Many organizations want to manage the contacts that marketers and sales users have access to. Contact security, also known as Label-Based Access Control (LBAC), allows you to use labels to manage access to contacts in your database.
Note: Contact security is part of the Oracle Eloqua Security Administration Cloud Service and is included in the Standard and Enterprise trims. It is also included as part of the HIPAA Advanced Data Security Add-on Cloud Service and the Advanced Data Privacy Cloud Service.
With contact security, contacts and security groups are assigned labels. Security group members can then only access contacts that have the same labels as their security group.
Determining what labels are applied to which contacts depends on your current business processes and the needs of your organization. For example, you can create labels based on geographical region. After applying labels, you can ensure your marketing and sales teams can only access contacts from their region. You can apply labels in any combination.
Contact security is also honored in data exports, based on the Eloqua user that creates the export. That user is now added to the Data Export area. If you are using contact security, confirm that the user who creates the contact export has access to all required labels.
Note: To access this feature, administrator rights are required.
Labels and categories
All labels are categorized. This allows you to easily group labels based on your needs. For example, categorize labels by region or country. If your organization has divisions, sales organizations, channels, or user responsibilities, then you could categorize using that structure, and define labels for each division or channel. Learn more about creating categories and labels.
How to assign labels
You can assign one or more labels to security groups. Learn more about assigning labels to a security group.
Labels are assigned to contacts through a program created in the label assignment workflow canvas. This canvas functions similarly to the program canvas, but is specific to label-based access control. Contacts are pulled into the program by a data source step and labels are applied based on your program flow.
Note: You can use program builder to assign labels. However, it is recommended that you use the workflow canvas. It offers a more streamlined user interface and faster processing.
A label-based program can be designed in a number of ways. For example, you can use the Contact Creation listener step to listen for new contacts as they enter your database and process them in your program in near real-time.
Optionally, you can create a basic default label and assign it to only the administrator security group. As new contacts enter your database, Oracle Eloqua assigns them the default label. This restricts access to all new contacts until they are processed by your label assignment program. Learn more about assigning a default label.
How labels impact campaigns, programs, and segments
A campaign or program inherits the labels of the user who activates it. Only contacts that the activating user has access to can enter the campaign or program. If you need to activate a campaign as another user, use the run as user feature. Segment calculations reflect the contacts that the user has access to, so segment totals can differ between users.
For example, if a user with Security Label A activates a campaign, only contacts with Security Label A enter the campaign. However, if a user with Security Label B deactivates and reactivates the same campaign, all of the contacts with Security Label A are removed from the campaign and contacts with Security Label B enter the campaign. This ensures that a user cannot access contacts for whom they have no security rights.
How labels impact reports
Contact Security applies to any attribute in the Contact Folder, Integration Fields, and Custom Fields. You can view and interact with all data that is accessible based on your Contact Security settings.
After you implement labels, any contact-related report in Insight is limited to the contacts that a user can access. If you then drill through to a report that includes contact details, you will see only those contacts that you can access. This could result in differences between reports and between users. Every user will see the same information in the Dashboards regardless of their label setup.
Certain contact-based reports are still accessible with Contact Security enabled. For example, the Contact Field Value report is accessible with Contact Security and will only show total-level contact data. Any report or dashboard that shows total-level data will remain visible to customers with Contact Security enabled.
How labels impact apps
If the app is exporting the contacts, then the user that installs the app must be provided access to the contacts.
If the app is receiving data from Eloqua through the app's Notification URL, then the user that activates the canvas must be provided access to the contacts.
How labels impact the Bulk API
The user creating Bulk API export syncs must be provided access to the contacts.
Bulk API imports, including app feeder services, are not impacted by contact security.
Overall, there are a few general recommendations for enabling contact security for the first time:
- Keep it simple. We recommend no more than 2 or 3 categories when starting out.
- Define criteria for the division of contacts in advance, and set business rules within your own sales divisions (if applicable).
- Assign all labels to your administrator security group. This ensures that administrators can access the complete contact database and that all contacts can be processed by the label assignment program.
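The following is an added example, not part of the Oracle documentation. It audits a label configuration against three checks stated on this page: the administrator group holds every label, the default label is assigned only to the administrator group, and each export creator has all required labels. The data structures, names and sample values are constructed for illustration and assume one security group per user; nothing here is an Eloqua API.

```python
# Added illustration: audits a label configuration against checks stated on this page.
# All names and values are constructed samples; nothing here calls an Eloqua API.
# Assumption: each user belongs to exactly one security group.

ALL_LABELS = {"Region:EMEA", "Region:APAC", "Region:AMER", "Default"}
DEFAULT_LABEL = "Default"
ADMIN_GROUP = "Administrators"
GROUPS = {  # security group -> labels assigned to it
    "Administrators": {"Region:EMEA", "Region:APAC", "Default"},  # AMER missing
    "EMEA Marketing": {"Region:EMEA"},
    "APAC Sales": {"Region:APAC", "Default"},  # default label held by non-admins
}
USER_GROUP = {"admin.user": "Administrators", "emea.marketer": "EMEA Marketing"}
EXPORTS = [  # export name, creating user, labels on the contacts it must include
    ("Weekly EMEA export", "emea.marketer", {"Region:EMEA"}),
    ("Global export", "emea.marketer", {"Region:EMEA", "Region:APAC"}),
]


def audit(all_labels, groups, admin_group, default_label, user_group, exports):
    """Return a list of (rule, subject, labels) findings; empty means no gaps."""
    findings = []
    # Administrators should hold every label so they can reach all contacts.
    missing = all_labels - groups.get(admin_group, set())
    if missing:
        findings.append(("admin_missing_labels", admin_group, sorted(missing)))
    # The default label should be assigned to the administrator group only.
    for name in sorted(groups):
        if name != admin_group and default_label in groups[name]:
            findings.append(("default_label_exposed", name, [default_label]))
    # An export honors the labels of the user who created it.
    for export_name, creator, required in exports:
        held = groups.get(user_group.get(creator), set())
        gap = required - held
        if gap:
            findings.append(("export_creator_lacks_labels", export_name, sorted(gap)))
    return findings


if __name__ == "__main__":
    for rule, subject, labels in audit(ALL_LABELS, GROUPS, ADMIN_GROUP,
                                       DEFAULT_LABEL, USER_GROUP, EXPORTS):
        print(f"{rule}: {subject} -> {', '.join(labels)}")
```

An empty result means the sample configuration satisfies all three checks; each finding names the rule, the group or export concerned, and the labels involved.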