I am diving deeper into the Roles & Rights of a site that uses PP Tag Manager and Analytics. And I am puzzled…
Examples:
The “Edit” right is needed to give somebody the right to create a Custom Report. But the same right also gives the person the right to change everything in Tag Manager! Why are rights for the Tag Manager and Analytics in the same roles bucket?
If you want somebody to create a harmless segment or calc metric in PP, that person needs the Edit & Publish role. But that same right allows them to change and even Publish stuff in Tag Manager AND they can also completely edit (and destroy your Site Settings, e.g. toggle scroll depth tracking on without anybody noticing and thus increase your Events and bill manifold), change Session Settings, Privacy Settings (deactivate Consent Manager) etc…
The easiest quick-fix would be to allow people with “View” rights to at least create Custom Reports (but not share them with All). No harm can be done by creating a Custom Report. But with Tag Manager or Consent Manager, I can kill the website or destroy the whole tracking…
Let me try to help you here, because it is not as straightforward is you put it here.
Usually the roles of the ppl you add to the Platform are either Technical or not that technical.
A not technical person doesn’t need to have access to, for instance, the Tag Manager.
Therefore we have the option to enable / disable modules for every account you add to the instance, as seen here:
Did you notice that? Because in many cases that’s the key for user management.
Ah ok, I must have forgotten about that. Very confusing. That should be in the same place as rights & roles. To change a user’s permission, I now have to go to 2 places for everyone.
Still, somebody with Analytics access should be able to create segments without giving them the right to change the whole site settings…
Yeah, I know.
So many things to do, so little time… You must know the feeling
Truth is, it will not be changed in the near future, because there are more important and impactful task waiting to be completed.
Good thing you created a topic that will draw ppl to the explanation in case they have similar questions.
User management can never be detailed enough, thanks for pointing us to the details where the most confusion is about. It helps our team to improve it.
Apart from that, it seems impossible to see which group a user is part of. I have to go into each group and check the whole list. Or am I missing sth again?
Yes, you can check the ppl that are part of the group, not the other way around, you are correct.
Those users can have individual access to the different modules, so a user, having edit rights, can have access to either TM or Analytics, or both.
