• Use predefined permission sets to control access to Campaign Monitor for Salesforce.

  • Restrict what access users have within the Campaign Monitor application.

  • Define the data users see in Salesforce via sharing rules and client configuration.

For most companies when you first install the application only system administrators will have full access. They can however assign one of our two predefined permission sets to other Salesforce users. The standard permission set allows a user to see our application, the full permission set gives an additional settings tab.

There is a tab called Campaign Monitor which allows a person to access Campaign Monitor without leaving Salesforce, for most companies all Salesforce users are allowed to access Campaign Monitor without restriction. However, if you want to change that so some users see a restricted view then please review this Section.

The Campaign Monitor tab will connect/display as the Campaign Monitor user who initially connect the two systems. The Campaign Monitor connecting user can be found on the general settings tab within the sync page.  

Campaign Monitor for Salesforce includes custom objects to store Campaign Monitor data in Salesforce records.These obey standard Salesforce security and ownership rules. If you want a Salesforce user to have access to our application but want to control the records they see please check out this Section.

Adding a permission set

There are two types of permission set. Standard access which gives a user access to all features excluding settings. Full access which gives a user access to all settings as well as all features.

  1. In Salesforce go to the Campaign Monitor admin app.

  2. Click on the General settings tab.

  3. Then select User security.

  4. Search and select for the user(s) you want to assign the permission set to.

  5. Click the Edit permissions button.

  6. Select the Standard or full access option and click Assign permission set.

If you cannot see the Campaign Monitor app in Salesforce, you can manually add yourself to the permission set in Salesforce.

1. Setup, users, permission Sets.
2. Select Campaign Monitor full access manage assignments.
3. Add assignments.

Removing a permission set

  1. In Salesforce go to the Campaign Monitor admin app.

  2. Click on the General settings tab.

  3. Then select User security.

  4. Search and select for the user(s) you want to assign the permission set to.

  5. Click the Edit permissions button.

  6. Select the None and click Assign permission set.

If a user does not have access to either permission set then automation will not be triggered. So for example if a record is updated by a user who does not have a permission set our products triggers will not fire.

Access to the Campaign Monitor tab

The Campaign Monitor tab allows you to access Campaign Monitor as if you logged into the application directly (i.e. single sign on).

Salesforce users who have access to the tab will view it as the connected user which can be found via sync settings within our general settings tab. If you’d prefer a Salesforce user has a restricted view you can set an override user in Salesforce for that person.  
An override user is another Campaign Monitor user that has a different access to the connected user.  It is worth noting that you can link Salesforce users to the same user in Campaign Monitor. This avoids the need to setup lots of Campaign Monitor users.  In the context of the integration think of a Campaign Monitor user as a Salesforce profile.

Direct Campaign Monitor account
This is the most common type of Campaign Monitor account. The account can have one or more users linked to a Salesforce user to restrict what they can do in Campaign Monitor. See the section below on adding an override user.

Agency Campaign Monitor account
Some customers will either be part of a marketing agency, or a large company that uses this style of account. An agency account allows a company to have a parent Campaign Monitor client and linked sub clients beneath. In this case you may want to limit Salesforce users to a particular Campaign Monitor client and/or with limited permissions. Campaign Monitor's security model is quite different to Salesforce's. In terms of the integration you can think of a Campaign Monitor user more like a Salesforce profile. It is possible to create one Campaign Monitor user that has access to a client with either full, standard or custom permissions and link it to many Salesforce users.

Due to limitation on the Campaign Monitor API you will only see the administrator that setup the integration, we will not show other administrators.

The ideal setup is to have Campaign Monitor users created for each client in the agency that you need access to. Simply use the same email address when creating those users. They will then appear when linking Campaign Monitor users to Salesforce users.

Adding the override user

  1. In Salesforce go to the Campaign Monitor admin app.

  2. Click on the General settings tab.

  3. Then select User security.

  4. Search and select for the user(s) you want to assign the permission set to.

  5. Click the Link Campaign Monitor user button.

  6. Select the Campaign Monitor client.

  7. Select the Campaign Monitor user, if you don't have a user you can create one by clicking Create new Campaign Monitor user.
    If you don't see the Campaign Monitor user, check:
    a) they have the "Limit account access" checkbox checked (along with the extra permissions they need.)
    b) they are not an admin user (if using an Agency account).

  8. If you have selected a Campaign Monitor user or created a new one you just need to click the Link user button.

Records created within Salesforce are controlled by the Campaign Monitor client record. Adding a Salesforce user will assign the client and all related records.  This enables you to use Salesforce security controls to make records private or make visible to a group with sharing rules.

Restricting record access within Salesforce

When the primary sync runs, the Salesforce owner records created by the sync will be set to the connected user, you can see who this is via the general settings tab under sync settings.

The Salesforce record owner can be changed by going to a Campaign Monitor client record (usually there is only one, but if you have sub clients in Campaign Monitor there will be many) and entering a Salesforce username under the field named Salesforce user. This will then update the ownership of the Campaign Monitor client record and going forward will update related records:

  1. Subscriber list.

  2. Subscriber list member.

  3. Email tracking history.

If you would like this change to affect all related records then you need to perform a full refresh.

Salesforce site user

The Salesforce site user runs different permissions to a normal Salesforce user. If you are using the process builder with transactional emails or directly calling into sites from an external website, then you may need to perform the following steps:

  1. Click Setup.

  2. In the search box type in sites and then click on Sites.

  3. Click on the value under the site label (i.e. the name you gave to the site).

  4. Click on the button Public access settings (at the top of the page). This will open the profile for the site user.

  5. Click on the button Assigned users (sometimes called 'View Users').

  6. Click on the Full name (i.e. the name under the label - something like site guest user).

  7. Click on Permission set assignments.

  8. Edit assignments and add the Campaign Monitor for Salesforce set.

  9. This assigns the Campaign Monitor for Salesforce related objects (i.e. queue items).

Updating site user security settings is an advanced topic and requires a deep understanding of Salesforce security. See: Public access settings for sites.

Incorrectly setup site user security settings is a common cause for automatic subscriptions/subscriber rules not firing when the contacts or leads are being created via an external website.

If your code or transactional setup also writes to other Salesforce objects then the sharing settings need to be enabled for external access to the root object that is used by any transactional emails or your code (i.e. opportunity, account, contact):

  1. Navigate to security controls, then select sharing settings, finally click edit.

  2. Set default internal access and default external access to public read only (for contact, you typically need to do this at the account level).

If you have enabled tasks with transactional emails, you may also need to set the sharing settings for tasks (i.e. activity) to be controlled by parent.

In this article