Data Restriction and Sharing
Salesforce data access is controlled by Organisation-Wide Defaults (OWD) defined for each entity. A combination of OWD, sharing rules, and permission sets can be used to share data with other users. This enhances data security by exposing only the data that is relevant to each user: certain users can access only specified records. You can prevent users from accessing records that can contain sensitive data or information that is not essential to their work.
- The Salesforce integration user is an API user; it cannot be used to log in to the org and make changes.
- If the Account entity data is made private, then this is reflected across all its children and grandchildren. For example, some of the affected ones are Case, Contract, Contact, Opportunity, Quote.
The TMF APIs can be on the managed package or core. The following sections detail scenarios for both cases, using the TMF629 API on core and the TMF648 API on the managed package as examples.
- The API user assigned to a dealer is able to perform all the CRUD operations (that they are allowed to) and no granular persona restrictions are required.
- You can create multiple API users that have varying degrees of data access.
- Each dealer has one user.
- Only Salesforce internal users are considered.
Consider the users and respective data permissions in the following diagram.
- Dealer1 data
- D1 User1 with full access to Dealer1 data
- D1 User2 with Read-only
- Dealer2 data
- D2 User1 with full access to Dealer2 data
- D2 User2 with Read-only
To access TMF629 API developed on core and apply data restrictions and sharing, perform the following steps.
- From Setup, enter users in the Quick Find box, then select Users.
- Click New User to create a user. Name the new user D1 User1 and provide all the mandatory details along with the following values.
- User License - Salesforce Integration
- Profile - Salesforce API Only System Integrations
- From Setup, enter permission sets in the Quick Find box, then select Permission Sets.
- If a Salesforce Integration user is created, then assign:
- Permission Set License - Salesforce API Integration
- In the created permission set, go to Object Settings > Accounts > Object Permission.
- Enable Read and Create access by selecting the respective checkboxes. The same will reflect across all the standard entities controlled by Account. For example, Contact, Case.
- Assign the permission set created to the user D1 User1.
- From Setup, enter public groups in the Quick Find box, then select Public Groups.
- Assign the user to a user group. For example, Dealer1UserGroup for D1 User1.
Perform the same steps for creating a user D2 User1, respective permission set, and assigning to a user group. For example, Dealer2UserGroup.
To restrict the data, perform the following steps.
- Navigate to Setup > Sharing settings > Select Accounts > Modify the org wide defaults for Internal Access to Private.
- Due to this the Dealer1 and Dealer2 data can only be accessed by D1 User1, D2 User1 respectively.
To share Dealer1 data with Dealer2, perform the following steps.
- Navigate to Setup > Sharing settings > Select Accounts > Account Sharing rules > New > Create sharing rules.
- Provide a Label and Name.
- Select Rule Type as Based on record owner.
- Records to be shared as Dealer1UserGroup.
- Users to share with as Dealer2UserGroup.
- Level of access can be Read Only or Read-Write based on requirement.
NOTE:
- TMF629 has Account, Contract, Contact as standard entities. Define the sharing rules for each entity. If a standard entity is controlled by a parent, then define the rules only on the parent. In this case Account controls Contract and Contact.
To access TMF648 API developed on managed package and apply data restrictions and sharing, perform the following steps.
- From Setup, enter users in the Quick Find box, then select Users.
- Click New User to create a user. Name the new user D1 User1 and provide all the mandatory details along with the following values.
- User License - Salesforce
- Profile - Minimum Access - Salesforce
- From Setup, enter public groups in the Quick Find box, then select Public Groups.
- Assign the user to a user group. For example, Dealer1UserGroup for D1 User1.
- Navigate to Setup > Profiles > 'Minimum Access - Salesforce' > Enabled Apex Class Access (click Edit) > Add TMFOpenAPIResource and all other TMF files, then click Save.
- From Setup, enter permission sets in the Quick Find box, then select Permission Sets.
- Click New to create a new permission set. Provide all the mandatory details along with the following value.
- Permission Set License - Salesforce API Integration
- In the created permission set, go to Object Settings and enable read access (enable View All if required) for the following at object and field level.
- "Vlocity OmniScript Compiled Definitions"
- "Vlocity OmniScripts"
- "Vlocity DataRaptor Map Items"
- "Vlocity DataRaptor Bundles"
- Create another permission set with READ, CREATE access to Opportunity and Quotes.
- Assign the permission set created to the user D1 User1.
Perform the same steps for creating a user D2 User1, respective permission set, and assigning to a user group.
To restrict the data, perform the following steps.
- Navigate to Setup > Sharing settings > Select Opportunities > Modify the org wide defaults for Internal Access to Private.
- Due to this the Dealer1 and Dealer2 data can only be accessed by D1 User1, D2 User1 respectively.
To share Dealer1 data with Dealer2, perform the following steps.
- Navigate to Setup > Sharing settings > Select Opportunities > Account Sharing rules > New > Create sharing rules.
- Provide a Label and Name.
- Select Rule Type as Based on record owner.
- Records to be shared as Dealer1UserGroup.
- Users to share with as Dealer2UserGroup.
- Level of access can be Read Only or Read-Write based on requirement.
NOTE:
- TMF648 has Quote as a standard entity. If a standard entity is controlled by a parent, then define the rules only on the parent. In this case Opportunity controls Quote.
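The restrict-and-share steps in both the TMF629 and TMF648 procedures can be checked against a small access model. The following is an added example, not Salesforce or TMF package code: it models only the mechanisms this page uses (OWD, owner-based sharing rules between public groups, permission-set object permissions, parent-controlled children) and shows that a sharing rule never grants more than the permission set allows. The class and function names are hypothetical, and the org built by `page_scenario` is constructed sample data.

```python
from dataclasses import dataclass, field

LEVEL = {"Private": 0, "Read": 1, "Edit": 2}   # record-level access, weakest first
# Objects whose sharing is controlled by a parent, as named on this page.
PARENT = {"Contact": "Account", "Contract": "Account", "Quote": "Opportunity"}

@dataclass(frozen=True)
class OwnerRule:
    """Owner-based sharing rule: records owned by owner_group go to share_group."""
    obj: str
    owner_group: str
    share_group: str
    level: str          # "Read" (Read Only) or "Edit" (Read-Write)

@dataclass
class Org:
    owd: dict           # object -> OWD internal access ("Private", "Read", "Edit")
    groups: dict        # public group name -> set of user names
    perms: dict         # user -> {object: {"read", "create", "edit"}} from permission sets
    rules: list = field(default_factory=list)

    def record_level(self, user, obj, owner):
        """Record access from ownership, OWD and sharing rules (owner = parent record's owner)."""
        obj = PARENT.get(obj, obj)          # children inherit the parent's sharing
        if user == owner:
            return LEVEL["Edit"]
        best = LEVEL[self.owd.get(obj, "Private")]
        for r in self.rules:
            if (r.obj == obj and owner in self.groups.get(r.owner_group, ())
                    and user in self.groups.get(r.share_group, ())):
                best = max(best, LEVEL[r.level])
        return best

    def can(self, user, action, obj, owner):
        """Effective access = object permission AND sufficient record access."""
        if action not in self.perms.get(user, {}).get(obj, ()):
            return False                    # permission set does not allow the action
        if action == "create":
            return True                     # no existing record to check
        needed = LEVEL["Read" if action == "read" else "Edit"]
        return self.record_level(user, obj, owner) >= needed

def page_scenario(share_dealer1=False):
    """Constructed org matching the core (TMF629) walkthrough on this page."""
    rc = {o: {"read", "create"} for o in ("Account", "Contact", "Contract")}
    rules = ([OwnerRule("Account", "Dealer1UserGroup", "Dealer2UserGroup", "Edit")]
             if share_dealer1 else [])
    return Org({"Account": "Private"},
               {"Dealer1UserGroup": {"D1 User1"}, "Dealer2UserGroup": {"D2 User1"}},
               {u: dict(rc) for u in ("D1 User1", "D2 User1")}, rules)
```

With `share_dealer1=True`, D2 User1 can read Dealer1 Accounts and Contacts but still cannot edit them, because the permission set grants only Read and Create; the rule is also one-directional, so D1 User1 gains nothing on Dealer2 data.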