Synchronized Data Extensions Data Access Updates for Business Units Query Activities

Salesforce is built from the ground up to protect your data and applications. As part of our our ongoing commitment to customer trust and security, we will be making changes to the logic around access to Synchronized Data Extensions through Query Activity. We will require that the Query Activity data access honors the same data access as what is enforced through the UI when Synchronized Data Extensions are visible in the Data Extensions tab in Contact Builder for a particular Business Unit. This enforcement will occur in the Spring 2023 release.

Changes being made:

This change impacts customers who are using the Multi-Org Account Configurations and leveraging Query Activity that references Marketing Cloud Synchronized Data Extensions (SDE). Today, Query Activities run at Enterprise can access all the SDEs in the organization including those ones created at Business Unit level. After this change is implemented, when SDEs are referenced in Query Activity, queries will enforce proper access permission and only allow access to SDEs visible to that Business Unit and this will also apply to Enterprise. 

Note that the access rules are determined by the tracking user in the Connected App integration. If Business Units or Enterprise share the same tracking user, the SDE’s will be shared among all the Business Units associated to that tracking user and all the Business Units will have access to them.

All synchronized data extensions are always created at the Enterprise level independent of where the Salesforce integration exists. When the integration is done only at Business Unit level, to be able refer to the synchronized data extension in queries, the ENT. prefix needs to be used. Note that the proper permissions will be enforced. In the case that the integration is done at the Business Unit level and the enterprise doesn’t have access to the synchronized data extension, the ENT. prefix needs to be used in the query but access from the enterprise won’t be allowed.

For more information on the configuration options access Multi-Org Account Configuration in Marketing Cloud Connect in Salesforce help. 
 

Accounts impacted:

The following customers are impacted by this change:

• Customers with a multi-org configuration who are referencing SDE’s in their Query Activities which crosses Business Units that do not share a Connected App tracking user. 
• Customers who are using ENT in the Query Activities to access Enterprise SDE’s within a Business Unit where the Connect App tracking user differs from the Enterprise to that Business Unit.