At the moment I have 14 users of DTM with different levels of access. Some are users, some are approvers, and some are publishers. However, there is a concern that IP restriction is not possible with DTM the way it is with Adobe Analytics. The fear (however small) is that someone could gain access to DTM and add some nefarious script which could then get published. Is there a way to secure DTM either through the marketing cloud, or is IP restriction a feature Adobe might look into?
No, you wouldn't need to "reset" all users, they can be migrated over. Each user would need to create an Adobe ID, Enterprise ID or Federated ID for the Marketing Cloud (if they don't already have one). Once created, their Adobe ID would be linked to their solution login.
Customer Care can simply change a setting within your DTM account that restricts login to the Marketing Cloud. This essentially turns off the solution logins (dtm.adobe.com) for your account. Users would need to login to the Marketing Cloud (marketing.adobe.com) then navigate to DTM.
If your organization also has access to Analytics, Target, and Audience Manager, those solutions can also be linked to the Marketing Cloud (if they're not already). Once your solutions are linked appropriately, you'd have a single location to manage users and permissions for all your Adobe marketing solutions.
This is Adobe's vision for user management. You'll find each of the solutions is at various stages of integration with this vision. Some will have full functionality in the Admin Console, while others will only have user management. Eventually, all solutions will be fully enabled for user and permissions management via the Marketing Cloud
Another question. We have the marketing cloud, would I need to reset up all the users? We also have Adobe Analytics (obviously), Target and Audience manager. So I think an admin overhaul might be in order.
The best way to secure DTM would be to only allow login via Adobe Marketing Cloud (enabled by Client Care). Once this is setup, you would manage users and their permissions in the Adobe Admin Console.
The Adobe Marketing Cloud also has SSO and Federated ID capabilities. If you setup the SSO portion through Client Care, I believe you can restrict authentication to certain IP addresses. Please let me know if you'd like to go down this route and I'll see what other documentation I can find.