Who can use this feature?
- All roles with access level "high"
- Available to beta participants
Account permissions allow you to set up reusable permission sets for purposes of granting users access to varying subsets of accounts. Users can only access the accounts if they are granted permission (either as part of a user group or assigned individually).
Create a permission set
Once a permission set is applied (and account permissions are enabled), Catalyst will no longer display accounts outside of that permission set within search and link-backs for the relevant user(s) and/or group(s).
- Navigate to the Settings sidebar > Permissions.
- Click the Account Permissions tab at the top.
- Click Create Permission Set in the upper right corner.
- Assign a name (required) and description (optional).
- Choose the accounts that are included in the scope of the permission set:
- All Accounts: Grant access to all accounts in Catalyst. Before you enable account permissions, we recommend that you set up one permission set with access to all accounts, if you have users who should have access to everything.
-
Specific Accounts: Choose accounts using filters. Example: All accounts where
Region
isEMEA
. Once a filter is applied, Catalyst displays the number of matching accounts and a link to preview the records.
- Choose named user(s) or group(s) to apply this permission set to.
If a selected user or group is also named in another account permission set, these users will get access to all accounts that belong to at least restrictive of the permission sets assigned to them ("joined sets").
- Click Save.
Enable / disable account permissions
Enable account permissions when you're ready for the account permission sets to take effect. Users can only access accounts if they are granted permission.
Ensure you have a permission set defined for "All Accounts" if you have users who should have access to everything.
You can also disable account permissions to turn off all permission sets.
FAQ
Q: Are there any areas in the application when an account can be shown to a user who doesn't have access to it?
A: There are two known areas in the system when the account names can get exposed:
- Jira: The "associated accounts" column exposes account names, regardless of permission set.
- Engagement module: Emails sent to multiple accounts could show email addresses in the To/From/CC/BCC field but will not identify them as contacts.
Q: What should I consider when designing permission sets?
A: Generally speaking, there are several topics to keep in mind:
- Make sure that the fields you're using in the permission sets are visible (have read permissions assigned to them) to the affected users. These fields should not necessarily be available for everyone; however, if you limit the accounts available for "Andy" by "Region," then Andy needs to have at least read access to region field.
- Make sure every non-admin user has at least some permission set assigned to them, otherwise these users will have no access to *any* accounts.
- Administrators always have access to all accounts that exist in Catalyst.
Q: What happens when a user belongs to several user groups, and thus got assigned several different permission sets (some are overlapping, some are completely different)?
A: Such users will get access to all accounts that belong to at least restrictive of the permission sets assigned to them ("joined sets").