This article describes how to add and manage server-side users and permission roles for the Tealium Customer Data Hub .

In order to use this feature, it must first be enabled by your Tealium account manager.

This article covers the following topics:

Table of Contents Placeholder

How It Works

Server-side user permissions creates a separation of access between the Tealium client-side interface and the server-side interface. This allows account administrators to grant access to users only for the areas that they intend to work on.

Users are still added using the client-side (iQ) admin, at which point the user will appear in the server-side user permissions list where server-side access is granted per profile. Server-side access is controlled using predefined permission roles. For each profile in the account, users are assigned a permission role to determine their access level.

Client-Side and Server-Side Permission Differences

Access between the client-side and server-side interfaces are mutually exclusive. Permissions granted to server-side do not apply to client-side. Likewise, permissions set for the client-side do not affect the server-side, except for assigning the Manage Account permission for admins.

Server-Side Permission Roles

There are four (4) server-side permission roles.

The following table describes the available permission roles.

Permission Role Description
No Access (default)

The No Access permission role does not grant any access to the server-side profile. Users with this role  that attempt to access the server-side profile will be blocked with an "Access Denied" modal. 


The Reader permission role grants read-only access to the server-side profile. A user in this role can browse the profile configuration, but will observe a disabled Save/Publish button. Users with this role cannot save any changes.


The Editor permission role grants edit and save access to the server-side profile. Users in this role can also access and edit settings in the Profile Admin > Settings menu.


The Publisher permission role grants the same access as the Editor role with the addition of the ability to publish the profile.

Admin Users

The ability to manage users for server-side products is still controlled in the client-side interface. Users with the Manage Account permission in the client-side interface will also have the ability to manage users in server-side interface.

Managing Users

Adding Users

User creation occurs in the client-side (iQ Tag Management) interface. You must have the Manage Account permission to add new users. To add a user to server-side, first add them in client-side and grant client-side permissions as needed. Then proceed to Viewing and Editing User Permissions to assign server-side permissions

To add a user with only permission to a server-side profile, do not select any client-side permissions. Once the user is activated and appears in the server-side user list, assign a server-side permission role, then return to the client-side Manage Users list to remove the user. The user will no longer have access to the client-side profile, but will retain access to the server-side profile.

See Managing User Permission in iQ: Adding Users.

Viewing and Editing User Permissions

You must have the Manage Account permission assigned from the client-side interface to access this area.

Use the following steps to view and edit server-side permissions for a user:

  1. Log in to the Server-Side area of the Customer Data Hub.
  2. Click the drop-down menu in the upper right of screen and select Manage Users.
    A list of all server-side users displays, including the user's name, email address, and a timestamp for the last login.
  3. Click a user to display the permission details. 
  4. To grant access to a profile, select a permission role from the drop-down list.
    If no changes are needed, click X to close the user details and return to the user list.
  5. Click Save.
  6. Repeat steps 3 through 5 for each user you want to edit.
    Your changes are saved without the need to publish.


If a user is deleted from the client-side profile, is the user also deleted from the server-side profile?

No. Once a user exists in both client-side and server-side, removing the user from one does not impact the other.

Can I grant user access to a server-side profile without allowing allowing access to a client-side profile?

Yes. If a user already exists in the account and the profile has been granted a permission on the server-side, a user with Manage Account permissions can go to iQ Tag Management > Manage Users and remove that user from client-side.

How does the "All current and future profiles" option impact server-side permissions?

There is no impact to server-side users. All server-side users will have the default permission role of No Access to all new server-side profiles.

What happens if a user has access to only one profile on the server-side and no profile access on the client-side?

If the user selects server-side at the login screen, they will automatically be loaded into the account/profile accordingly. If the user attempts to log in to the client-side, a modal displays with a denied access message.

Can a server-side admin change their own permissions for server-side profiles?

Yes. Users with the Manage Account permission can change permissions for all server-side users, including their own.

Can a server-side admin update user access for all server-side profiles?

Yes. The Manage Account permission is an account-level permission. Users with that permission have access to the server-side Manage Users menu item for all profiles.

How do the new server-side permissions affect the Omnichannel File Status API?

Access control to the Omichannel File Status API will change upon final release of the server-side permissions feature. In addition to the standard requirement of needing an API key to authenticate with the API, users must have read access to the relevant Customer Data Hub account. Users utilizing the v1 API only need read access to the Customer Data Hub account.