Use Marketo Roles to Create Read-Only Workspaces

Note: This post assumes that you have working knowledge of roles and how to manage them. If you do not, it may be helpful to review the Marketo Role documentation.

I recently had the opportunity to dig a little deeper into Marketo roles while configuring Marketo for a client. The requirement seemed simple enough on the surface:

The company wanted to set up a read-only Marketo workspace. Users would be blocked from editing in the workspace, but could clone program templates from it to other workspaces.

These same users were to have full “Marketing User” access and permissions for their own workspace, but not for the read-only one from which they cloned programs.

The solution, however, turned out to be trickier than expected, and our team learned a few things about how Marketo’s roles work beyond what is detailed in the Marketo docs.

In this scenario, let’s say we have two workspaces: “Clone-Only Workspace” and “Global Workspace.” A user wants to clone the program template “Standard Event Template” from the “Clone-Only Workspace” to the “Global Workspace,” and then modify the cloned program in “Global Workspace.”

We configured the client’s instance with one role for read-only permissions in the “Clone-Only Workspace,” and set up another role for the “Global Workspace” with full permissions. Because the two roles were applied to separate workspaces, this worked. However, there are issues to consider.

Here’s What to Expect

Marketo expects the roles to be mutually exclusive—one role per workspace.

A user can be a Marketing User or a Web Designer, but not both in the same workspace. When a user is assigned multiple roles for the same workspace that have overlapping permissions, Marketo will use the permissions from the more restrictive role. For example, a clone-only role will restrict the full permissions of the other role if both are applied to the same workspace.

Remember that the usual sharing rules apply to marketing assets in Marketo, so programs with forms, landing pages, emails, or templates located in Design Studio in one workspace will not clone to another workspace or be accessible to the cloned program in another workspace. The marketing assets used must be contained within the program that you are trying to clone. Landing page and email templates must be shared with the destination workspace to which you are cloning the program. Forms will need to either be contained within the program itself, or you will need to use a global form from the destination workspace.

Marketo Roles: Best Practices

These are the default roles in Marketo. Review these to understand how Marketo configured them. When applicable, use these default roles.

  • Admin: all permissions
  • Analytics User: access to Analytics
  • Marketing User: all permissions except Admin (allowed to import lists)
  • Standard User: all permissions except Admin
  • Web Designer: access to Design Studio except approval permission

When creating a new role, think about the permissions that you are giving the user, even if they only have access to a subset of the available workspaces. Remember: one role for each workspace. The Admin role is all-or-nothing, so it cannot be applied to just one workspace; it must be applied to all.

Digital Pi recommends creating a User-Role matrix and reviewing user roles every 6 months. Over time, overlapping roles may occur and cause unexpected results. A periodic review can help detect and avoid role-security issues.
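One way to run that periodic review over a User-Role matrix is sketched below. It is an added example, not code from Digital Pi or Marketo. The matrix rows, user names, the "Clone-Only" role, and the permission names are constructed for illustration, and the "effective permissions" calculation is a simplified model of the more-restrictive-role behavior described above.

```python
from collections import defaultdict

# Constructed sample data; permission names are illustrative, not Marketo's own.
ROLE_PERMS = {
    "Marketing User": {"view", "clone", "edit", "approve", "import_list"},
    "Clone-Only": {"view", "clone"},
    "Admin": {"view", "clone", "edit", "approve", "import_list", "admin"},
}
WORKSPACES = {"Clone-Only Workspace", "Global Workspace"}
# One row per (user, workspace, role) assignment, as in a User-Role matrix.
MATRIX = [
    ("ana", "Clone-Only Workspace", "Clone-Only"),
    ("ana", "Global Workspace", "Marketing User"),
    ("ben", "Global Workspace", "Marketing User"),
    ("ben", "Global Workspace", "Clone-Only"),
    ("cy", "Global Workspace", "Admin"),
]

def audit(matrix, role_perms, workspaces):
    """Return sorted findings: overlapping roles and partially applied Admin."""
    by_cell = defaultdict(set)   # (user, workspace) -> roles assigned there
    admin_ws = defaultdict(set)  # user -> workspaces where Admin is assigned
    for user, ws, role in matrix:
        by_cell[(user, ws)].add(role)
        if role == "Admin":
            admin_ws[user].add(ws)
    findings = []
    for (user, ws), roles in by_cell.items():
        if len(roles) > 1:
            # Assumption: model "more restrictive role wins" as keeping only
            # the permissions that every assigned role grants.
            effective = set.intersection(*(role_perms[r] for r in roles))
            findings.append((user, ws, "multiple-roles",
                             tuple(sorted(roles)), tuple(sorted(effective))))
    for user, ws_set in admin_ws.items():
        missing = workspaces - ws_set
        if missing:
            # Admin is all-or-nothing, so list the workspaces it is missing from.
            findings.append((user, "*", "partial-admin",
                             ("Admin",), tuple(sorted(missing))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(MATRIX, ROLE_PERMS, WORKSPACES):
        print(finding)
```

In the sample, "ana" matches the setup described in this post (one role per workspace) and produces no finding, while "ben" and "cy" are flagged.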
