User Roles

Viewer Role

Users with Viewer role can:

• View.
• Compare snapshots.
• Submit Find jobs.
• Preview Restore jobs.
• Preview Anonymization templates and jobs.
• View Job History.
• Seeding - View seeding template configuration.
• Seeding - View seeding job status, seeding job reporting.
• Archive - Users can view the status and health of the Archive services in their Business Unit.

Read-Only Role

Users with Read-Only role can:

• View.
• Export and download data.
• Compare snapshots.
• Submit Find jobs.
• Preview Restore jobs.
• Preview Anonymization templates and jobs.
• View Job History.
• Seeding - View seeding template configuration.
• Seeding - View seeding job status, seeding job reporting, and download log files.
• Seeding - Export seeding template object hierarchy.
• Archive - Users can view the status and health of the Archive services in their Business Unit.

Seeder Role

Users with Seeder role can:

• Add, rename, and archive Sandbox services in their Business Unit
• Seeding - seed Sandboxes/non-Prod instances using templates of non-production data (meaning, those services having the service contains production data option unchecked).
  

  Note A Seeder user can only seed from a Production org into a sandbox destination, if they're using a seeding template that includes an anonymization template. In this scenario, their seed job uses the provided anonymization template to first anonymize the data defined in the seeding template and only then seeds the data.
  

  Note Likewise, a Seeder user can only seed from a non-production service, which is marked in Salesforce as containing production data, into a sandbox destination, if they're using a seeding template that includes an anonymization template. In this scenario, their seed job uses the provided anonymization template to first anonymize the data defined in the seeding template and only then seeds the data.
• Preview anonymization templates and Anonymize jobs

Developer Role

Users with Developer role can:

• Add, rename, and archive Sandbox services in their Business Unit
• Submit Restore jobs on Sandbox services
• Submit Anonymize jobs on Sandbox services
• Preview anonymization templates and Anonymize jobs
• Seeding:
  • Create, clone, edit and delete seeding templates of non-production data
  • Seed Sandboxes/non-Prod instances using templates of non-production data (meaning, those services having the service contains production data option unchecked)
    

    Note A Developer user can only seed from a Production org into a sandbox destination, if they're using a seeding template that includes an anonymization template. In this scenario, their seed job uses the provided anonymization template to first anonymize the data defined in the seeding template and only then seeds the data.
    

    Note Likewise, a Developer user can only seed from a non-production service, which is marked in Salesforce as containing production data, into a sandbox destination, if they're using a seeding template that includes an anonymization template. In this scenario, their seed job uses the provided anonymization template to first anonymize the data defined in the seeding template and only then seeds the data.
  • Export and import seeding template object hierarchy
• Archive:
  • Add, remove and edit services in their Business Unit
  • Import records from other services in their Business Unit

DevOps Role

Users with DevOps role can:

• Add and rename Sandbox services in their Business Unit.
• Submit Restore jobs on Sandbox services.
• Manage Anonymization templates and run anonymization jobs on sandbox services.
• Seeding - Create, clone, edit, and delete seeding templates.
• Seeding - Seed Sandboxes and non-production instances using templates of data.
• Seeding - Export and import seeding template object hierarchy.
• Archive - Add, remove and edit services in their Business Unit.
• Archive - Users will be able to import records from other services in their Business Unit.

Admins Role

Users with Admins role can:

• Add, rename, archive and delete services in the Business Unit they administer.
• Submit all Jobs on Production and Sandbox services.
• Access the Account Settings (Read-only mode).
• Add and remove users from Business Units they administer.
• Manage users and their roles in the Business Unit they administer.
• Manage services in the Business Unit they administer.
• Seeding - Create, clone, edit and delete seeding templates.
• Seeding - Seed Sandboxes and non-production using templates of data.
• Seeding - Export and import seeding template object hierarchy.
• Manage Anonymization templates and run anonymization jobs on sandbox services.
• Archive - Add, remove and edit services in their Business Unit.
• Archive - Users will be able to import records from other services in their Business Unit.
• Submit Data Privacy Requests.

Audit Viewer Role

Users with Audit Viewer role can view, filter, and export relevant audit logs, including:

• User logins and logouts.
• Jobs or reports viewed by users.
• On-demand backups.
• Creation of smart alerts.
• Data Privacy subject requests.
• Adding, deleting, and archiving services.
• Initiation of jobs for data restore, data compare, and replicate.

Note If the role is set at the Business Unit level, users can view only actions related to services under that Business Unit.

Note If the role is set at the account level, users can see actions for all Business Units in the account. They can also see more details like who logs in, who logs out, and what settings are set at the account level.

Security Admin Role

The Security Admin role manages account and security settings restricting access to sensitive data, such as backups or services ensuring data integrity.

Users with Security Admin roles can:

• Manage Advanced Key (Archive key management is excluded).
• Manage Account Settings.
• Manage Account Security Settings.
• Replace the Master Admin through the Master Admin’s actions.

Limitations:

• Can't manage Business Units (although BUs are visible, no action can be taken).
• Can't see audit logs related to services in the Audit tab.
• You can't update an existing user's role to Security Admin. To assign this role, remove the user and re-invite them as a Security Admin.
• The Security Admin role, like the Master Admin role, applies to the account level and not the region level. As a result, when adding a new Security Admin user, they cannot be assigned to a Business Unit.
• Once assigned to at least one region, the Security Admin can manage security settings for the whole account (since it impacts all the regions).
• To change a Security Admin user's role remove the user and re-add them with the desired role.

Master Admin Role

A Master Admin User can:

• Do anything that a Security Admin can, but can’t be demoted or deleted by a Security Admin.
• Manage Advanced Key, IP Restrictions.
• Do anything that an Admin can, but can’t be demoted or deleted by an Admin.
• Manage the Account Settings.
• Manage the Account Security Settings.
• Seeding - Create, clone, edit and delete seeding templates.
• Seeding - Seed to any instance using templates of data.
• Seeding - Export and import seeding template object hierarchy.
• Manage Anonymization templates and run anonymization jobs on sandbox services.
• Archive - Manage BYOK capabilities.
• Submit Data Privacy Requests.