CX Works

CX Works brings the most relevant leading practices to you.
It is a single portal of curated, field-tested and SAP-verified expertise for SAP Customer Experience solutions

Configuring Policies and Email Templates in SAP Customer Data Cloud

17 min read

Quickly configure Policies and Email Templates for implementing SAP Customer Data Cloud


SAP Customer Data Cloud provides a user-friendly interface to quickly configure the policies and email templates within the Admin Console.

This article presents an easy-to-implement approach highlighting the Configuration Policies and Email Templates of the SAP Customer Data Cloud site and which is also expansible enough to accommodate future-states.

Table of Contents

What are Policies in SAP Customer Data Cloud?

Policies define the characteristics of a typical site (api key).

Where to Configure Policies ?

The  Policies  of a typical site or api key are configured in the Policies page of the Settings area in the SAP Customer Data Cloud Console. Major site policies are defined on this user-friendly interface and extended list of site policies can be accessed via the API methods : accounts.setPolicies and accounts.getPolicies.

What Are the Various Policies ?

Login Identifier

This is the option provided for a user to select any of the below identifiers for logging into CDC environment:

Link Accounts Support

This setting determines if the account linking is required when a user logins with an unregistered social network, that shares an email with a registered account.

  • Disabled  indicates the accounts are not linked --> a new account is created in which the email is not used as a login identifier.

  • Site identities only  enables user to link the social network to an existing account which uses the same email as a login identifier, only if that account is a  registered site account .

           Also, the user can choose to create a new unlinked account which will not use the email as a login identifier. 

  • All identities  - If any account on the system uses the email entered by the user as a login identifier, the user is prompted to link the social network to that account. The user can choose to create a new unlinked account which will not use an email as a login identifier.

Double Opt-In

As part of subscription management feature of Customer Data Cloud, the below settings are to be configured if the subscriptions require double opt-in :

  • Customize redirection URL -->the subscribers will be redirected to this URL after successfully confirming their subscription.

  • Customize confirmation link expiration time (hours) --> this is the length of time for which the confirmation link is valid.

Default Login and Registration Screen-Set

The user can select the default "RegistrationLogin" screen-set that is to be used in web and mobile.

It is important to note that the child sites as part of the site groups automatically inherit default screen-sets from their master site.

The below setting is to be selected to override the default screen-sets per child site :

Email Verification

When this setting is selected by user, the email verification process considers the configuration options when the user registers to a site.

The email can contain a verification link, or a code but not both. The additional configuration options here are -- the addition of the Redirection URL, configure link expiration time and automatically being able to login users upon email verification.

While screen sets are not discussed in detail in this document, it is vital to add email field on the Complete Registration screen set as a Required field in order for users to complete registration.

The link appearing in the verification email automatically navigates to the landing page to finalize the registration process.

Link Verification Configuration Options:

Once email link verification has been selected, the below options are available :

  • Require email verification after social login --> opted when social login users are to verify their email addresses.

  • Use code verification --> when set, users will receive an email with a code after submitting the registration screen. And on the next screen, user is required to enter that code.

  • Customize redirection URL --> this is the page to which the user will be redirected after verifying their email.

  • Customize verification link expiration time --> this is the number of hours that verification emails are valid.

  • Automatically login users upon email verification --> enables automatic login post email verification when this option is selected. The customized redirection URL needs to be specified in this case.

The format of the verification email could be customized using the Email Template page on the Console. The Email templates topic is documented at the end of this section.

A point to note here is when using  site groups , Child sites automatically inherit email verification policy from their master site which can be overridden by email verification settings per child site, as indicated in the below :

Authentication Types

Users can use the below authentication types on the sites. 

  • Password authentication is always enabled

  • Push notifications allow your users to authenticate with a notification sent to their mobile phones.

Password Strength

The password strength is defined by: minimum number of characters, character groups and regular expression.

Min Character Groups indicates the number of the different character groups (capital letters, lowercase letters, numbers and special characters) that must be included in the password.
And Regular Expression is an alternative/additional way to specify password strength by defining a string pattern that the passwords must match.
The supported regEx syntax can be found here.

Password Change

This section is for specifying the details around password change which includes :

  • The number of days after which password needs to be changed

  • Details about forbidding reusing a specified number of previous passwords.  (CDC will remember the previous 7 passwords)

Also the password can  never  be reset to the current one.

COPPA Compliance

This setting is enabled to apply COPPA compliance and force a minimum age limit on new registered users to the site:

This option is disabled by default and when enabled, each time a user registers with the site, SAP Customer Data Cloud will check their age.

Additional Security Measures

These options are chosen when additional security measures should be employed when users register on the site


SAP Customer Data Cloud implements Google's Invisible reCAPTCHA freeware.

In order to ensure proper registration form validation, the CAPTCHA widget should be included in every registration screen.

  • Account Harvesting

The process of grabbing legitimate user IDs to gain access to target systems for illegal or malicious purposes, is called Login identifier harvesting, also known as account harvesting.

Enabling this option aids in protection against the login identifier harvesting and is disabled by default.

A point to note is -- when a login ID doesn't exist and/or a password is incorrect, the Login screen   always   displays a generic error message, regardless of the Account Harvesting setting.

Account Harvesting Via Account Update

Account harvesting may be attempted by logged in users attempting to change the email identifier of their account, at times. In such a case, enabling the below listed policies would protect against account harvesting attempts : 

  • Protect against login identifier harvesting

  • Require email verification --> Use code verification

Automated Emails

Prior to enabling this option, templates must be defined for the relevant emails. 

  • New user welcome --> mail is sent once the user successfully completes registration

  • Password reset confirmation --> mail is sent after the user successfully resets their password

  • Account deletion confirmation --> mail is sent after the user successfully deletes their account

Account Progression

This setting is enabled when implementing Lite Registration. While this documentation will not cover Lite Registration topic in detail, it is worth to note that these options enable user to decide how to handle lite user data, when a user progresses from a lite to a full account.

Site Policies, Site Groups and SSO

Certain policies configured for the master site, can be overridden in individual sites in a site group. 

While Site Groups and SSO are not documented in detail in this section, here is a quick explanation of the Site Groups and SSO functionalities, to quickly understand their association with Policies :

Site Groups are used incase of multiple sites where the users wish to have a different experience in each site, but at the same time have a unified database of all users and a centralized place for settings configuration. A site group consists of one Parent site and one or more Child   sites. All sites in the group share the same user database, hosted on the Parent site, so that a user's data is available to all member sites. The Child sites inherit most of their settings from the Parent, including permissions, policies, and more.  

Single Sign-On (SSO)  allows a user to be seamlessly signed in to one site after signing in to another.

The master configurations for a child site can be overridden by selecting the Override master settings checkbox for the relevant configurations in the Policies page for the relevant child site as indicated below :

Below provided are the settings that can be overridden by a child site: 

  • Default login and registration screen-sets

  • Email verification

  • CAPTCHA requirement for new registrations

  • The sending of the following automated emails: 

    • New user welcome

    • Password reset confirmation

    • Account deletion confirmation


Th REST API accounts.setPolicies allows for a greater range of flexibility for customizing the policies further, besides the built-in policy schemas and options.

How to Configure Email Templates?

The Email Templates page in the console is used to design the emails that are sent out to users and can be accessed under Registration-as-a-Service as highlighted below :

 These templates are fully customizable  and can be added in multiple languages. In case of site groups, child sites automatically inherit email templates from their parent site which could be overridden by selecting Override master settings in the individual child sites.

Each type of email template is displayed as a tab on the Email Templates page :

  • Email Verification
  • Code Verification
  • Password Reset
  • Double Opt-In Confirmation
  • Password Reset Confirmation
  • New User Welcome
  • Account Deletion Confirmation
  • TFA Email Verification

Each template is displayed in a tabular format and additional templates can be added using the Add Template  button. If there are many templates, a default template must be selected.

The default language is English, and different languages could be selected while adding the templates.

The list of supported languages and their codes can be found in the  Language Support  guide.

SAP Customer Data Cloud determines which language email template to use when sending a verification email according to the  profile .locale on the user's account.

These templates are setup as an HTML template with META tags and Placeholders .

Placeholders --> variables that are replaced with actual values when the email is sent

META tags --> define the header of the email.

          META Tags

The supported META tags are :

  • <META name="from" content="Name <noreply@ " />
    • The default sender for all emails is '', and the emails are sent out from a 'gigya-raas' domain.
  • <META name="subject" content="Account Activation" /> 
    • Defines the  subject  of the email.


The following placeholders are supported by all email templates except the email code verification. (Individual emails may support additional placeholders) :

  • $firstName  - The user's first name *
  • $lastName  - The user's last name *
  • $nickname  - The user's nickname *
  • $username  - The user's name as defined in the  loginIDs.username  field in the  Account object  *
  • $name  - The user's name *
  • $birthDay  - The day on which the user was born
  • $birthMonth  - The month in which the user was born
  • $birthYear  - The year in which the user was born
  • $age  - The user's age
  • $UID  - The user's UID
  • $email  - The user's email address (not supported for DOI emails, Double Opt-In email templates must use $
  • $gender  - The user's gender
  • $city  - The user's city
  • $state  - The user's state
  • $zip  - The user's postal code
  • $country  - The user's country
  • $photoURL  - A url pointing to the user's profile photo
  • $thumbnailURL  - A url pointing to a thumbnail of the user's profile photo
  • $profileURL  - A url pointing to the user's profile

Password Reset

The reset password flow can be setup by defining the template of the reset password email received by the user, and the landing page to which the user is redirected when clicking the reset password link. 

After a user successfully resets their password, they will be presented with the Reset Password Success screen.

Password Reset Email

Password reset emails are sent whenever a user chooses to reset their password and this email is valid for 1 hour by default.

This definition can however be changed by using the  passwordReset.tokenExpiration  parameter of  accounts.setPolicies .

It is important to note that, regardless of which placeholders are used in the email template, SAP Customer Data Cloud will always append the API key to the URL.

Policies related email templates

Email Verification

If specified in the site policy, the verification emails are sent and this email will be sent to every new email address added by the user. 

The email verification policy can also be set via the accounts API, using  accounts.setPolicies  and  accounts.getPolicies  methods.

Code Verification

If specified in the site policy, the "Code Verification" template sends out a verification code to the user, to be entered in an  email verification flow , and not the link verification, which is a separate template. (Only one of these policies can apply to a given site)

Double Opt-In Confirmation

If  Subscription Management is enabled on the account, the created subscriptions may require user email confirmation (double opt-in). The Email Templates page can be edited which is sent automatically to potential subscribers.

New User Welcome

New User Welcome emails are sent when this option is enabled as part of the site policy (mentioned under Policies section above),  A default template is not provided in this case and a template in the New User Welcome tab is to be setup.

Password Reset Confirmation

Password Reset Confirmation emails are only sent if they are required by site policy. A default template is not provided and a template in the Password Reset Confirmation tab is to be setup.

Account Deletion Confirmation

The Account Deletion Confirmation emails as well are only sent if they are required by site policy. In this case too, a default template is not provided and a template in the Account Deletion Confirmation tab is to be setup.

TFA Email Confirmation

This template is used when implementing  Risk Based Authentication (RBA).

Risk Based Authentication is an added layer of account security that can prevent malicious attacks and hacking attempts on the site.

Though RBA is not covered in detail as part of this documentation, it is worth to note that Two-factor authentication(TFA) emails are sent when a login attempt is assigned a relatively high risk level and when RBA policy AuthLevel is set to 10. The template related to the TFA is configured in the TFA Email Verification tab.

Emails via Customer Data Cloud Servers (Default)

The default configuration for all Customer Data Cloud customers is to send system (account) emails to users using Customer Data Cloud's email servers and requires no additional setup.

Emails via Your Own SMTP Server

This option allows Customer Data Cloud to send system (account) emails via the respective organization's email server.

The steps that are needed to be performed in this case are as follows:

  • The IP or IP's of email server or servers., are to be provided to SAP Customer Data Cloud
  • The server credentials (i.e., username and password), are to be provided to SAP Customer Data Cloud
  • At least one email  From  address is to be provided to SAP Customer Data Cloud
  • SAP Customer Data Cloud will then provide the information to complete the setup process which is a list of IPs of the mail servers that will forward the emails to the organization's SMTP server that will need to add to their allowlist, if using one.

Related Videos


Upon reading this article, you should be in a position to  Configure Policies and Email Templates to be signed-off ready for implementation. 

For more information on policy configuration and email templates, please references the SAP CDC Developers Guide