Security

Question 1

Default record access to TCRM user

Answer 1

All rows by default

Question 2

How to restrict access to records in a dataset

Answer 2

sharing inheritance and security predicates

Question 3

what is a security predicate?

Answer 3

manually assigned filter condition that defines dataset row access

Question 4

implement effective dataset row-level security

Answer 4

use combination of sharing inheritance and security predicates

Question 5

How to enable sharing inheritance

Answer 5

Is on by default in new Salesforce orgs.

Turn on:
Setup -> Analytics -> Settings -> Inherit sharing from salesforce

Question 6

How to Enable Sharing Inheritance for Synced Objects

Answer 6

If Data Sync is enabled, enable sharing inheritance for each object you want to use s sharing source.

Data Manager -> Connect -> Row Level Sharing -> Sharing Inheritance On.

Question 7

What is Sharing Inheritance

Answer 7

Let CRM Analytics apply same sharing setup for datasets as Salesforce uses for your objects. Uses SF org Sharing settings.

Increases accuracy and reduces need for complicated security predicates.

Results in increased time to complete data syncs.

When you create or edit datasets, specify the objects to inherit sharing from.

If use sharing inheritance, must also set security predicates to impacted datsets.

Question 8

Sharing Inheritance supported objects

Answer 8

Each dataset can inherit sharing from ONE of the following objects, regardless of how many objects were used to create the dataset.

All object records must have fewer than 400 sharing descriptors each:

Account
Case
Contact
Lead
Opportunity

Question 9

How often do sharing settings change for object selected to inherit sharing from?

Answer 9

Each full data sync captures sharing setting changes.

Question 10

What is Sharing Inheritance Coverage Assessment Report, and who does it apply to?

Answer 10

Checks if object has records or users with more than org’s max sharing descriptors. Run on each object to see if sharing inheritance will work for you.

Only evaluates active users assigned to the “USE CRM Analytics” permission.

Question 11

Set Sharing Inheritance for Data Prep Recipe

Answer 11

Before a dataset can inherit sharing, must configure its recipe in data prep.

Output of node in a recipe, set ‘sharing source’ to the object to inherit sharing inheritance from.

Question 12

Set Sharing Inheritance for Dataset

Answer 12

Update sharing inheritance for dataset on the edit dataset page.

Settings in dataset and recipe must match. If they don’t will get the warning ‘The sharing source and security predicate in this dataset version must be the same as in the recipe’

Question 13

Set Sharing Inheritance in Dataflow

Answer 13

sfdc register node -> select object to inherit sharing from.

Settings in dataset and dataflow must match. If they don’t will get the warning ‘The sharing source and security predicate in this dataset version must be the same as in the dataflow’

Question 14

what is a sharing descriptor

Answer 14

ID of any user or group that has access to a record. Granted by:
Owning the record
Role Hierarchy
Sharing Rules
Manual Sharing
Apes managed sharing

Question 15

Sharing Inheritance Limits

Answer 15

Covers a user if they have:
View All Data permission or their record access is granted by fewer than 3000 sharing descriptors.
Backup security predicate takes effect for users with more than 3000 sharing descriptors without the view all data permission.

Question 16

What happens when user not covered by sharing inheritance and there is no security predicate on the dataset?

Answer 16

user sees no data because they have no dataset row-level access.

Question 17

Apply sharing inheritance automatically

Answer 17

NOT automatically applied to datasets. Must set manually.

Question 18

Changes to rowLevelSharingSource or rowLevelSecurityFilter impact datasets when?

Answer 18

Only apply to datasets created AFTER you save the change.

Update the settings for existing datasets on the edit dataset page to match your changes.

Question 19

Why would an object not appear in the sharing inheritance standard object list?

Answer 19

Primary key of custom object must be a field in the dataset. A foreign key doesn’t satisfy this requirement.

Ex: Opp.AccountID in dataset but not Account.ID, you can’t inherit from the account object.

Question 20

Fix data drift

Answer 20

Consider using periodic full synce to refresh security settings on objects

Question 21

Information Leak Considerations

Answer 21

Dataset can inherit sharing settings from one object, regardless of how many objects were used to create it.

computeRelative and delta Dataflow transformations can merge information from records with different security.

Calculated fields are treated as normal fields. Row-level security applied during calculation in SF is ignored

Security predicats referencing $User information require a new user session before a new value is recognized.

Question 22

ways to add a security predicate

Answer 22

Dataflow - rowLevelSecurityFilter on SFDC Register
Recipe - Security Predicate on output node
Ext. Data File - metadata file on upload

If dataset already exists, must edit security on the dataset. Changes to dataflows and recipes do NOT impact already created datasets.

Question 23

CRM Analytics requires access to Salesforce data when…

Answer 23

extracting the data and when they data is used as part of row-level security

Question 24

Two users CRM Analytics uses

Answer 24

Integration User and Security User

Question 25

What does TCRM use the Integration User for?

Answer 25

Extract data from salesforce objects and fields when a dataflow runs. Integration has access view all data access.

If dataflow is configured to extract data from an object or field the integration user doesn’t have access to, the dataflow will fail.

Question 26

What does TCRM use the Security User for?

Answer 26

when you query a dataset that has row-level security based on the user object. Uses Security user access to access the user object and its fields.

Security user must have at least read permission on each user object field included in a predicate.

Question 27

Security User predicate instances

Answer 27

By default, security user has read permission on all standard fields of the user object.

If predicate is based on custom field, must grand security user access to read the field.

If security user doesn’t have read access of all user object fields included in predicate, error appears when trying to query dataset using that predicate.

Question 28

Control Access to Salesforce Object and Fields

Answer 28

integration user permissions - controls dataflow access to salesforce data

security user permissions - enable row-level security based on custom fields in user object

Question 29

App Information

Answer 29

All CRM Analytics users start off with viewer access to the default shared app. Admins can change default setting to restrict or extend access.

Each user has own private app. Private App contents aren’t visible to admins, but dashboards and lenses in private app can be shared.

All other apps created by users are private by defauly. App Owner and Admins have Manager access to extend access to other users, group, or roles.

Question 30

App - Manager access

Answer 30

Do everything including change app sharing settings, rename app, delete app

Question 31

App - Editor access

Answer 31

Do everything except what the manager can do. Can update visibility in app.

Question 32

App - Viewer access

Answer 32

View dashboards, lenses, dataset in app.
See who has access to app.

Explore datasets the user has viewer access to and save lenses to an app that the user has editor or manager access to.

Save contents of the app to another app that the user has editor or manager access to.

Question 33

What happens if underlying dataset is in different app than a lens or dashboard?

Answer 33

User must have access to both apps to view the lens or dashboard.

Question 34

What happens when a user is deactivated?

Answer 34

Lose share and delete access to all apps they manage. To avoid stranding an app, make sure manager access is assigned to one active user before deactivating the user who’s the manager of the app.

Question 35

How to implement row-level security

Answer 35

Security predicates or sharing inheritance or both

Question 36

Block all users not covered by sharing inheritance

Answer 36

Set security predicate to ‘false’. This predicate is default when sharing inheritance is enabled on existing datasets.

Question 37

Types of predicates can be based on…

Answer 37

Record ownership
Management visibility
Team or account collaboration
Combination of different security requirements

Question 38

Security Predicate Format

Answer 38

ex: ‘AccountOwner’ == “$User.Name”

notes:
columns in single quotes (')
values in double quotes (")
Single quotes in column names must be escaped 
ex: 'Team\'s name' == "Connors team"
case sensitive
<= 5000 characters
must have spaces between dataset operator and value

CRM Analytics returns a sales target record when user who submits the query on the dataset is the account owner

Account owner column -> matches user

Question 39

Security Predicate In JSON

Answer 39

In sfdcRegister node:

“rowLevelSecurityFilter”: “‘UserId’ == "$User.Id"”

Question 40

CRM Analytics Growth and CRM Analytics Plus license row limits

Answer 40

1 billion rows of data

Can purchase CRM Analytics Additional Data Rows -> gets you 100 million more rows

Question 41

CRM Analytics Growth License Permission Sets prebuilt permission sets

Answer 41

CRM Analytics Growth Admin

CRM Analytics Growth User

Question 42

CRM Analytics Growth Admin Permission Set

Answer 42

Enables all permissions required to administer CRM Analytics platform, including permissions to create and manage CRM analytics templated apps and Apps.

Question 43

CRM Analytics Growth User Permission Set

Answer 43

Enables all permissions required to use CRM Analytics platform and CRM Analytics templated apps and Apps

Question 44

CRM Analytics Plus License prebuilt permission sets

Answer 44

CRM Analytics plus Admin

CRM Analytics plus User

Question 45

CRM Analytics plus Admin permission set

Answer 45

all permissions to admin crm analytics platform, einstein Discovery, create manage apps and templated apps

Question 46

CRM Analytics plus User permission set

Answer 46

Use CRM, Discovery, CRM Template apps and Apps.