Ensure that only the right people have access to personal data or specific Exponea module. Define dedicated persons, who can modify, view, export customer data and execute campaigns. Set separated access with the explicit purpose for each user either on a project or account level. To do this go to
Project settings >
Access management where you can select from the following access rights options:
Note that in each project there is a limit of 1000 users.
You can invite new users to your project and decide, which role is suitable for their work. They will have to accept your invitation. Until they do so, they will appear in the pending invitations. Do not worry if you accidentally invite someone as an administrator. Even if they should not have total access, you can still make changes to this while the invitation is still pending. Furthermore, you can also further refine their access after they have already accepted the invitation.
Administrators are able to decrease the risk of major mistakes and security breaches by carefully restricting the access of the users to perform only the tasks that they really need.
Once the user is in the project, you can adjust his/her project role by clicking on
edit. You can select multiple roles from a list of roles (some of which are described in the table below) predefined by Exponea or create your own custom roles.
You can assign multiple roles to each user by scrolling down his or her individual access permission set up and selecting
add role group. Then, in
project team you can see all individual roles and their descriptions under that person´s name.
The administrator can grant the user a temporary role by setting an expiration date in the user interface. Select the icon
Add expiration and select the exact day and time that the user´s role will expire. Expired roles are visible in the interface, but are not active and do not grant any permissions. We recommend setting expiration for highly sensitive roles, such as Admin roles and Personal Data Viewer.
There are 3 basic levels of roles: Viewer, Editor and Admin.
Then there are special complementary roles: Exporter, Publisher, Requester, Approver.
full access on data, objects and settings; a user can change settings that impact wider scope; manipulate customer consents; edit and delete data in bulk.
write and delete access; a user can modify and delete objects
execute access; a user can trigger action that may have an immediate impact on end customers or make objects publicly available (public sharing)
a user can export or download data from Exponea application
user can only approve specific actions
user can create a request
read-only access; a user cannot modify objects
Stand-alone role required
Each user must have at least one stand-alone role to be able to access the project. These would be roles like
Campaign Admin. If a user does not have any stand-alone role, for example, only being only a
Viewer, they will have a problem with logging into the project.
There are levels of roles with an increasing set of permissions. Higher-level roles inherit all permissions from lower ones and lower levels never allow functions from higher-level roles. For instance, while an Admin has access to all other functions, sole editors cannot publish or export from Exponea (they can only do the task they are assigned and abilities hierarchically beneath them).
To see which specific roles are inherited, find the role in
Access management ->
Exponea has a few predefined roles which you are assigned by default. You can read more about their function in the App itself (each role has a description written right next to it). Note, that those roles cannot be deleted or modified.
While there are roles predefined by Exponea, you can set up your own custom roles. Go into
+ Create custom role in the right top corner. Select
+ Add inherited role. Custom roles are stacked from predefined roles and inherit all their permissions and scope level.
When there is a team with the same responsibilities and permissions operating the Exponea application, we recommend creating a custom role. This custom role would inherit all required roles - then only this single role will be assigned to all team members. It would also be easier to see who is currently a member of this role on the Custom role's
Custom roles (user-defined) can be combined from multiple roles, but it's not possible to remove a permission from a particular role.
Project Safety and Permission Scope
Be aware of the hierarchy between Instance, Accounts, and Projects. Roles granted on a higher scope (account) are applied to all lower scopes (project). Similarly, if users operate on their own private instance, that instance has the highest hierarchy (instance -> account -> project)
For instance, if a user is granted "Analyses Viewer" on Account scope, the user will have "Analyses Viewer" in all projects under that Account.
This might be critical, as you might be granting Account rights to someone, who is supposed to see/edit one Project ONLY.
Roles assigned to users on an instance scope are applied to all accounts and projects within the instance. Roles assigned to users on account scope are applied to all projects within the account.
Access to private fields (personal data, PII) is granted by the special role "Personal Data Viewer". Exponea predefined roles never include this role. Personal Data Viewer must be granted explicitly or included in your custom roles.
When user roles are changed, there is a small delay before the new permissions are applied. Be aware that permission changes are not applied immediately – it may take up to 1 minute to propagate changes into all components. If you are still getting the error after waiting a few minutes and reloading the application, and you think you should have access/permissions for this action, please contact our support.
Updated 23 days ago