Scenario 2: Allows access to only some other employees' folders and objects
Your company has two business divisions, Eastern and Western, that do not share data between them. Within each division, people performing different jobs need to access the same objects (campaigns, offers, templates) but with differing permissions to act on these objects, depending on their job. Access is restricted both by the employees' roles within the organization and by their division.
Solution: Create a custom security policy for each division
Define two separate security policies, one for each division. Each policy has the roles and permissions appropriate for its division.
For most employees, assign roles within their division's policy only. Do not assign any role in the global policy. Create top-level folders that belong to each policy, to hold campaigns, offers, and so on. These folders are specific to each division. Users with roles in one policy cannot see the objects belonging to the other policy.
The default Owner and Folder Owner roles automatically allow users full permissions on the objects they create. The other roles you define can allow restricted access to the objects created by other users within the same division and policy.
For employees who need to work across both divisions (for example, the controller, cross-divisional managers, or the CEO), assign a role in the global policy and modify it if necessary to grant the desired permissions. Users with roles in the global policy can see the objects in both divisions.
The following table illustrates a subset of the roles and permissions you can configure for a division's security policy.
| Folder Owner role | Owner role | Manager role | Designer role | Reviewer role | |
|---|---|---|---|---|---|
| Campaigns |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Offers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|