Security Flashcards
Default record access to TCRM user
All rows by default
How to restrict access to records in a dataset
sharing inheritance and security predicates
what is a security predicate?
manually assigned filter condition that defines dataset row access
implement effective dataset row-level security
use combination of sharing inheritance and security predicates
How to enable sharing inheritance
Is on by default in new Salesforce orgs.
Turn on:
Setup -> Analytics -> Settings -> Inherit sharing from salesforce
How to Enable Sharing Inheritance for Synced Objects
If Data Sync is enabled, enable sharing inheritance for each object you want to use s sharing source.
Data Manager -> Connect -> Row Level Sharing -> Sharing Inheritance On.
What is Sharing Inheritance
Let CRM Analytics apply same sharing setup for datasets as Salesforce uses for your objects. Uses SF org Sharing settings.
Increases accuracy and reduces need for complicated security predicates.
Results in increased time to complete data syncs.
When you create or edit datasets, specify the objects to inherit sharing from.
If use sharing inheritance, must also set security predicates to impacted datsets.
Sharing Inheritance supported objects
Each dataset can inherit sharing from ONE of the following objects, regardless of how many objects were used to create the dataset.
All object records must have fewer than 400 sharing descriptors each:
Account Case Contact Lead Opportunity
How often do sharing settings change for object selected to inherit sharing from?
Each full data sync captures sharing setting changes.
What is Sharing Inheritance Coverage Assessment Report, and who does it apply to?
Checks if object has records or users with more than org’s max sharing descriptors. Run on each object to see if sharing inheritance will work for you.
Only evaluates active users assigned to the “USE CRM Analytics” permission.
Set Sharing Inheritance for Data Prep Recipe
Before a dataset can inherit sharing, must configure its recipe in data prep.
Output of node in a recipe, set ‘sharing source’ to the object to inherit sharing inheritance from.
Set Sharing Inheritance for Dataset
Update sharing inheritance for dataset on the edit dataset page.
Settings in dataset and recipe must match. If they don’t will get the warning ‘The sharing source and security predicate in this dataset version must be the same as in the recipe’
Set Sharing Inheritance in Dataflow
sfdc register node -> select object to inherit sharing from.
Settings in dataset and dataflow must match. If they don’t will get the warning ‘The sharing source and security predicate in this dataset version must be the same as in the dataflow’
what is a sharing descriptor
ID of any user or group that has access to a record. Granted by: Owning the record Role Hierarchy Sharing Rules Manual Sharing Apes managed sharing
Sharing Inheritance Limits
Covers a user if they have:
View All Data permission or their record access is granted by fewer than 3000 sharing descriptors.
Backup security predicate takes effect for users with more than 3000 sharing descriptors without the view all data permission.
What happens when user not covered by sharing inheritance and there is no security predicate on the dataset?
user sees no data because they have no dataset row-level access.
Apply sharing inheritance automatically
NOT automatically applied to datasets. Must set manually.
Changes to rowLevelSharingSource or rowLevelSecurityFilter impact datasets when?
Only apply to datasets created AFTER you save the change.
Update the settings for existing datasets on the edit dataset page to match your changes.
Why would an object not appear in the sharing inheritance standard object list?
Primary key of custom object must be a field in the dataset. A foreign key doesn’t satisfy this requirement.
Ex: Opp.AccountID in dataset but not Account.ID, you can’t inherit from the account object.
Fix data drift
Consider using periodic full synce to refresh security settings on objects
Information Leak Considerations
Dataset can inherit sharing settings from one object, regardless of how many objects were used to create it.
computeRelative and delta Dataflow transformations can merge information from records with different security.
Calculated fields are treated as normal fields. Row-level security applied during calculation in SF is ignored
Security predicats referencing $User information require a new user session before a new value is recognized.
ways to add a security predicate
Dataflow - rowLevelSecurityFilter on SFDC Register
Recipe - Security Predicate on output node
Ext. Data File - metadata file on upload
If dataset already exists, must edit security on the dataset. Changes to dataflows and recipes do NOT impact already created datasets.
CRM Analytics requires access to Salesforce data when…
extracting the data and when they data is used as part of row-level security
Two users CRM Analytics uses
Integration User and Security User
What does TCRM use the Integration User for?
Extract data from salesforce objects and fields when a dataflow runs. Integration has access view all data access.
If dataflow is configured to extract data from an object or field the integration user doesn’t have access to, the dataflow will fail.
What does TCRM use the Security User for?
when you query a dataset that has row-level security based on the user object. Uses Security user access to access the user object and its fields.
Security user must have at least read permission on each user object field included in a predicate.
Security User predicate instances
By default, security user has read permission on all standard fields of the user object.
If predicate is based on custom field, must grand security user access to read the field.
If security user doesn’t have read access of all user object fields included in predicate, error appears when trying to query dataset using that predicate.
Control Access to Salesforce Object and Fields
integration user permissions - controls dataflow access to salesforce data
security user permissions - enable row-level security based on custom fields in user object
App Information
All CRM Analytics users start off with viewer access to the default shared app. Admins can change default setting to restrict or extend access.
Each user has own private app. Private App contents aren’t visible to admins, but dashboards and lenses in private app can be shared.
All other apps created by users are private by defauly. App Owner and Admins have Manager access to extend access to other users, group, or roles.
App - Manager access
Do everything including change app sharing settings, rename app, delete app
App - Editor access
Do everything except what the manager can do. Can update visibility in app.
App - Viewer access
View dashboards, lenses, dataset in app.
See who has access to app.
Explore datasets the user has viewer access to and save lenses to an app that the user has editor or manager access to.
Save contents of the app to another app that the user has editor or manager access to.
What happens if underlying dataset is in different app than a lens or dashboard?
User must have access to both apps to view the lens or dashboard.
What happens when a user is deactivated?
Lose share and delete access to all apps they manage. To avoid stranding an app, make sure manager access is assigned to one active user before deactivating the user who’s the manager of the app.
How to implement row-level security
Security predicates or sharing inheritance or both
Block all users not covered by sharing inheritance
Set security predicate to ‘false’. This predicate is default when sharing inheritance is enabled on existing datasets.
Types of predicates can be based on…
Record ownership
Management visibility
Team or account collaboration
Combination of different security requirements
Security Predicate Format
ex: ‘AccountOwner’ == “$User.Name”
notes:
columns in single quotes (')
values in double quotes (")
Single quotes in column names must be escaped
ex: 'Team\'s name' == "Connors team"
case sensitive
<= 5000 characters
must have spaces between dataset operator and value
CRM Analytics returns a sales target record when user who submits the query on the dataset is the account owner
Account owner column -> matches user
Security Predicate In JSON
In sfdcRegister node:
“rowLevelSecurityFilter”: “‘UserId’ == "$User.Id"”
CRM Analytics Growth and CRM Analytics Plus license row limits
1 billion rows of data
Can purchase CRM Analytics Additional Data Rows -> gets you 100 million more rows
CRM Analytics Growth License Permission Sets prebuilt permission sets
CRM Analytics Growth Admin
CRM Analytics Growth User
CRM Analytics Growth Admin Permission Set
Enables all permissions required to administer CRM Analytics platform, including permissions to create and manage CRM analytics templated apps and Apps.
CRM Analytics Growth User Permission Set
Enables all permissions required to use CRM Analytics platform and CRM Analytics templated apps and Apps
CRM Analytics Plus License prebuilt permission sets
CRM Analytics plus Admin
CRM Analytics plus User
CRM Analytics plus Admin permission set
all permissions to admin crm analytics platform, einstein Discovery, create manage apps and templated apps
CRM Analytics plus User permission set
Use CRM, Discovery, CRM Template apps and Apps.
