This article describes how to add and manage server-side users and permission roles for the Tealium Customer Data Hub .

In order to use this feature, it must first be enabled by your Tealium account manager.

This article covers the following topics:

Table of Contents Placeholder

How It Works

Server-side user permissions creates a separation of access between the Tealium client-side interface and the server-side interface. This allows account administrators to grant access to users only for the areas that they intend to work on.

Users are still added using the client-side (iQ) admin, at which point the user will appear in the server-side user permissions list where server-side access is granted per profile. Server-side access is controlled using predefined permission roles. For each profile in the account, users are assigned a permission role to determine their access level.

Client-Side and Server-Side Permission Differences

Access between the client-side and server-side interfaces are mutually exclusive. Permissions granted to server-side do not apply to client-side. Likewise, permissions set for the client-side do not affect the server-side, except for assigning the Manage Account permission for admins.

Server-Side Permission Roles

There are four (4) server-side permission roles.

The following table describes the available permission roles.

Permission Role Description
No Access (default)

The No Access permission role does not grant any access to the server-side profile. Users with this role  that attempt to access the server-side profile will be blocked with an "Access Denied" modal. 


The Reader permission role grants read-only access to the server-side profile. A user in this role can browse the profile configuration, but will observe a disabled Save/Publish button. Users with this role cannot save any changes.


The Editor permission role grants edit and save access to the server-side profile. Users in this role can also access and edit settings in the Profile Admin > Settings menu.


The Publisher permission role grants the same access as the Editor role with the addition of the ability to publish the profile.

Admin Users

Admins of the server-side interface are the only users that have the ability to change permissions of server-side users. None of the server-side permission roles grant this ability. To be an admin of the server-side interface you must have the Manage Account permission, set from the client-side interface.

Only the Manage Users permission grants the ability to add users to the account.

Learn more about managing user permissions in Tealium iQ Tag Management.

Managing Users

Adding Users

To give a user access to server-side, you must first add them in the client-side interface. In the client-side interface you must have the Manage Users permission to add users to your account and the Manage Account permission to manage permissions in the server-side interface. 

To add a user with only permission to a server-side profile, follow these steps:

  1. In the client-side interface, add the user, but do not select any client-side permissions.
    The user must verify their email address before you can continue, at which point the user will have read-only access to the client-side interface and will appear in the Manage Users list in the server-side interface.
  2. In the server-side interface, go to Manager Users and assign permission roles to grant the user access to a server-side profile.
  3. In the client-side interface, go to Manage Users and remove the user.

The user will no longer have access to the client-side profile, but will retain access to the server-side profile.

See Managing User Permission in iQ: Adding Users.

Viewing and Editing User Permissions

You must have the Manage Account permission, assigned from the client-side interface, to access this area.

Use the following steps to view and edit server-side permissions for a user:

  1. Log in to the Server-Side area of the Customer Data Hub.
  2. Click the drop-down menu in the upper right of screen and select Manage Users.
    A list of all server-side users displays, including the user's name, email address, and a timestamp for the last login.
  3. Click a user to display the permission details. 
  4. To grant access to a profile, select a permission role from the drop-down list.
    If no changes are needed, click X to close the user details and return to the user list.
  5. Click Save.
  6. Repeat steps 3 through 5 for each user you want to edit.
    Your changes are saved without the need to publish.


If a user is removed from the client-side profile, is the user also removed from the server-side profile?

No. Once a user exists in both client-side and server-side, removing the user from one does not impact the other.

Can I grant a user access to a server-side profile without allowing access to a client-side profile?

Yes. If a user already exists in the account and has been granted permission to a profile on the server-side, go to iQ Tag Management > Manage Users and remove that user from the client-side interface. See the Adding Users section for more information.

How does the "All current and future profiles" option impact server-side permissions?

There is no impact to server-side users. All server-side users will have the default permission role of No Access to all new server-side profiles.

What happens if a user has access to only one profile on the server-side and no profile access on the client-side?

If the user selects server-side at the login screen, they will automatically be loaded into the account/profile accordingly. If the user attempts to log in to the client-side, a modal displays with a denied access message.

Can a server-side admin change their own permissions for server-side profiles?

Yes. A server-side admin user (granted by the Manage Account permission) can change permissions for all server-side users, including their own.

Can a server-side admin update manage permissions for all server-side profiles?

Yes. A server-side admin user's access is granted by the Manage Account permission, which is an account-level permission. Users with this permission level have access to the Manage Users screen in the server-side interface where they can manage user permissions for all profiles.

How do the new server-side permissions affect the Omnichannel File Status API?

Access control to the Omichannel File Status API will change upon final release of the server-side permissions feature. In addition to the standard requirement of needing an API key to authenticate with the API, users must have read access to the relevant Customer Data Hub account. Users utilizing the v1 API only need read access to the Customer Data Hub account.

Can a server-side admin add or delete a user from an account?

It depends. Only admin users that also have the Manage Users permission (granted in the client-side interface) can add and remove a user from the account. A server-side admin user without this permission can only manage permissions for server-side profiles.