Managing large role hierarchies at enterprise scale presents challenges. Regular maintenance is needed to optimize performance as roles and data grow. Best practices include setting minimum role defaults, regularly deleting unused roles via API, and following guidance for major sharing changes to avoid performance issues. Symantec reduced their roles by 30,000 through analyzing sharing rules and portal roles with no users assigned. Periodic reviews help ensure a scalable and efficient security model.

1. Managing the Role Hierarchy at
Enterprise Scale
Bud Vieira, Salesforce, CCE Technical Enablement
@aavra
Sean Regan, Salesforce, CCE Technical Enablement
@sfdcsregan
Robert Kraynak, Symantec Corporation, Sr. Director Change and Cloud Enablement

2. Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if
any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-
looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of
product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of
management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments
and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our
service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth,
interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated
with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain,
and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling
non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the
financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. This
documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may
not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently
available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

3. Collaborate!
Post questions to session Chatter
Use any device
We’ll collect the questions for the
Q&A session

4. Agenda
Role Hierarchy at Enterprise Scale – the Challenge
Role Management Success – Tools and Strategies
Customer Success – Role Management at Symantec
Key Take Aways
Q&A

5. Bud Vieira
Senior Member of Technical Staff
CCE Technical Enablement
@aavra

6. Role Hierarchy at Enterprise Scale
Global sales operations  1000s of roles
Cross-functional collaboration  Sharing Rules
Portals  complexity, 10s of K’s of roles
vs

7. What is Sharing Maintenance?
Sharing is optimized for end user performance
Access is calculated as configuration changes
Sharing Rules
Role Hierarchy Structure
User Role Changes
Large Data Loads
Big Changes + Big Data *may* = Big Calc

8. “Under the Hood” of a Role Change
Hierarchy Inheritance
Access to Child Records
Portal Account Roles
A2 B2
Sharing Rule Recalc
Betty

9. Example: Salesforce.com Realignment ‘11
Basic Stats
~19M Accounts and Related Records
~60K Roles
~700 Sharing Rules on Accounts and Children
Scope of the Changes
New executive role
Child record access settings
1M Accounts changed owners
2000 Users changed roles

10. Key Take-Aways
 Security is calculated in advance to optimize user experience
 Changes that seem simple can involve a lot of recalculation
 Actively manage complex orgs to optimize performance

11. Sean Regan
Senior Member of Technical Staff
CCE Technical Enablement
@sfdcsregan

12. Role Management Success
Managing Role Growth
 Role defaults for Portals
 Deleting unused Roles via API
Best Practices for Major Sharing Changes
 CCE Publications on Sharing

13. Role Performance Features
Rule Defaults for Portals
Set Portal Role Defaults to Minimum Value

14. Role Performance Features
Rule Defaults for Portals
Apex to insert an additional UserRole.
UserRole ur = new UserRole();
ur.PortalAccountId = ‘00130000019hCSo’;
ur.PortalType = ‘Partner’;
INSERT ur;
UserRole is a setup object

15. Role Performance Features
Deleting Unused Roles
Determine what roles to delete
 Unused
 All inactive users
 Last login timeframe
Move users to a different role
Delete the target roles

16. Deleting Roles – Step 1
Find the Empty Roles
Back Up Your DATA!!!
SOQL Query to extract the Partner roles not assigned to any user.
SELECT
CaseAccessForAccountOwner, ContactAccessForAccountOwner, ForecastUserId, Id,
MayForecastManagerShare, Name, OpportunityAccessForAccountOwner, ParentRoleId, PortalAccountId,
PortalAccountOwnerId, PortalRole, PortalType,RollupDescription
FROM
UserRole
WHERE
PortalType = 'Partner' and PortalRole in (‘Executive’,’Manager’) and Id not in(select UserRoleId from User)

17. Deleting Roles – Step 2
Check for manual shares that will be deleted
SOQL Query to extract the Manual Object Shares (e.g. AccountShares) created for
RolesAndSubordinates:
SELECT
AccountAccessLevel, AccountId, CaseAccessLevel, ContactAccessLevel, Id, OpportunityAccessLevel, RowCause,
UserOrGroupId
FROM
AccountShare
WHERE
RowCause = 'Manual' and UserOrGroupId in (Select Id from Group where Type = 'RoleAndSubordinates‘ or Type =
‘Role’)
Results from above should be extracted from the partner roles extracted in Step 1.

18. Deleting Roles – Step 3
Check for Sharing Rules that will be deleted
Analyze Sharing Rules and exclude the Roles that have Sharing Rules defined
SELECT
Id
FROM
Group
WHERE
relatedId in (SELECT Id FROM UserRole WHERE Name in (‘Company 1 Partner Executive', 'Company 2 Partner
Executive', 'Company 3 Partner Executive')) and Type = 'Role’
Results from above should be extracted from the partner roles extracted in Step 1.

19. Deleting Roles – GO!
Execute the Deletion
Prepare to Delete
 Test in a full Sandbox!!!
 Segment your data (e.g. date, country)
 Recommended batch size is 10
Perform deletion
Note: parallel processing role deletions will cause lock exceptions

20. Best Practices for Major Changes to Sharing
CCE-TE Publications
Search: “Salesforce Architect Core Resources”
Record Level Access: Under the Hood
http://bit.ly/RhzT3H
Designing Record Access for Enterprise Scale
Coming Soon
Managing Ownership Skew For Peak Performance
http://bit.ly/NYJ2gj
Avoid Account Skew For Peak Performance
http://bit.ly/IlYUZV

21. Key Take-Aways
 Only create the portal roles you need
 Periodically query and delete unneeded roles
 Learn and follow best practices for large scale sharing changes
 Contact Support or Services for assistance on any large scale organization
realignments

22. Robert Kraynak
Sr. Director Cloud Enablement

23. at a Glance
Founded in 1982 $6.7 billion revenue in FY 2012;
IPO in 1989 approximately 52% outside of the U.S.
Approximately 20,500 employees More than 1500 global patents
Operations in 48 countries Symantec footprint on more than
one billion systems
Included on Fortune’s Most Admired
#391 on the 2012 Fortune 500 Companies list
100 percent of Fortune 500 Invests 14% of
companies are customers annual revenue in R&D*
* R&D investment is Non-GAAP

24. Symantec Is –
Symantec is a global leader in
providing security, storage, and
systems management solutions
to help consumers and
organizations
secure and manage
their information
and identities.

25. Symantec Salesforce.com Org Strategy
Business Internal
Sales Cloud – 7500 Custom Apps
Service Cloud – 4500 IT Apps
Channel – 40K Test bed
HVPU – 750K
Custom Apps
PMA
Internal
Discounts Org
Business Consumer
Social Org SF2SF Org Consumer
Chatter – 16K+ chatter users Service Cloud - 1500
Blogs – 51 blogs created Ideas
Ideas – 4 communities Custom Apps

26. Symantec’s Sharing Model
Role Hierarchy
• For Sales = Organizational Hierarchy
• For Service = Product and/or Region based
Territory Hierarchy = Sales Hierarchy (reporting only)
OWDs = Private
• ~80% visibility controlled by roles & sharing rules (ownership & criteria based)
• Remaining via manual & programmatic shares
Teams also used for setting default teams (not visibility)
Role & Territory Hierarchies modified annually

27. Before & Why – Role Reduction
~ 20K Standard roles vs. ~130K Portal roles
# of roles = 152,885 of 155K limit – 99% usage
• Approaching role limit
• Still deploying more Business Units
• Reporting cumbersome
• Simplify!
• Supports efficient, scalable, well performing org

28. How We Did It
• Portal role default = 3
• Analyzed sharing rules for no impacts
• Analyzed portal roles with no users
 Considered role creation date
• Via API, removed unnecessary portal roles
• Tested in a full copy sandbox
• Utilized a maintenance window for Prod
… and we’re not done yet …

29. Before and After
# of roles = 152,885 of 155K # of roles = 123,071 of 155K limit –
limit – 99% usage 79% usage
•Approaching role limit •Migrating to HVPU
•Still deploying business units •Need to review portal role defaults
•Cumbersome reporting •Flexible, scalable
•Simplify!

30. Beyond – Periodic Maintenance
Periodic maintenance to review sharing model (roles, sharing rules, TM)
• Data security architecture review currently underway
• Review portal role defaults with business with intent to decrease default
• Revisit each sharing rule – look for efficiencies
• Update sharing model documentation (hierarchy framework; sharing rules
spreadsheet)
Provides a holistic view
Onboarding (internal and consulting)
SFDC enhancements
This is a journey; not a destination

31. Key Take-Aways
• Have as simple a sharing model as possible
• Continuously look for efficiencies – keep roles trimmed
• Your sharing model is foundational to your platform
• Follow best practices for large scale org changes and sales team
realignments
• Take the time to read and understand the CCE white papers on sharing

32. Bud Vieira Sean Regan Robert Kraynak
CCE Technical Enablement CCE Technical Enablement Sr. Director
Salesforce Salesforce Change and Cloud Enablement
@aavra @sfdcsregan Symantec Corporation