Security Flashcards
Default record access to TCRM user
All rows by default
How to restrict access to records in a dataset
sharing inheritance and security predicates
what is a security predicate?
manually assigned filter condition that defines dataset row access
implement effective dataset row-level security
use combination of sharing inheritance and security predicates
How to enable sharing inheritance
Is on by default in new Salesforce orgs.
Turn on:
Setup -> Analytics -> Settings -> Inherit sharing from salesforce
How to Enable Sharing Inheritance for Synced Objects
If Data Sync is enabled, enable sharing inheritance for each object you want to use s sharing source.
Data Manager -> Connect -> Row Level Sharing -> Sharing Inheritance On.
What is Sharing Inheritance
Let CRM Analytics apply same sharing setup for datasets as Salesforce uses for your objects. Uses SF org Sharing settings.
Increases accuracy and reduces need for complicated security predicates.
Results in increased time to complete data syncs.
When you create or edit datasets, specify the objects to inherit sharing from.
If use sharing inheritance, must also set security predicates to impacted datsets.
Sharing Inheritance supported objects
Each dataset can inherit sharing from ONE of the following objects, regardless of how many objects were used to create the dataset.
All object records must have fewer than 400 sharing descriptors each:
Account Case Contact Lead Opportunity
How often do sharing settings change for object selected to inherit sharing from?
Each full data sync captures sharing setting changes.
What is Sharing Inheritance Coverage Assessment Report, and who does it apply to?
Checks if object has records or users with more than org’s max sharing descriptors. Run on each object to see if sharing inheritance will work for you.
Only evaluates active users assigned to the “USE CRM Analytics” permission.
Set Sharing Inheritance for Data Prep Recipe
Before a dataset can inherit sharing, must configure its recipe in data prep.
Output of node in a recipe, set ‘sharing source’ to the object to inherit sharing inheritance from.
Set Sharing Inheritance for Dataset
Update sharing inheritance for dataset on the edit dataset page.
Settings in dataset and recipe must match. If they don’t will get the warning ‘The sharing source and security predicate in this dataset version must be the same as in the recipe’
Set Sharing Inheritance in Dataflow
sfdc register node -> select object to inherit sharing from.
Settings in dataset and dataflow must match. If they don’t will get the warning ‘The sharing source and security predicate in this dataset version must be the same as in the dataflow’
what is a sharing descriptor
ID of any user or group that has access to a record. Granted by: Owning the record Role Hierarchy Sharing Rules Manual Sharing Apes managed sharing
Sharing Inheritance Limits
Covers a user if they have:
View All Data permission or their record access is granted by fewer than 3000 sharing descriptors.
Backup security predicate takes effect for users with more than 3000 sharing descriptors without the view all data permission.
What happens when user not covered by sharing inheritance and there is no security predicate on the dataset?
user sees no data because they have no dataset row-level access.
Apply sharing inheritance automatically
NOT automatically applied to datasets. Must set manually.
Changes to rowLevelSharingSource or rowLevelSecurityFilter impact datasets when?
Only apply to datasets created AFTER you save the change.
Update the settings for existing datasets on the edit dataset page to match your changes.