Scenario 2: Company with multiple separate divisions

Your company has two business divisions, Eastern and Western, that do not share data between them. Within each division, people performing different functions need to access the same objects (campaigns, offers, templates), but with differing permissions to act on these objects, depending on their role.

Solution

Define two separate security policies, each with the appropriate roles and permissions. The roles in each security policy can be the same or different, depending on the needs of each division. Except for individuals who need to work across both divisions (for example, the controller, cross-divisional managers, or the CEO), assign each user to a role within only one policy. Do not assign any role to the users in the global policy. For users that work across both divisions, assign them a role in the global policy and grant them the desired permissions.

Create top-level folders that belong to each policy, to hold campaigns, offers, and so on. These folders are specific to each division. Users with roles in one policy cannot see the objects belonging to the other policy.

The following tables show only a sample subset of the possible object permissions in Campaign.

Eastern Division Security Policy

Functions/Role	Folder Owner	Object Owner	Manager	Designer	Reviewer
Campaigns
Add Campaigns
Edit Campaigns
Delete Campaigns
View Campaign Summary
Offers
Add Offers
Edit Offers
Delete Offers
View Offer Summary

Western Division Security Policy

Functions/Role	Folder Owner	Object Owner	Manager	Designer	Reviewer
Campaigns
Add Campaigns
Edit Campaigns
Delete Campaigns
View Campaign Summary
Offers
Add Offers
Edit Offers
Delete Offers
Add Campaigns