CX Works

A single portal for curated, field-tested and SAP-verified expertise for your SAP C/4HANA suite. Whether it's a new implementation, adding new features, or getting additional value from an existing deployment, get it here, at CX Works.

Creating and Implementing an Authorization Concept for SAP Marketing Cloud


Creating and Implementing an Authorization Concept for SAP Marketing Cloud


Before implementing SAP Marketing Cloud, you should consider creating an authorization concept outlining the different roles and responsibilities within your organization. This not only allows you to tailor the available features and functionalities (for example, marketing apps) but also the visibility of different data entities (for example, contacts, segmentation profiles, campaigns, and more) per role according to your needs. While SAP Marketing Cloud comes with a variety of pre-delivered business roles, we recommend to assign only relevant business users to the customizable roles based on a clear role concept. Limiting the number of available features, functionalities, and data will make working in SAP Marketing Cloud even more enjoyable as only relevant content will be available per user. This article will help you to define an authorization concept for your SAP Marketing Cloud solution.

Table of Contents


Concept of Roles, Catalogs, and Groups in SAP Marketing Cloud

Before coming up with the authorization concept, it is crucial to understand the different settings and authorization functionalities SAP Marketing Cloud provides you. Below, we will explain in more detail the business roles, business catalogs, and business catalog groups. Please note that Marketing Areas offer additional functionality to segregate and restrict data in terms of access and process control. The concept of Marketing Areas is outlined in the following CX Works article: Set Up Marketing Areas for SAP Marketing Cloud and will not be further elaborated in this article.


Relationship Between Business Users and Business Roles/Catalogs

  • The business catalog groups contain the tiles to be presented to the business user by default, whereas the business catalogs contain all the accessible tiles for the business user.
  • The business role template comprises multiple business catalogs, business groups, and catalog roles.

  • The user administrator creates business roles based on the business role template and, if required, defines restricted read or write access for business users by means of restriction type (for example, Marketing Areas and Country).

The illustration below explains the cardinalities and connection of roles, catalogs, and groups:



Business Roles

Business roles are used to control access to SAP Marketing Cloud business applications. Typically, business roles can broadly be categorized into business catalog groups as listed below. The access to different applications can be assigned to these business roles based on the nature of the work these roles perform and through the assignment of business catalogs.

Kindly refer to the SAP help documentation for an overview of all pre-delivered Business Roles and Apps in SAP Marketing Cloud. You can either create new business roles or use the standard roles and adapt them to your needs by creating new roles using the standard roles as role template in the Maintain Business Roles app.


We recommend to create business roles based on pre-delivered role templates using the Create From Template option.


Here's how you can create new roles based on a template:



In the app, click on Create From Template:



On the next screen, you can then edit the business catalog assignment for the new role. When using the Create From Template option, the business catalogs of the chosen template will be pre-assigned and can be edited accordingly:



Using Maintain Restrictions, you can specify what kind of access level the business role should have:



For more information about restrictions, please refer to the following documentation: Edit Restrictions in Marketing. If you want to learn more about Marketing Areas, then please read Set Up Marketing Areas for SAP Marketing Cloud.


Business Catalogs

The business catalogs are pre-delivered in SAP Marketing Cloud and each business catalog is associated with one or numerous business applications. Please refer to the following documentation to learn more: Business Catalogs for Business Scenarios.

If you want to add apps to the business catalogs, you can leverage the Custom Catalog Extensions functionality, which is described in the following CX Works article: Extensibility Overview for SAP Marketing Cloud. Business Catalogs available in your system can be seen in the Business Catalogs app in SAP Marketing Cloud:



In the details of each catalog, you can learn more about the business catalog, such as apps, restrictions, and more:



Business Catalog Groups

The following business groups come pre-delivered with SAP Marketing Cloud and are used to split catalogs (and underlying apps) on a functional level:


  • Marketing Manager
  • Marketing Expert
  • Agency
  • Admin


How to Deal With Changes After Upgrades

SAP Marketing Cloud comes with four upgrades per calendar year and each upgrade brings new functionality and apps. Some of the pre-delivered business catalog groups will be changed, added, or deprecated. Please read through the following documentation to learn what you should do: Changes to Business Groups, Tiles, and Business Roles.

Master and Derived Business Roles

International corporations with marketing teams spread across multiple subsidiaries may need to create business roles with access to the same functionality yet different data sets. Best practice is to define a business master role and derive further business roles by different restrictions. An example could be different business users who need to use the same Marketing Cloud apps, but need access to separate customer or segmentation data. Master and derived roles provide an easy way to map these use cases.

Where data visibility has to be strictly separated, the concept of master and derived business roles is the more efficient approach compared to setting up duplicate roles for each Marketing Area. Before setting up Marketing Areas, we recommend you to study the following article: Set Up Marketing Areas for SAP Marketing Cloud.

How to Create Master and Derived Business Roles

Let's have a look at an example: An international retailer plans their marketing strategy and related marketing activities (for example, campaigns) at the head office, while execution takes place through the national subsidiaries, which have their own marketing teams.  

The “Marketing Expert” role is therefore required both as a global role at headquarters with visibility of contact data at a global level, as well as for marketing experts at the subsidiaries, who use the same applications with restrictions on contact data for their country or region. This is a common requirement for many organizations, and can be set up as follows:


Through the Identity & Access Management group of tiles, the Business Roles Templates App can be launched to access pre-delivered role templates for SAP Marketing Cloud.



As of SAP Marketing Cloud's most recent release, there are 16 pre-delivered templates, which can be used to create business roles or master roles. In our example, we will use the Marketing Expert template and create a master role out of it.  First, we select the "Marketing Expert" template and click on "Create Business Role".



The Flag "Is Master Business Role" must be set, which triggers the label "Master Business Role". Business users who hold the marketing expert role on a global level at head office can now be assigned directly to the master role. On the master role level, it's possible to add additional business catalogs to the pre-delivered template. Furthermore, global restrictions can be maintained. Please note that all business catalogs and restrictions which have been maintained at master level can't be changed in derived roles. 



Restrictions should not be maintained at master role level. Otherwise, they can't be added to the derived roles. However, it's essential to change the permissions to "Restricted" for write and read access, even if the selection is left blank. Once business users, business catalogs, and restrictions are maintained, the master role can be saved and closed.



In the "Maintain Business Roles" app, derived roles can now be created by selecting the master role and clicking on "Created Derived Business Role". In this example, we will create a derived role "Marketing Expert DACH". 



The assigned business catalogs will be derived from the master role and cannot be changed. In the restrictions, however, additional values can be maintained to control data visibility for each country, marketing areas, segmentation objects, and more, for write and read authorizations. For more information about restrictions, please refer to the following documentation: Edit Restrictions in Marketing.



Once the derived business role has been created and restrictions have been maintained, the regional business users can be assigned.


Authorization Concept Proposal for SAP Marketing Cloud

When coming up with an authorization concept, the following three control dimensions should be considered:



The Functional Control can be configured and restricted through business roles as previously described in this article. The Data and Process Control can then be applied to the business role by configuring the restriction, for example, ‘Marketing Area’ and ‘Country for marketing contacts’. By combining the Access Control to business applications, data and process control, the business role represents a collection of privileges to access functions, data, and processes. This can be done using the application ‘Maintain Business Roles’.

During business user creation/maintenance, the privilege of the business user can be configured by assigning the business user to one or several business roles. This can also be done using the application ‘Maintain Business Users’.


It is crucial to document the authorization concept, for example, in an Excel spreadsheet (or any other format), before configuring SAP Marketing Cloud accordingly. Below, you will find a template which covers all three dimensions: functional control, data access control, and process control. 


Download the SAP Marketing Cloud Authorization Concept Template

You are free to use the following template for your project and adjust it to your specific needs:


Conclusion

In this article, you learned how to create and implement an authorization concept for your SAP Marketing Cloud solution. You should now be able to come up with an authorization concept based on the three dimensions (functional, data access, and process control). You also learned how to apply the concept in SAP Marketing Cloud by leveraging marketing areas, business roles, and business catalogs. Furthermore, the concept of master and derived business roles was explained. 

As a follow-up, we recommend that you look at the Marketing Area concept as well as the SAP Marketing Cloud help documentation:

If you are interested in learning more on whether you are utilizing the user authorization features of SAP Marketing Cloud correctly, we offer the following Technical Design Guidance service.