Walkthrough: Automating Pardot (MCAE) Business Unit Access with User Access Policies

by brandonin Education, Management, Pardoton Posted on

Managing Marketing Cloud Account Engagement (Pardot) access—especially across multiple Business Units—is one of the most common pain points for Salesforce admins. User Access Policies solve this by automatically granting permission sets and Business Unit access based on user criteria, eliminating manual assignments and reducing security risk.

This walkthrough shows how to configure a User Access Policy that automatically grants Pardot Business Unit access using:

  • A clear detection criteria (ex: “Marketing User”)
  • Automated assignment of required MCAE permission sets
  • Automated assignment of Marketing Cloud Next (MCN) permission sets
  • Automated Public Group membership for Business Unit access

Step 1: Define the Access Strategy (Before You Click Anything)

Before building the policy, define your access model clearly.

Example Strategy

  • Who should get Pardot access?
    • Users who are marketing team members
  • How do we identify them?
    • Marketing User checkbox field on User = TRUE
    • (Optional) A custom profile: MCAE – Marketing User
  • What access should they receive?
    • Core MCAE permission sets
    • Required MCN permission sets (Recommended if you plan to enable MCN features for MCAE customers)
    • Membership in a Public Group tied to a specific Pardot Business Unit

This approach ensures least-privilege access and makes onboarding fully automatic.

Step 2: (Optional) Create a Marketing-Specific Profile

While profiles are no longer best practice for feature access, they can still be useful as a high-level access indicator.

Optional Profile Example

  • Profile Name: MCAE – Marketing User
  • Purpose:
    • Baseline Salesforce access
    • Used as a filter in User Access Policies

💡 If you prefer not to use profiles, you can rely entirely on a custom user field (recommended for flexibility).

Step 3: Create a User Criteria Field (Marketing User Flag)

To make automation reliable and scalable, create a custom User field.

Example

  • Field Type: Checkbox
  • Field Label: MCAE User
  • API Name: MCAE_User__c

This field becomes your single source of truth for:

  • Pardot access
  • Business Unit assignment
  • Future marketing-related automations

Step 4: Identify Required Permission Sets for MCAE Access

Required Permission Sets for Account Engagement (Pardot)

To access Account Engagement, users must have one of the following permission sets:

  • Sales Cloud User
  • CRM User
  • Service Cloud User

To access the Account Engagement Lighting App, include:
✅ Account Engagement User

Optional:
Include B2BMA Access with the following Permission sets: https://help.salesforce.com/s/articleView?id=mktg.pardot_b2bma_assign_permissions.htm&type=5

These permission sets must be included in your User Access Policy, or users may appear in Salesforce but fail to sync correctly with Account Engagement.

Step 5: Identify Required MCN (Marketing Cloud Next) Permission Sets

Marketing Cloud Account Engagement users can now leverage Marketing Cloud Next (MCN) features. In order for MCAE users to take advantage, they’ll need access to the proper permissions for MCN.

From Salesforce documentation, MCN permission sets typically include:

  • Marketing Cloud standard access permission sets
  • Identity and user sync permissions
  • Cross-cloud access permissions

📘 Reference: MCN Permission Set Setup
https://help.salesforce.com/s/articleView?id=mktg.mktg_admin_permissions_ref.htm&type=5

Step 6: Create and Assign an Account Engagement CMS Permission Set (Required for Salesforce CMS Content – New Email & Landing Page Builders)

If your marketing users will create or manage emails, landing pages, and content assets in Account Engagement Lightning Experience, they must have Salesforce CMS permissions. These permissions are not fully covered by standard MCAE permission sets and should be handled explicitly.

Automating this step with User Access Policies ensures that:

  • Content creators can work immediately
  • CMS access is consistent across users
  • Admins don’t need to troubleshoot missing CMS permissions later

Key Permissions for Salesforce CMS in Account Engagement

Essential for Basic CMS / Content Use

These permissions allow users to see, create, and use CMS-backed content in Account Engagement (AEP):

  • Account Engagement User (Standard Permission Set)
    Provides foundational access to the Account Engagement Lightning App.
  • CMS Channels & CMS Workspaces (Object Permissions)
    Required to see and use CMS tabs inside AEP.
  • Access Drag and Drop Content Builder
    Required to build emails and landing pages.
  • Manage Email Content
    Required to create, edit, and manage email assets.

For Advanced or Admin-Level CMS Capabilities

These are optional and should be limited to trained users:

  • Create CMS Workspaces and Channels
    Allows non-admins to create new CMS workspaces and channels.
  • View Setup and Configuration
    Enables deeper setup and troubleshooting access.

To Enable CMS File Copying (AEP → CMS)

If users need to copy assets from Account Engagement into Salesforce CMS:

  • Copy to CMS Functionality
    Requires permissions in the Account Engagement UI that allow transferring files to CMS.

This is especially important for teams standardizing content across:

  • Marketing emails
  • Experience Cloud
  • Sales enablement content

How to Set It Up

1. Create a Custom Permission Set

Navigate to:
Setup → Permission Sets → New

  • Label: AE CMS Content Manager
  • License: None (or Salesforce, depending on org setup)

2. Assign Object Permissions

In the permission set:

Object Settings

  • CMS Channels
    • Read, Create, Edit, Delete
  • CMS Workspaces
    • Read, Create, Edit, Delete

3. Enable App Permissions

Go to App Permissions and enable:

  • Access Drag and Drop Content Builder
  • Manage Email Content
  • Activate Email for Automation (if required by your org)

4. Assigned Apps

Ensure access to:

  • Account Engagement Lightning App
  • Salesforce CMS
    (Found under Digital Experiences)

Automate This with the User Access Policy

Add the AE CMS Content Manager permission set to the same User Access Policy that:

  • Detects Marketing_User__c = TRUE
  • Assigns MCAE and MCN permission sets

This ensures:

  • Every marketing user can create content
  • CMS access is provisioned automatically

Step 7: Create a Public Group for the Pardot Business Unit

Account Engagement Business Unit access is controlled via Public Groups.

Example

  • Public Group Name: Pardot – EMEA Business Unit
  • Purpose:
    • Determines which Business Unit the user can access
    • Used by the Salesforce–Pardot Connector for user sync

📘 Reference: User Sync & Public Group Considerations
https://help.salesforce.com/s/articleView?id=mktg.pardot_sf_connector_setup_user_sync_considerations.htm&type=5

Each Business Unit should have its own Public Group to maintain clean separation of access.

Step 7: Create the User Access Policy

Now you’re ready to automate everything.

Navigate To

Setup → User Access Policies → New Policy

Policy Criteria (Detection Logic)

Example criteria:

  • Marketing_User__c = TRUE
  • AND Profile equals MCAE – Marketing User (optional)

This ensures the policy:

  • Automatically detects new marketing users
  • Updates access when a user’s role changes

Policy Actions: Permission Set Assignments

Add the following Permission Sets to the policy:

MCAE Access

  • Account Engagement User

MCN Access

  • Required Marketing Cloud Next permission sets (per Salesforce documentation)

These assignments happen automatically when the criteria is met.

Policy Actions: Public Group Assignment

Add the Public Group for the correct Business Unit:

  • Pardot – EMEA Business Unit (example)

This ensures:

  • Correct Business Unit access
  • Proper user sync with Account Engagement
  • No manual group management

Step 8: Test the Automation

Recommended Testing Steps

  1. Create a test user
  2. Set Marketing_User__c = TRUE
  3. Assign the MCAE marketing profile (if used)
  4. Save the user

Expected Result

  • Permission sets auto-assigned
  • Public Group membership auto-assigned
  • User appears in the correct Pardot Business Unit after sync

No manual steps. No admin follow-up.

Why This Approach Works So Well

Admin Benefits

  • Zero manual permission management
  • Faster onboarding
  • Fewer access mistakes
  • Scales cleanly across Business Units

Security Benefits

  • Least-privilege access enforced automatically
  • Easy removal of access when criteria is no longer met
  • Clear audit trail of how access is granted

Marketing Benefits

  • Immediate access to the right Business Unit
  • No waiting on admins
  • Fewer sync issues with Account Engagement

Final Takeaway

Using User Access Policies to manage Pardot Business Unit access transforms one of the most error-prone admin tasks into a fully automated, secure, and scalable process.

Once implemented:

  • Marketing access “just works”
  • Business Units stay cleanly separated
  • Admins get their time back

This is exactly how Salesforce intended Account Engagement access to be managed—automated, auditable, and future-proof.