server-side permissions and the privacy admin, technical admin, and user admin roles.
- Phase 2: Client-side permissions, the Account Admin role, and the Profile Admin role.
Before turning on Permissions Enforcement, make sure that users have been added to groups and admin role permissions have been assigned to users that manage users, groups, and PII permissions. If you turn on permissions enforcement before you assign users to groups or admin roles to users, you may lose access to your account.
If Permissions Enforcement is turned on before users have been added to groups, users will not have access to Tealium. If Permissions Enforcement is turned on before admin role permissions are assigned, users will not be able to manage groups, users, and permissions.
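The following check is an added example, not Tealium code. It applies the rule from the Group permissions section (the highest permission across groups and admin roles applies) and flags the lockout conditions described above before enforcement is turned on. The data structures, group names, profile name, and email addresses are constructed for illustration and do not reflect the format of the Export Users file.

```python
from dataclasses import dataclass, field

# Access levels named on the page, ordered so max() selects the highest one.
LEVELS = ["None", "View", "View & Edit", "View, Edit & Delete"]

@dataclass
class User:
    email: str
    admin_roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

def effective_level(user, profile, group_access):
    """Highest level on a profile across the user's groups and admin roles."""
    rank = 0
    for group in user.groups:
        granted = group_access.get(group, {}).get(profile, "None")
        rank = max(rank, LEVELS.index(granted))
    if "Account Viewer" in user.admin_roles:   # read-only view of everything
        rank = max(rank, LEVELS.index("View"))
    if "Account Admin" in user.admin_roles:    # full permission on all profiles
        rank = len(LEVELS) - 1
    return LEVELS[rank]

def pre_enforcement_findings(users):
    """Problems to fix before Permissions Enforcement is turned on."""
    findings = []
    for u in users:
        if not u.admin_roles and not u.groups:
            findings.append(f"{u.email}: no admin role or group, will lose access")
        # Page: Privacy Admin requires User Admin. Assumption: Account Admin,
        # which has full permissions, also satisfies that requirement.
        if "Privacy Admin" in u.admin_roles and not (
                u.admin_roles & {"User Admin", "Account Admin"}):
            findings.append(f"{u.email}: Privacy Admin without User Admin")

    def someone_has(*roles):
        return any(u.admin_roles & set(roles) for u in users)

    if not someone_has("Account Admin", "User Admin"):
        findings.append("account: nobody can manage users and groups")
    if not someone_has("Account Admin", "Privacy Admin"):
        findings.append("account: nobody can set PII permissions")
    return findings

# Constructed sample data: group -> profile -> access level.
GROUP_ACCESS = {"A": {"main": "View"}, "B": {"main": "View & Edit"}}
USERS = [
    User("alice@example.com", groups={"A", "B"}),
    User("bob@example.com", admin_roles={"Privacy Admin"}),
    User("carol@example.com"),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.email, "->", effective_level(u, "main", GROUP_ACCESS))
    for finding in pre_enforcement_findings(USERS):
        print("FINDING:", finding)
```

An empty findings list means every user keeps access and at least one user can manage users, groups, and PII permissions once enforcement is on.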
To turn on Permissions Enforcement:
- In the admin menu, click Manage Permissions.
- In the Permissions Enforcement section, click Manage.
- Toggle ON permissions enforcement for Phase 2 (and Phase 1) or Phase 1.
- A success message will appear, and the platform will enforce permissions for the sides of the platform that you selected.
To revert the account to the legacy permission settings, toggle that side OFF. You cannot revert Phase 1 permissions without also reverting Phase 2 permissions.
Managing groups
To manage groups, users must have server-side User Admin permission.
View groups
To view the groups for an account, use the following steps:
- In the admin menu, click Manage Permissions.
A list of the existing groups is displayed. By default, the list is sorted by Group name in ascending alphabetical order.
- To sort the list by Group name (alphabetic, ascending or descending), click the Group column heading.
- To sort the list by number of profiles (ascending or descending), click the Profiles # column heading.
- To sort the list by the number of members in the group (ascending or descending), click the Users # column heading.
- To sort the list by creation date (ascending or descending), click the Date Created column heading.
Create a new group
Perform the following steps to create a group:
- In the admin menu, click Manage Permissions. The Manage Permissions screen will appear.
- Click + New Group. The New Permission Group dialog appears.
- In the Group Name box, enter a name for the group.
- Select what the new group will initially contain:
- Blank Group - Start a new group without any existing settings.
- Duplicate an Existing Group - Start a new group with the same permissions, profiles, and users of the group that you select.
- Click Next. The Set Account Permissions dialog appears.
- If you want to give the group permissions to publish server-side profile changes, under Server-Side select Publish Changes.
- Select the products you want the group to access.
- Click Next. The Set Feature Permissions dialog appears.
- Select the access level for each product and its features.
- Some features appear in multiple products. Feature access levels apply to the feature, regardless of which product it appears in.
- Edit access for a feature or product includes the ability to save changes to the profile.
- Click Next. The Assign Profile Access to Group dialog appears.
- Select profiles to assign group access.
- Click Next. The Add Users to Group dialog appears.
- To add users to the group, select the appropriate checkboxes next to their email addresses.
- Click Finish.
- If you do not add any users to the group, a warning dialog will appear. If you want to add users later, click Continue. Otherwise, click Cancel and add users to the group.
The Manage Permissions screen will appear, and the new group will appear in the list.
Edit a group
Perform the following steps to edit an existing group.
- In the admin menu, click Manage Permissions. The Manage Permissions screen will appear.
- Click the Groups tab.
- Click the permission group you want to edit. The group’s details will appear.
- Select the information you want to edit:
- Features - You can add or remove product features from the permission group, and you can set the permission group’s access levels for product features.
- Users - You can add or remove users from the permission group.
- Profiles - You can add or remove profiles from the permission group, and you can set the permission group’s access levels for that profile.
- Click Save.
Remove a group
When a group is removed, users in the group no longer have the permissions associated with that group. To remove a group or groups, use the following steps:
- In the admin menu, click Manage Permissions.
- Select the checkboxes associated with the groups you want to remove.
- Click Bulk Actions, and then click Remove.
- In the confirmation dialog, click Remove.
You can also remove a group with the additional actions button at the end of the group’s row.
Managing users
To manage users, users must have the User Admin or Account Admin role.
Export users
The Export Users function allows you to download a comma-separated value (CSV) file with the account’s users, profiles, and legacy user permissions for each profile. This makes it easy to audit your users and their permissions to build permission groups and assign admin roles in the new platform permissions system.
View user details
To view the current list of users, use these steps:
- In the admin menu, click Manage Permissions.
- Click the Users tab.
The list of users shows the email address and first and last name, as well as the account roles, the number of groups for the user, PII permissions, and the last login time.
- To sort the list of users, click any column heading.
- To view details for a user, click a user in the list.
The User Details dialog appears with the following three tabs:
- Overview - The user’s name, email address, and account memberships. This tab also displays the user’s MFA and API Key settings.
- Permissions - The user’s admin roles and a table of product features within a profile and the user’s permissions on those features.
- Groups - The user’s permission groups.
Diagnosing profile permissions issues
In the Permissions tab, select a profile from the Profile dropdown to view this user’s permissions for product features on that profile. This information can help you diagnose any access issues your users have with profiles or ensure that users only have access to the features they require.
Permissions are cumulative between the user’s permission groups and admin roles. So, if a user is a member of a group with View rights, another group with View & Edit rights, and the Account Admin role, the table will display a checkmark in the View, Edit & Delete column.
Add new users
When you add new users, you will add email addresses to an invitation queue, assign user roles to the users, and then add the users to permission groups. When you are done assigning them roles and adding them to groups, you can send out the invitations.
To add new users to your Tealium account:
- In the admin menu, click Manage Permissions. The Manage Permissions screen appears.
- Click the Users tab.
- In the User Manager dialog, click + New User. The Add New Users dialog appears.
- In the Invite New User box, enter up to 25 email addresses.
- You cannot send an invitation to a user that already exists in your Tealium account. If you want to change an existing user’s admin roles or permission group membership, edit the user from their User Details dialog.
- To send the user invitations, click Add Users.
The Manage Permissions screen will appear, and the Customer Data Hub will send out email invitations to the new users. They will need to accept the invitation and set a password.
Edit a user
To edit a user:
- In the admin menu, click Manage Permissions. The Manage Permissions screen appears.
- Click the Users tab.
- Click the user you want to edit. The Overview tab will appear.
- Select a profile from the dropdown list to review the user’s permissions on products and features.
- To change the user’s admin roles, click Permissions.
- Select the admin roles that you want to grant or remove from the user.
- To change the user’s permission group membership, click Groups.
- Select the groups to add or remove from the user’s membership list.
- Click Save. The Manage Permissions screen will appear.
You can also use the checkboxes and Bulk Actions to perform changes to multiple users at once.
Users who do not have an admin role and are not a member of any permission group will not be able to access any profile.
PII permissions
Only account admins and privacy admins can set PII permissions for a user.
PII permissions control who can see PII data and who can edit the Restricted Data property that identifies PII data. Only one level of PII permissions can be assigned to a user. The three levels of PII permissions are as follows:
- No PII: Users can view PII attributes, but cannot see the values of these attributes. PII is obscured wherever it is shown, including Trace and Live Events.
- View: Users can view the values of PII attributes, but cannot edit or manage PII data.
- Manage & View: Users can view, edit, and manage PII data.
Privacy admins have Manage & View access to PII data.
To edit the Restricted Data property for an attribute, users must have the Manage & View PII permission and View, Edit & Delete permission for that feature.
For more information on the Restricted Data property, see About Restricted Data.
Remove a user
If a user no longer requires access to the account, you can remove that user from the account. This functionality will remove their group membership, admin roles, and settings for this account. However, this will not remove the user from the Tealium platform and any other accounts they have access to.
This action cannot be undone. If you remove the user and then need to re-add them, you will need to set up their group memberships and admin roles again.
To remove a user from your account:
- In the admin menu, click Manage Permissions. The Manage Permissions screen appears.
- Click the Users tab.
- Select the appropriate checkboxes for the user or users you wish to remove.
- Click Bulk Actions, and then click Remove Access.
- A confirmation dialog will appear. Click Remove Access to continue.
The Manage Permissions screen will appear, and the Customer Data Hub will remove the user from the account.
You can also remove a user from the account through the additional actions menu at the end of the user’s row in the table or from the Edit User dialog.
This page was last updated: August 1, 2023