Access Management

Ensure that only the right people have access to personal data or to specific Exponea modules. Define dedicated persons who can modify, view, and export customer data and execute campaigns. Give each user separate access with an explicit purpose, on either a project or an account level. To do this, go to Settings > Project settings > Access management, where you can select from the following access rights options:

📘

Project limit

Note that in each project there is a limit of 1000 users.

Role-based access control (RBAC)

You can invite new users to your project and decide which role is suitable for their work. They will have to accept your invitation. Until they do so, they will appear in the pending invitations. Do not worry if you accidentally invite someone as an administrator. Even if they should not have total access, you can still change this while the invitation is pending. Furthermore, you can also refine their access after they have accepted the invitation.

🚧

Administrators can decrease the risk of major mistakes and security breaches by carefully restricting users' access so that they can perform only the tasks they really need.

User interface

Once the user is in the project, you can adjust their project role by clicking on edit. You can select multiple roles from a list of roles predefined by Exponea (some of which are described in the table below) or create your own custom roles.

Here you can adjust the user's project role by selecting Role group

Assigning multiple roles

You can assign multiple roles to each user by scrolling down their individual access permission setup and selecting add role group. Then, in project team, you can see all individual roles and their descriptions under that person's name.

Temporary roles

The administrator can grant the user a temporary role by setting an expiration date in the user interface. Select the icon Add expiration and select the exact day and time that the user's role will expire. Expired roles are visible in the interface, but are not active and do not grant any permissions. We recommend setting expiration for highly sensitive roles, such as Admin roles and Personal Data Viewer.

Project roles naming

There are 3 basic levels of roles: Viewer, Editor and Admin.
Then there are special complementary roles: Exporter, Publisher, Requester, Approver.

Role type | Description
Admin | full access on data, objects and settings; a user can change settings that impact wider scope; manipulate customer consents; edit and delete data in bulk
Editor | write and delete access; a user can modify and delete objects
Publisher | execute access; a user can trigger action that may have an immediate impact on end customers or make objects publicly available (public sharing)
Exporter | a user can export or download data from Exponea application
Approver | user can only approve specific actions
Requester | user can create a request
Viewer | read-only access; a user cannot modify objects

🚧

Stand-alone role required

Each user must have at least one stand-alone role to be able to access the project. These would be roles like Admin, Editor, Campaign Admin. If a user does not have any stand-alone role, for example, being only a Viewer, they will have a problem with logging into the project.

There are levels of roles with an increasing set of permissions. Higher-level roles inherit all permissions from lower ones, and lower levels never allow functions from higher-level roles. For instance, while an Admin has access to all other functions, sole editors cannot publish or export from Exponea (they can only do the tasks they are assigned and use the abilities hierarchically beneath them).

To see which specific roles are inherited, find the role in Access management -> Roles.

📘

Exponea has a few predefined roles which you are assigned by default. You can read more about their function in the App itself (each role has a description written right next to it). Note that those roles cannot be deleted or modified.

Custom role

While there are roles predefined by Exponea, you can set up your own custom roles. Go into project -> roles -> + Create custom role in the top right corner. Select + Add inherited role. Custom roles are stacked from predefined roles and inherit all their permissions and scope level.

When there is a team with the same responsibilities and permissions operating the Exponea application, we recommend creating a custom role. This custom role would inherit all required roles, and then only this single role is assigned to all team members. It is also easier to see who is currently a member of this role on the Custom role's Members tab.

📘

Limitations

Custom roles (user-defined) can be combined from multiple roles, but it's not possible to remove a permission from a particular role.

❗️

Project Safety and Permission Scope

Be aware of the hierarchy between Instance, Accounts, and Projects. Roles granted on a higher scope (account) are applied to all lower scopes (project). Similarly, if users operate on their own private instance, that instance has the highest hierarchy (instance -> account -> project).

For instance, if a user is granted "Analyses Viewer" on Account scope, the user will have "Analyses Viewer" in all projects under that Account.

This might be critical, as you might be granting Account rights to someone who is supposed to see/edit one Project ONLY.

Roles assigned to users on an instance scope are applied to all accounts and projects within the instance. Roles assigned to users on account scope are applied to all projects within the account.

Access to private fields (personal data, PII) is granted by the special role "Personal Data Viewer". Exponea predefined roles never include this role. Personal Data Viewer must be granted explicitly or included in your custom roles.
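The scope and expiration rules above can be checked mechanically against a list of role assignments. The following is an added example, not Exponea code: the record layout, the sample users and projects, and the name-based test for "Admin roles" are all assumptions made for illustration. It expands instance and account grants to the projects they reach, ignores expired roles, and flags grants that are broader or longer-lived than this page recommends.

```python
from datetime import datetime, timezone

# Constructed sample data. The record layout is assumed for illustration,
# it is not an Exponea export format.
ACCOUNTS = {"acme": ["shop-eu", "shop-us"]}  # account -> its projects
ASSIGNMENTS = [
    {"user": "ana", "role": "Analyses Viewer", "scope": "account",
     "target": "acme", "expires": None},
    {"user": "ben", "role": "Campaign Admin", "scope": "project",
     "target": "shop-eu", "expires": None},
    {"user": "ben", "role": "Personal Data Viewer", "scope": "project",
     "target": "shop-eu", "expires": "2024-01-31T00:00:00+00:00"},
    {"user": "cy", "role": "Admin", "scope": "project",
     "target": "shop-us", "expires": None},
]

def is_active(a, now):
    """Expired roles stay listed but grant nothing."""
    return a["expires"] is None or datetime.fromisoformat(a["expires"]) > now

def projects_for(a, accounts):
    """Expand a grant to the projects it reaches (instance -> account -> project)."""
    if a["scope"] == "instance":
        return [p for ps in accounts.values() for p in ps]
    if a["scope"] == "account":
        return list(accounts.get(a["target"], []))
    return [a["target"]]

def effective_roles(assignments, accounts, now):
    """Map (user, project) -> set of roles currently in force there."""
    out = {}
    for a in filter(lambda x: is_active(x, now), assignments):
        for project in projects_for(a, accounts):
            out.setdefault((a["user"], project), set()).add(a["role"])
    return out

def is_sensitive(role):
    # Assumption: "Admin roles" are matched by name suffix.
    return role == "Personal Data Viewer" or role.endswith("Admin")

def findings(assignments, now):
    """Flag active grants that are broader or longer-lived than the page advises."""
    res = []
    for a in filter(lambda x: is_active(x, now), assignments):
        if a["scope"] != "project":
            res.append((a["user"], a["role"], "applies to every project below its scope"))
        if a["expires"] is None and is_sensitive(a["role"]):
            res.append((a["user"], a["role"], "sensitive role without expiration"))
    return res

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable
```

Role-to-role inheritance is not modelled here; the example treats each assigned role name as opaque.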

Troubleshooting

Error "Forbidden 403":

When user roles are changed, the new permissions are not applied immediately: it may take up to 1 minute to propagate changes into all components. If you are still getting the error after waiting a few minutes and reloading the application, and you think you should have access/permissions for this action, please contact our support.

Updated 23 days ago

