Security Flashcards

1
Q

Default record access to TCRM user

A

All rows by default

2
Q

How to restrict access to records in a dataset

A

sharing inheritance and security predicates

3
Q

what is a security predicate?

A

manually assigned filter condition that defines dataset row access

4
Q

implement effective dataset row-level security

A

use combination of sharing inheritance and security predicates

5
Q

How to enable sharing inheritance

A

Is on by default in new Salesforce orgs.

Turn on:
Setup -> Analytics -> Settings -> Inherit sharing from Salesforce

6
Q

How to Enable Sharing Inheritance for Synced Objects

A

If Data Sync is enabled, enable sharing inheritance for each object you want to use as a sharing source.

Data Manager -> Connect -> Row Level Sharing -> Sharing Inheritance On.

7
Q

What is Sharing Inheritance

A

Lets CRM Analytics apply the same sharing setup for datasets as Salesforce uses for your objects. Uses the Salesforce org's sharing settings.

Increases accuracy and reduces need for complicated security predicates.

Results in increased time to complete data syncs.

When you create or edit datasets, specify the objects to inherit sharing from.

If you use sharing inheritance, you must also set security predicates on impacted datasets.

8
Q

Sharing Inheritance supported objects

A

Each dataset can inherit sharing from ONE of the following objects, regardless of how many objects were used to create the dataset.

All object records must have fewer than 400 sharing descriptors each:

Account
Case
Contact
Lead
Opportunity
9
Q

How often do sharing settings change for object selected to inherit sharing from?

A

Each full data sync captures sharing setting changes.

10
Q

What is Sharing Inheritance Coverage Assessment Report, and who does it apply to?

A

Checks whether an object has records or users with more than the org’s maximum number of sharing descriptors. Run it on each object to see if sharing inheritance will work for you.

Only evaluates active users assigned the “Use CRM Analytics” permission.

11
Q

Set Sharing Inheritance for Data Prep Recipe

A

Before a dataset can inherit sharing, you must configure its recipe in Data Prep.

On the output node of the recipe, set ‘sharing source’ to the object to inherit sharing from.

12
Q

Set Sharing Inheritance for Dataset

A

Update sharing inheritance for dataset on the edit dataset page.

Settings in dataset and recipe must match. If they don’t, you get the warning ‘The sharing source and security predicate in this dataset version must be the same as in the recipe’.

13
Q

Set Sharing Inheritance in Dataflow

A

sfdc register node -> select object to inherit sharing from.

Settings in dataset and dataflow must match. If they don’t, you get the warning ‘The sharing source and security predicate in this dataset version must be the same as in the dataflow’.

14
Q

what is a sharing descriptor

A
ID of any user or group that has access to a record. Granted by:
Owning the record
Role Hierarchy
Sharing Rules
Manual Sharing
Apex managed sharing
15
Q

Sharing Inheritance Limits

A

Covers a user if they have:
View All Data permission or their record access is granted by fewer than 3000 sharing descriptors.
Backup security predicate takes effect for users with more than 3000 sharing descriptors without the view all data permission.

16
Q

What happens when user not covered by sharing inheritance and there is no security predicate on the dataset?

A

user sees no data because they have no dataset row-level access.

17
Q

Apply sharing inheritance automatically

A

NOT automatically applied to datasets. Must set manually.

18
Q

Changes to rowLevelSharingSource or rowLevelSecurityFilter impact datasets when?

A

Only apply to datasets created AFTER you save the change.

Update the settings for existing datasets on the edit dataset page to match your changes.

19
Q

Why would an object not appear in the sharing inheritance standard object list?

A

Primary key of custom object must be a field in the dataset. A foreign key doesn’t satisfy this requirement.

Ex: Opp.AccountID in dataset but not Account.ID, you can’t inherit from the account object.

20
Q

Fix data drift

A

Consider using periodic full syncs to refresh security settings on objects

21
Q

Information Leak Considerations

A

Dataset can inherit sharing settings from one object, regardless of how many objects were used to create it.

computeRelative and delta Dataflow transformations can merge information from records with different security.

Calculated fields are treated as normal fields. Row-level security applied during calculation in Salesforce is ignored.

Security predicates referencing $User information require a new user session before a new value is recognized.

22
Q

ways to add a security predicate

A

Dataflow - rowLevelSecurityFilter on SFDC Register
Recipe - Security Predicate on output node
Ext. Data File - metadata file on upload

If dataset already exists, must edit security on the dataset. Changes to dataflows and recipes do NOT impact already created datasets.

23
Q

CRM Analytics requires access to Salesforce data when…

A

extracting the data and when the data is used as part of row-level security

24
Q

Two users CRM Analytics uses

A

Integration User and Security User

25
Q

What does TCRM use the Integration User for?

A

Extract data from Salesforce objects and fields when a dataflow runs. The Integration User has View All Data access.

If dataflow is configured to extract data from an object or field the integration user doesn’t have access to, the dataflow will fail.

26
Q

What does TCRM use the Security User for?

A

When you query a dataset that has row-level security based on the User object. Uses the Security User's access to read the User object and its fields.

Security user must have at least read permission on each user object field included in a predicate.

27
Q

Security User predicate instances

A

By default, security user has read permission on all standard fields of the user object.

If predicate is based on a custom field, must grant security user access to read the field.

If security user doesn’t have read access of all user object fields included in predicate, error appears when trying to query dataset using that predicate.

28
Q

Control Access to Salesforce Object and Fields

A

integration user permissions - controls dataflow access to salesforce data

security user permissions - enable row-level security based on custom fields in user object

29
Q

App Information

A

All CRM Analytics users start off with viewer access to the default shared app. Admins can change default setting to restrict or extend access.

Each user has own private app. Private App contents aren’t visible to admins, but dashboards and lenses in private app can be shared.

All other apps created by users are private by default. App Owner and Admins have Manager access to extend access to other users, groups, or roles.

30
Q

App - Manager access

A

Do everything including change app sharing settings, rename app, delete app

31
Q

App - Editor access

A

Do everything except what the manager can do. Can update visibility in app.

32
Q

App - Viewer access

A

View dashboards, lenses, dataset in app.
See who has access to app.

Explore datasets the user has viewer access to and save lenses to an app that the user has editor or manager access to.

Save contents of the app to another app that the user has editor or manager access to.

33
Q

What happens if underlying dataset is in different app than a lens or dashboard?

A

User must have access to both apps to view the lens or dashboard.

34
Q

What happens when a user is deactivated?

A

Lose share and delete access to all apps they manage. To avoid stranding an app, make sure manager access is assigned to one active user before deactivating the user who’s the manager of the app.

35
Q

How to implement row-level security

A

Security predicates or sharing inheritance or both

36
Q

Block all users not covered by sharing inheritance

A

Set security predicate to ‘false’. This predicate is default when sharing inheritance is enabled on existing datasets.

37
Q

Types of predicates can be based on…

A

Record ownership
Management visibility
Team or account collaboration
Combination of different security requirements

38
Q

Security Predicate Format

A

ex: 'AccountOwner' == "$User.Name"

notes:
columns in single quotes (')
values in double quotes (")
Single quotes in column names must be escaped
ex: 'Team\'s name' == "Connors team"
case sensitive
<= 5000 characters
must have spaces between dataset operator and value

CRM Analytics returns a sales target record when user who submits the query on the dataset is the account owner

Account owner column -> matches user

39
Q

Security Predicate In JSON

A

In sfdcRegister node:

"rowLevelSecurityFilter": "'UserId' == \"$User.Id\""

40
Q

CRM Analytics Growth and CRM Analytics Plus license row limits

A

1 billion rows of data

Can purchase CRM Analytics Additional Data Rows -> gets you 100 million more rows

41
Q

CRM Analytics Growth License Permission Sets prebuilt permission sets

A

CRM Analytics Growth Admin

CRM Analytics Growth User

42
Q

CRM Analytics Growth Admin Permission Set

A

Enables all permissions required to administer CRM Analytics platform, including permissions to create and manage CRM analytics templated apps and Apps.

43
Q

CRM Analytics Growth User Permission Set

A

Enables all permissions required to use CRM Analytics platform and CRM Analytics templated apps and Apps

44
Q

CRM Analytics Plus License prebuilt permission sets

A

CRM Analytics plus Admin

CRM Analytics plus User

45
Q

CRM Analytics plus Admin permission set

A

All permissions to administer the CRM Analytics platform and Einstein Discovery, and to create and manage apps and templated apps

46
Q

CRM Analytics plus User permission set

A

Use CRM, Discovery, CRM Template apps and Apps.