Access Management

To protect your data from unauthorized access, Bloomreach Engagement has developed Role-based access control. With the access minimization principle in mind, this system allows you to make sure that only the right people have access to personal data or specific modules.

With Bloomreach Engagement, you can define and manage dedicated persons with specific permissions, such as to modify, view, or export customer data and execute campaigns. You can set separate access with the explicit purpose for each user either on a project or account level.

To do this, go to Settings > Project settings > Access management, where you can select, assign, and modify specific access rights.


Project limit

Note that in each project there is a limit of 1000 users.

Role-based access control (RBAC)

Role-based access control groups small sets of certain permissions and accesses under "roles" that can be assigned to team members by the Admin. This way, administrators are able to decrease the risk of major mistakes and security breaches by carefully restricting the access of the users to perform only the tasks that they really need.

Inviting a new project member

You can invite new users to your project and decide which role is suitable for their work. They will have to accept your invitation, and until they do so, they will appear within pending invitations.

You can make changes to the specific role and permissions while the invitation is pending, and you can further refine user accesses even after the invitation has been accepted. Thus, do not worry if you accidentally invite someone with an incorrect role or permissions, as the role can be changed anytime by the Project Administrator.

Configuring permissions

Once the user is in the project, you can adjust their project role by hovering over their name and clicking on the Edit button on the right side in the Project team tab. Here, you can select multiple roles from a list of roles (some of which are described in the table below). There are several roles predefined by Bloomreach Engagement, and you can also create your own custom roles to suit your specific needs.

Assigning multiple roles

You can assign multiple roles to each user by scrolling down their individual access permission setup and selecting add role group. Then, in project team, you can see all individual roles and their descriptions under that person's name.

Temporary roles

The administrator can grant the user a temporary role by setting an expiration date in the user interface. Select the icon Add expiration and select the exact day and time that the user's role will expire. Expired roles are visible in the interface, but are not active and do not grant any permissions. We recommend setting expiration for highly sensitive roles, such as Admin roles and Personal Data Viewer.


Roles naming and hierarchy

There are several access roles in Bloomreach Engagement out of the box. To make it easy for you to quickly understand the scope of the role, all of them abide by the following naming convention: the first word or two represents the section of the application, and the latter the extent of the permission.

When it comes to the extent of the permission, there are 3 basic levels of roles with an increasing set of permissions, creating a kind of hierarchy of roles. Higher-level roles inherit all permissions from lower ones, and lower levels never allow functions from higher-level roles. For example, while an Admin has access to all other functions, Editors alone cannot publish or export from Bloomreach Engagement (they can only perform the tasks assigned to their role and those of the roles hierarchically beneath it). All standalone roles follow this hierarchy and naming.

Admin: has full access to data, objects, and settings; can change settings that impact wider scope; can manipulate customer consents; can edit and delete data in bulk.
Editor: has write and delete access; can modify and delete objects.
Publisher: has execute access; can trigger an action that may have an immediate impact on the end customers or make objects publicly available.
Exporter: can export or download data from the Bloomreach Engagement application.
Approver: can only approve specific actions.
Requester: can create a request.
Viewer: read-only access; cannot modify objects.

Predefined roles

There are several predefined standalone and non-standalone roles that come out of the box and that can be assigned to the members/users of your project. All standalone roles follow the naming and hierarchy of roles described above. In addition to those, there are several non-standalone roles set up by Bloomreach Engagement that allow access to specific actions. Remember, a user can have multiple roles assigned, but each user must have at least one stand-alone role to be able to access the project. The following is the list of all predefined roles in Bloomreach Engagement.

Project Admin: Has full access to everything in projects; has full access to the project access management; can edit customer data - including consents.
Project Developer: Has full access to imports, catalogs, and integrations; can change selected project settings; can view customer data.
Analyses Viewer: Can view all analyses.
Analyses Editor: Can view, edit, and delete all analyses; can edit customer data - excluding consents.
Analyses Exporter: Can view and export all analyses.
Campaigns Viewer: Can view Campaigns and their evaluations.
Campaigns Editor: Can view, edit, and delete Campaigns; can edit customer data - excluding consents.
Campaigns Admin: Has full access to Campaigns (can view, edit, delete, start and stop all Campaigns; can edit running Campaigns; can change Campaigns settings); can edit customer data.
Customer Data Exporter: Can export customer data in bulk.
Personal Data Viewer (flag): Has view access to private fields (personal data, PII).
Project User (Legacy): Can open project and view customer data.
Exports Module Admin: Has full access to setup Exports of customer data including PII.
Technical Support: Has roles: Analyses Editor and Analyses Exporter, Campaigns Admin and Customer Data Exporter.
IAM Admin: Role allows administration of Identity and Access Management (Roles, Policies and Service Accounts).
Temporary Access Approver: Can approve temporary access requests.
Email Campaigns Editor: Can view, edit and delete Email Campaigns.
Email Campaigns Publisher: Can view, edit, delete and publish Email Campaigns.
Email Campaigns Viewer: Can view Email Campaigns and their evaluations.
Weblayers Editor: Can view, edit and delete Weblayers.
Weblayers Publisher: Can view, edit, delete and publish Weblayers.
Weblayers Viewer: Can view Weblayers and their evaluations.
Experiments Editor: Can view, edit and delete Experiments.
Experiments Publisher: Can view, edit, delete and publish Experiments.
Experiments Viewer: Can view Experiments and their evaluations.


Access to private fields (personal data, PII) is granted by the special role "Personal Data Viewer". Bloomreach Engagement predefined roles never include this role. Personal Data Viewer must be granted explicitly or included in your custom roles.

To read more about the roles and see which specific roles are inherited, find the role in Access management -> Roles.


Stand-alone role required

Remember that each user must have at least one stand-alone role to be able to access the project. If a user does not have any stand-alone role, for example, only being a Personal Data Viewer, they will have problems logging into the project.

Instance level roles

Bloomreach Engagement offers three main types of instances for your projects: shared, private and exclusive instance. These contain different features and configurations of data layers. In each of these instances, data is separated and access management is enabled to ensure your security. You can learn more about our Security architecture in its separate article.

What is important for Access management is that the additional layers of security within the more sophisticated types of instances, such as the private or exclusive instance, require some additional roles and accesses or permissions compared to the shared instance. For projects running on a private instance, there are these additional roles, as described in the table below.




Super Admin: Has full access to all accounts (Account Admin), projects (Project Admin) and customer data (including PII); has full access to instance specific settings; has full access to instance access management.
Sales (Legacy): Will be added shortly
Temporary Access Requester: Can request a temporary access.
Instance Manager: Has full access to all accounts (Account Admin), projects (Project Admin) and customer data (including PII); has full access to instance specific settings.
AccessLockedProjects (flag): Will be added shortly
DebugImf (flag): Will be added shortly
OverrideSqlAccess (flag): Will be added shortly
ListAllProjects (flag): Will be added shortly



Project Safety and Permission Scope

Be aware of the hierarchy between Instances, Accounts, and Projects. Roles granted on a higher scope (account) are applied to all lower scopes (project). Similarly, if users operate on their own private instance, that instance has the highest hierarchy (instance -> account -> project).

For example, if a user is granted "Analyses Viewer" on Account scope, the user will have "Analyses Viewer" in all projects under that Account.

This might be critical, as you might be granting Account rights to someone who is supposed to see/edit one Project ONLY.

Roles assigned to users on an instance scope are applied to all accounts and projects within the instance. Roles assigned to users on account scope are applied to all projects within the account.
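
The scope inheritance described here, together with the earlier rules on temporary roles and the stand-alone role requirement, can be checked in a periodic access review. The script below is an added example, not Bloomreach code: the Grant record, the account and project names, and the sample data are hypothetical, and the set of non-stand-alone roles is an assumption that contains only the one role the page names.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

class Grant(NamedTuple):            # hypothetical record of one role assignment
    user: str
    role: str
    scope: str                      # "instance", "account" or "project"
    target: str                     # account or project the grant is made on
    expires: Optional[datetime]     # None = no expiration set

# Named on the page as not stand-alone; assumed incomplete, extend from Access management -> Roles.
NON_STANDALONE = {"Personal Data Viewer"}

def is_sensitive(role):
    # The page recommends expiration for Admin roles and Personal Data Viewer.
    return role.endswith("Admin") or role == "Personal Data Viewer"

def active(g, now):
    return g.expires is None or g.expires > now   # expired roles grant nothing

def effective_roles(grants, user, account, project, now):
    """Roles in force for user in project: instance -> account -> project."""
    return {g.role for g in grants if g.user == user and active(g, now) and (
        g.scope == "instance"
        or (g.scope == "account" and g.target == account)
        or (g.scope == "project" and g.target == project))}

def review(grants, account, project, now):
    findings = []
    for g in filter(lambda g: active(g, now), grants):
        if is_sensitive(g.role) and g.expires is None:
            findings.append((g.user, f"{g.role}: no expiration set"))
        if g.scope != "project":
            findings.append((g.user, f"{g.role}: granted on {g.scope} scope"))
    for user in sorted({g.user for g in grants}):
        roles = effective_roles(grants, user, account, project, now)
        if roles and roles <= NON_STANDALONE:
            findings.append((user, "only non-stand-alone roles in this project"))
    return findings

UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE = [  # constructed sample data
    Grant("ana", "Analyses Viewer", "account", "acct-1", None),
    Grant("bo", "Personal Data Viewer", "project", "proj-a", datetime(2024, 7, 1, tzinfo=UTC)),
    Grant("cy", "Project Admin", "project", "proj-a", None),
    Grant("di", "Campaigns Admin", "project", "proj-a", datetime(2024, 5, 1, tzinfo=UTC)),
    Grant("di", "Campaigns Viewer", "project", "proj-a", None),
]
```

Calling review(SAMPLE, "acct-1", "proj-a", NOW) returns the findings for that project; an account-scope grant such as ana's also shows up in effective_roles for every other project under acct-1.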

Custom role

While there are roles predefined by Bloomreach Engagement, you can set up your own custom roles. This allows you to add and combine several inherited roles to create a single role that would suit your specific needs. In other words, custom roles are stacked from predefined roles and inherit all their permissions and scope level.

To do so, go to project -> roles -> + Create custom role in the top right corner. Select + Add inherited role.

When there is a team with the same responsibilities and permissions operating the Bloomreach Engagement application, we recommend creating a custom role. This custom role would inherit all required roles, allowing you to then assign only this single role to all team members. Furthermore, this makes it easier to see who is currently a member of this role on the Custom role's Members tab.



Custom roles (user-defined) can be combined from multiple roles, but it's not possible to remove a permission from a particular role.


Error "Forbidden 403"

When user roles are changed, the new permissions are not applied immediately: it may take up to 1 minute to propagate the changes into all components. If you are still getting the error after waiting a few minutes and reloading the application, and you think you should have access/permissions for this action, please contact our support.