
Complete Data Separation between Child BUs

Salesforce Asked on October 4, 2021

We have 2 independent teams using the same MC Account. Each has its own child BU (A and B) and needs to be able to run automations, create AMPscript, run SSJS, etc.

The issue we are facing is that even after creating a custom role to be used by users in the Child BUs (A), they are still able to access the data that is used in the shared infrastructure of the Marketing Cloud solution. Specifically, creating a SQL or AMPscript such as "select X from ent_Subscribers" from the child BU (A) returns subscribers from another child BU (B). There are strict compliance requirements where the data in child BU B should not be identified (no PII). Note that we can block at the UI level using subscriber filters but this specific need is related to preventing access to the data via the backend.

We’ve spoken to a few support resources but there appears to be no way to completely block access to system data views from a child BU?

Has anyone had a similar use case and potential solution other than getting 2 separate MC Accounts?

2 Answers

Has anyone had a similar use case: Yes

I am aware there have been multiple occurrences of this topic in the partner ecosystem and have done research with some input by SF myself on it.

Is there a potential solution other than getting 2 separate MC Accounts? The consensus is: not at this time. According to all the research and inquiries with Salesforce done independently by the individual parties from the ecosystem, you can limit the UI, but you cannot enforce a hard data separation for AMPscript, SSJS, SQL without essentially making the system useless for actual work (even if you ban CloudPages and Automation Studio, think of all the places where e.g. AMPscript is allowed).

You will always have at least the All Subscribers list (ENT._Subscribers) accessible from Child BUs, even with SYSTEM_DATA_VIEWs business rule disabled. This was confirmed to me by Support.

Subscriber Filters, as you mention, only affect the UI. The same is true for Shared data extensions (sharing settings affect only the UI; sharing a DE for one BU means it's potentially accessible for all. You can verify this easily in a system with more than one child BU).

The only potential workaround seems to be Field Level Encryption, but you will have a hard time finding anyone who recommends that as a solution with a straight face. For starters about that topic, check this: Drawbacks of Marketing Cloud field level encryption?

Correct answer by Jonas Lamberty on October 4, 2021
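
The answer above says enterprise-level objects such as ENT._Subscribers stay reachable from child BU code, so what remains is reviewing what that code references. The following is an added example, not part of the original posts: a small audit that flags `ENT.`-prefixed references in SQL, AMPscript or SSJS source text. The asset inventory, its tuple layout and every asset and data extension name in it are constructed for illustration; how the source text is exported from the account is assumed and not shown.

```python
import re

# Matches ENT.<name> or ENT.[name with spaces], case-insensitive.
# The leading \b keeps words that merely end in "ent" (Segment.Id) from matching.
ENT_REF = re.compile(r"\bENT\.(\[[^\]]+\]|[A-Za-z0-9_]+)", re.IGNORECASE)

# Constructed sample inventory: (business unit, asset name, asset type, source text).
SAMPLE_ASSETS = [
    ("BU_A", "Daily_Segment", "sql",
     "SELECT SubscriberKey, EmailAddress FROM ENT._Subscribers WHERE Status = 'active'"),
    ("BU_A", "Welcome_Email", "ampscript",
     '%%[ SET @n = Lookup("ENT.Shared_Customers", "Name", "Id", @id) ]%%'),
    ("BU_A", "Local_Report", "sql", "SELECT JobID FROM _Sent"),
    ("BU_B", "Cleanup", "sql", "select x from ent.[Shared Master List]"),
]


def find_enterprise_refs(text):
    """Return the sorted, de-duplicated object names referenced via the ENT. prefix."""
    return sorted({m.group(1).strip("[]") for m in ENT_REF.finditer(text)})


def audit(assets):
    """Return one finding per (asset, enterprise-level object) pair for review."""
    findings = []
    for bu, name, kind, text in assets:
        for obj in find_enterprise_refs(text):
            # A leading underscore marks a system data view (as in ENT._Subscribers);
            # anything else is treated as a shared data extension or similar object.
            category = "data_view" if obj.startswith("_") else "shared_object"
            findings.append({"bu": bu, "asset": name, "type": kind,
                             "object": obj, "category": category})
    return findings


def assets_needing_review(assets):
    """Map each BU to the sorted names of its assets that touch enterprise-level data."""
    result = {}
    for f in audit(assets):
        result.setdefault(f["bu"], set()).add(f["asset"])
    return {bu: sorted(names) for bu, names in result.items()}


if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSETS):
        print(finding)
```

This only reports references for review; it does not block anything.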

Support should be able to block access to System Data Views from child BUs. Just request Support to disable the SYSTEM_DATA_VIEWS business rule for the MIDs of your Child BUs.

Answered by Eliot Harper on October 4, 2021
