Permissions
Provide Salesforce users access to Campaign Monitor for Salesforce.
Use predefined permission sets to control access to Campaign Monitor for Salesforce.
Restrict what access users have within the Campaign Monitor application.
Define the data users see in Salesforce via sharing rules and client configuration.
video overview
Upon initial installation of our product, access is restricted to system administrators by default. While it is possible to modify this during the installation process, we advise against it. For enhanced security and functionality, it's best to assign one of our predefined permission sets to other Salesforce users after installation. These permission sets offer flexibility, allowing you to grant or restrict access as needed.
For a deeper understanding of permission sets, please continue reading.
We've rigorously tested our application with Salesforce's standard user profiles who have our permission sets assigned. Our permission sets are tailored to provide all necessary access to our integration. However, be aware that custom or limited profiles might lack access to certain platform features that our application leverages, which is common for all third-party Salesforce apps.
For our integration to work correctly Salesforce users need to be assigned one of our permission sets. We have several permission sets which can be assigned for different scenarios.
There is a tab called Campaign Monitor which allows a person to access Campaign Monitor without leaving Salesforce, for most companies all Salesforce users are allowed to access Campaign Monitor without restriction. However, if you want to change that so some users see a restricted view then please review this Section.
The Campaign Monitor tab will connect/display as the Campaign Monitor user who initially connect the two systems. The Campaign Monitor connecting user can be found on the general settings tab within the sync page.
Campaign Monitor for Salesforce includes custom objects to store Campaign Monitor data in Salesforce records.These obey standard Salesforce security and ownership rules. If you want a Salesforce user to have access to our application but want to control the records they see please check out this Section.
It is important than when connecting Campaign Monitor to Salesforce the user has full access permissions. This article explains how Campaign Monitor permissions work - https://help.campaignmonitor.com/permission-settings
Permission Sets
Limited Access
This set provides access to our objects and allows code and triggers to run. It does not allow the user to see any part of our product in Salesforce. This is useful if you want users that are edit or adding Salesforce records but don't need to see Campaign Monitor for Salesforce.
Standard Access
This set is similar, and gives all the features above, to the limited permission set but gives the user access to also see our application .
This is the most popular permission set for people that want to use our application but that should not have access to our Admin app which allows you to make changes to settings.
Full Access
This set is the same as standard but it also gives access to our Campaign Monitor for Salesforce Admin App. This allows a user to make various setting changes.
Guest Access
Salesforce as of Spring 21 have made significant security changes to how the Salesforce Guest User accounts work. This set is specially designed so that you can apply it against Salesforce Guest Access users.
Salesforce platform users are generally not supported due to their limited license type. Platform user lack access to standard Salesforce marketing features and objects. This means automation, for example our import wizard, will not run under that user type.
Adding a permission set
In Salesforce go to the Campaign Monitor admin app.
Click on the General settings tab.
Then select User security.
Search and select for the user(s) you want to assign the permission set to.
Click the Edit permissions button.
Select the Standard or full access option and click Assign permission set.
If you cannot see the Campaign Monitor app in Salesforce, you can manually add yourself to the permission set in Salesforce.
1. Setup, users, permission sets.
2. Select Campaign Monitor full access manage assignments.
3. Add assignments.
Removing a permission set
In Salesforce go to the Campaign Monitor admin app.
Click on the General settings tab.
Then select User security.
Search and select for the user(s) you want to assign the permission set to.
Click the Edit permissions button.
Select the None and click Assign permission set.
If a user does not have access to either permission set then automation will not be triggered. So for example if a record is updated by a user who does not have a permission set our products triggers will not fire.
Security Rules
Security rules allows you to automate managing Campaign Monitor for Salesforce Permission Sets based on Salesforce profiles.
The rules will automatically add and remove Salesforce users from the permission sets by using the Run & schedule button. This will run the rules instantaneously and schedule them to be run in the background every 12 hours.
The common use case for this is to automatically assign the Limited access permission set to general Salesforce users who don't need to directly interact with Campaign Monitor. The Limited Access permission set allows Salesforce users to access to the underlying processes required to perform actions such as renaming an email and have it reflect in Campaign Monitor, or push field mappings to Campaign Monitor - but without seeing any Campaign Monitor screens within Salesforce.
When you create a security rule it is will both add Salesforce user records that meet the criteria and remove the ones that don't.
Access to the Campaign Monitor tab
The Campaign Monitor tab allows you to access Campaign Monitor as if you logged into the application directly (i.e. single sign on). Salesforce users who have access to the tab will view it as the connected user which can be found via sync settings within our general settings tab.
If you’d prefer a Salesforce user has a restricted view you can set an override user in Salesforce for that person. An override user is another Campaign Monitor user that has a different access to the connected user. It is worth noting that you can link Salesforce users to the same user in Campaign Monitor. This avoids the need to setup lots of Campaign Monitor users. In the context of the integration think of a Campaign Monitor user as a Salesforce profile.
To do this first go to user security settings.
From here select one or more users then click the Link Campaign Monitor User button. Once clicked first select the Campaign Monitor client then the user within that client you want to link to, finally click Link User.
Direct Campaign Monitor account
This is the most common type of Campaign Monitor account. The account can have one or more users linked to a Salesforce user to restrict what they can do in Campaign Monitor. See the section below on adding an override user.
Agency Campaign Monitor account
Some customers will either be part of a marketing agency, or a large company that uses this style of account. An agency account allows a company to have a parent Campaign Monitor client and linked sub clients beneath. In this case you may want to limit Salesforce users to a particular Campaign Monitor client and/or with limited permissions. Campaign Monitor's security model is quite different to Salesforce's. In terms of the integration you can think of a Campaign Monitor user more like a Salesforce profile. It is possible to create one Campaign Monitor user that has access to a client with either full, standard or custom permissions and link it to many Salesforce users.
Due to limitation on the Campaign Monitor API you will only see the administrator that setup the integration, we will not show other administrators.
The ideal setup is to have Campaign Monitor users created for each client in the agency that you need access to. Simply use the same email address when creating those users. They will then appear when linking Campaign Monitor users to Salesforce users.
Subscriber rules
Subscriber rules are built using standard Salesforce triggers and Apex code. Salesforce requires users to have permission to fire triggers and execute Apex code. The key point is if you have set up subscriber rules, all users should have one of our permission sets so that they can trigger correctly.
This also applies if you have one or more guest site users they will also need permissions for our code to run. The guest site user is a special type of Salesforce user generally linked to a force.com site or application that uses force.com. Like other users, it can create or update Salesforce records. To help we have created a special permission set Campaign Monitor - Guest Access which can be assigned to Salesforce guest site users. For more information please click here.
Adding the override user
In Salesforce go to the Campaign Monitor admin app.
Click on the General settings tab.
Then select User security.
Search and select for the user(s) you want to link to.
Click the Link Campaign Monitor user button.
Select the Campaign Monitor client.
Select the Campaign Monitor user, if you don't have a user you can create one by clicking Create new Campaign Monitor user.
If you don't see the Campaign Monitor user, check:
a) they have the "Limit account access" checkbox checked (along with the extra permissions they need.)
b) they are not an admin user (if using an Agency account).If you have selected a Campaign Monitor user or created a new one you just need to click the Link user button.
Records created within Salesforce are controlled by the Campaign Monitor client record. Adding a Salesforce user will assign the client and all related records. This enables you to use Salesforce security controls to make records private or make visible to a group with sharing rules.
Salesforce Security Owner
The Salesforce Security Owner can be found on sync settings page as illustrated below. This the Salesforce user that will become the record owner for the Campaign Monitor records we create in Salesforce. If you need to change the Salesforce security owner please click on the dropdown and select change user. This change will only affect new records, you can however run a full sync which will update all records.
If you have more than one Campaign Monitor client you can choose a Salesforce Security Owner for each. Record ownership can be used in standard Salesforce security for example you could make our subscriber list, subscriber list membership and email tracking history objects private. This would mean only the record owner (Salesforce Security Owner) can see the Salesforce records. Access to other users can be given using Salesforce standard sharing settings.
Sharing Settings
With the record owner settings updated you just need to use standard Salesforce Sharing settings. Start by making the following objects private:
1. CM Client
2. Campaign Monitor Campaign
3. CM Subscriber List
4. Subscriber List Member
5. Email Tracking History
6. Suppression List
7. Smart Email
Once private only the record owner will see them. You can allow other Salesforce users access via sharing rules.
Salesforce security and sharing rules our standard features and outside of the support we provide.
Salesforce site user
External security is a complex topic and may require assistance from your Salesforce admin or one of our partners.
As of Spring 21, Salesforce are making potentially breaking changes to how Guest access works. By default the guest user can no longer update or delete rows in Salesforce. You can read more on this via their support site: Guest User Security Policies and Timelines
The Salesforce site user runs different permissions to a normal Salesforce user. If you are using the process builder with transactional emails or directly calling Salesforce from an external website (using Sites), then you may need to assign the site user our Campaign Monitor - Guest Access permission set.
The Guest Access permission set can be added via the User Security screen (see: Adding a permission set).
Alternatively, you can manually add the permission set using the steps below.
Click Setup.
In the search box type in sites and then click on Sites.
Click on the value under the site label (i.e. the name you gave to the site).
Click on the button Public access settings (at the top of the page). This will open the profile for the site user.
Click on the button Assigned users (sometimes called 'View Users').
Click on the Full name (i.e. the name under the label - something like site guest user).
Click on Permission set assignments.
Edit assignments and add the Campaign Monitor - Guest Access permission set (this permission set only allows creation of new records and reading of some records).
This assigns the Campaign Monitor for Salesforce related objects (E.g. queue items).
As of Spring 21, triggering automatic subscriptions/subscriber rules via a guest user may not work in some cases (given update and delete are no longer supported).
If your code or transactional setup also read and writes to other Salesforce objects then the sharing settings need to be enabled for external access to the root object that is used by any transactional emails or your code (i.e. opportunity, account, contact):
Navigate to security controls, then select sharing settings, finally click edit.
Set default internal access and default external access to public read only (for contact, you typically need to do this at the account level).
If you have enabled tasks with transactional emails, you may also need to set the sharing settings for tasks (i.e. activity) to be controlled by parent.
