Data Access Security
Veeva Professional Services
Module Objectives
Define Salesforce.com Data Access Security
Describe the different mechanisms for securing data access, including:
- Profiles
- Permission Sets
- Field Level Security
- Record Ownership
- Organization-Wide Defaults
- Role Hierarchy
- Territory Hierarchy
- Sharing Rules
Create and manage user accounts

One profile can be assigned to many users, but a user can be assigned to only one profile at a time
Important to set up user profiles properly in the beginning
Minimize the number of profiles for maintenance
Setup > Manage Users > Profiles
Profiles used by Veeva have the word Platform in their names
2014 Veeva Systems Company Confidential veeva.com

Application Access
An application is a collection of tabs
Typically, End-Users and Managers will have access to the Veeva CRM application only
Administrative users may have custom applications such as Samples Management, Territory Management, and Data Stewardship that provide a specialized arrangement of tabs

Tab Access
Tabs control the top-level objects that users can access
- Default On: tab will always appear on the tab bar
- Default Off: tab is available from the +
- Tab Hidden: tab is not available to the user; the user will not be able to search on objects whose tab is hidden
[Figure callouts: Default On tabs; Default On +]

CRUD for Objects Access
Controls whether users of a profile can read, create, edit, and delete records for each standard or custom object
System Administrators also have the View All and Modify All permissions on all objects

Object Record Type Access
Record Type Settings control which record types are available for each object for users of a profile
Record types will be covered in detail later in the course
Control what Account record types this profile has access to

Field Level Security Access
Fields can be hidden or displayed to users in:
- Detail and edit pages, related lists, list views, reports
Example: Hide the Territory field on the Accounts page from the users but display it for the Admin
prevent searching on the values within a field if you have visibility to the object
[Diagram labels: Objects, Records, Fields]

Setting FLS from a Profile
To set FLS on all objects and all fields for a single profile:
Setup > Manage Users > Profiles > [Profile] > Field-Level Security > [Field]

Setting FLS from an Object
To set FLS on a single field for all profiles:
Setup > Create > Objects > [Object] > [Field] > field detail page > Set Field-Level Security button
Setup > Customize > Accounts > [Fields] > field detail page > Set Field-Level Security button

Additional Access
Profiles are also used to configure:
Page Layout Assignment
Enable Apex Class Access
- Which page layout(s) are being used for all objects per profile
- Which Visualforce pages users of this profile have access to in the application

Permission Sets
Grants permissions at the user level without having to modify or clone Profiles
Veeva Setting to true

Defining Permission Sets
To create Permission Sets:
Setup > Administration Setup > Manage Users > Permission Sets

Assign Permission Sets
Once defined, assign Permission Sets to users
Click the Manage Assignments button

Record Access

Record Ownership
Fundamental element driving the concept of shared visibility to control how data is shared
All records in the system must have an Owner
By default, the owner of a record is the creator
An owner of a record has the following default rights to the record:
- View
- Edit
- Delete
- Transfer Ownership
- Sharing

Organization-Wide Defaults
Organization-Wide Default (OWD) has 4 settings:
- Private: Allows only the record owner to view and edit the record
- Public Read: Allows all users to view records of an object regardless of record ownership
- Public Read/Write: Allows all users to view and edit records of an object regardless of record ownership; this is rare
- Controlled by Parent: Takes the OWD setting at the parent object, i.e., Address takes Accounts OWD setting

Organization-Wide Defaults
Lock down data to the most restrictive level, and then use profiles to selectively give users the ability to manipulate the data
If all users need to read Medical Events but some users need to edit them, then set the OWD to Public Read and grant certain user profiles Edit permission to the Medical Event object

Territory Hierarchy
Give users access to Accounts through territories
Applies only to the Veeva My Accounts
Accounts are aligned to one or more territories
Users are assigned to one territory (in some cases temporarily to more than one)
Visibility to accounts is shared up the territory hierarchy
To access and set up the Territory Hierarchy go to:
users to territories

Role Hierarchy
The Role Hierarchy gives managers visibility to the data with private OWD (excluding Accounts) owned by their direct reports
Also known as Vertical Sharing
To access and set up the Role Hierarchy go to:
Setup > Manage Users > Roles > Set Up Roles button
Add roles as well as edit, delete, and assign roles to users

Territories vs. Roles Best Practice
In Veeva implementations the Territory and Role hierarchies should be identical
Focus on creating the Territory hierarchy and then make the Role hierarchy exactly the same
[Figure: Territory Hierarchy | Role Hierarchy]

Sharing Rules
Private data can be shared when needed
Can be shared to users or public groups
Allow greater access for designated users
Can never be stricter than OWD settings
Often referred to as Horizontal Sharing

Accessing Sharing Rules
To access and set up Sharing Rules:
Setup > Security Controls > Sharing Settings > Sharing Rules
Configuration:
- Sharing Rules are defined for one-way sharing
- Two sharing rules are needed to share data between groups
- Create a Public Group to group individual users and/or roles
[Figure: Sharing Rule 1; Sharing Rule 2]
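
How the record-level layers described above combine for a non-Account object (Organization-Wide Default, record ownership, Role Hierarchy, Sharing Rules), as an added Python sketch that is not part of the course material and not Salesforce's own logic. Assumptions: all user, group and rule names are hypothetical, a manager inherits the owner's access, sharing rules carry a read or edit level, and Controlled by Parent is resolved to the parent object's setting before calling.

```python
from dataclasses import dataclass

LEVEL = {"none": 0, "read": 1, "edit": 2}
# Baseline access every user gets from the Organization-Wide Default.
OWD_BASELINE = {"Private": "none", "Public Read": "read", "Public Read/Write": "edit"}

@dataclass(frozen=True)
class SharingRule:
    owned_by: str     # records owned by members of this public group...
    shared_with: str  # ...are opened to members of this group (one-way)
    access: str       # "read" or "edit" (assumed levels)

def is_above(manager, user, reports_to):
    """True if `manager` is anywhere above `user` in the role hierarchy."""
    seen = set()
    while user in reports_to and user not in seen:
        seen.add(user)
        user = reports_to[user]
        if user == manager:
            return True
    return False

def access_paths(user, owner, owd, reports_to, groups, rules):
    """List every (source, level) that gives `user` access to one record."""
    paths = [(f"OWD {owd}", OWD_BASELINE[owd])]
    if user == owner:
        paths.append(("record owner", "edit"))
    elif is_above(user, owner, reports_to):
        # Assumption: vertical sharing gives the manager the owner's access.
        paths.append(("role hierarchy", "edit"))
    for rule in rules:
        if owner in groups[rule.owned_by] and user in groups[rule.shared_with]:
            paths.append((f"sharing rule {rule.owned_by}->{rule.shared_with}", rule.access))
    return [p for p in paths if p[1] != "none"]

def effective_access(user, owner, owd, reports_to, groups, rules):
    """Grants only widen access, so the result is the widest level found."""
    levels = [lvl for _, lvl in access_paths(user, owner, owd, reports_to, groups, rules)]
    return max(levels, key=LEVEL.get, default="none")

# Constructed sample org; every name below is hypothetical.
REPORTS_TO = {"rep_east": "mgr_east", "mgr_east": "vp", "rep_west": "mgr_west", "mgr_west": "vp"}
GROUPS = {"East": {"rep_east", "mgr_east"}, "West": {"rep_west", "mgr_west"}}
RULES = [SharingRule("East", "West", "read")]  # East's records become visible to West

if __name__ == "__main__":
    for user in ("rep_east", "mgr_east", "vp", "rep_west", "mgr_west"):
        args = (user, "rep_east", "Private", REPORTS_TO, GROUPS, RULES)
        print(f"{user:9} {effective_access(*args):5} {access_paths(*args)}")
```

Listing the access paths rather than only the final level makes it easy to review why a user can reach a record, and shows that the single East-to-West rule gives East no access to West's records.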

Change Account Owner Workflow
The Veeva My Accounts tab displays an Account if
- The Account belongs to the user's territory
- The user owns the Account
Veeva implementations in which users are allowed to create Accounts
- Create a workflow that updates the Account Owner field and sets it to a designated Admin user
If the Accounts are realigned to different territories
- Users still see Accounts they own even though the account is no longer in the user's territory

User Management
In Salesforce, every user is identified by a username, password, a single profile and a single role, and one or more territories, which determine:
- What tasks users can perform
- What data they see
- What they can do with the data
Admins can also perform the following user management functions:
- Creating or inactivating users
- Resetting passwords
- Unlocking users
- Logging in as another user (Enable Login Permission required)
Select a user
Click Edit to edit a user's account

Creating a New User
Username
- Must be unique across SFDC
- Generally set to user's email
Active
- Can't delete users
- If someone leaves, inactivate the user account
User License must be set to Salesforce Platform for Veeva licenses
Approver Settings
- If enabling an approval workflow, assign a manager

Add User to a Territory
To access and set up territory hierarchy through the UI:
Setup > Manage Territories > Hierarchy

Module Summary
Defined Salesforce.com Data Access Security
Described the different mechanisms for securing data access, including:
- Profiles
- Field Level Security
- Record Ownership
- Organization-Wide Defaults
- Role Hierarchy
- Sharing Rules
- Territory Hierarchy
Discussed how to manage and create user accounts

Labs
- Create a role
- Create a user profile
- Access and create territories
- Review OWD