Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records


  • Open: IE, login as Sales Person; FF, login as Firefox; Apex Explorer; JTBOTSS; Eclipse
    1. Who Sees What When?
        • Using Dynamic Sharing Rules to Manage Access to Salesforce Records
        • John Westenhaver
        • Solution Architect
        • Spyrel, Inc.
    2. Salesforce Security Model
        • Profiles
        • Roles
        • Public Groups
        • Sharing
        • Setting Up Sharing Rules
        • Automatic Sharing Rules
        • Manual Sharing Rules
        • Master-Detail Sharing Rules
        • Dynamic Sharing Rules
    3. Profiles
        • Determine which objects you can read, create, edit, and delete
        • Determine which fields you can see on objects you can see
        • Determine which applications you can see
        • Determine which tabs you can see
        • Determine which record types you can see
        • Have no effect on access to specific records
    4. Roles
        • Establish a hierarchy of users
        • Users belonging to a role can view, edit, and report on all data owned or shared with users below them in the hierarchy
            • Unless the Grant Access Using Hierarchies checkbox is un-checked on the Organization-Wide Defaults list for an object
        • Establish hierarchical access rights to records, not position on the company org chart
        • Are created automatically for customer portal users
    5. Public Groups
        • Are an arbitrary collection of users
        • Can be used to set up sharing rules when roles will not work due to business rules
    6. Sharing Rules
        • Automatic Sharing Rules
            • Pros: automatic, configurable, criteria-based rules for custom objects
            • Cons: multi-record, inflexible, criteria-based rules not available for standard objects
        • Manual Sharing Rules
            • Pros: flexible, configurable
            • Cons: manual, single-record, cannot use criteria-based rules
        • Dynamic Sharing Rules
            • Pros: flexible, automatic, multi-record
            • Cons: requires programming, cannot use criteria-based rules
    7. Setting Up Sharing Rules
        • Go to Setup | Security | Sharing Settings
        • Click the Edit button to set up Organization-Wide Defaults
            • If set to Public Read/Write, anyone can see and edit it
            • If set to Public Read Only, anyone can see it
            • If set to Private, only record owners and users, roles, and public groups granted access via sharing rules can see it
    8. Setting Up Sharing Rules
    9. Setting Up Sharing Rules
        • All custom objects have three options:
            • Public Read/Write
            • Public Read Only
            • Private
        • Standard objects have special rules
        • Uncheck the Grant Access Using Hierarchies checkbox to disable access to records via role hierarchies
    10. Standard Object Automatic Sharing Rules
        • Go to Setup | Security | Sharing Settings
        • Scroll down past the Organization-Wide Defaults section
        • Click the New button for any standard object
    11. Standard Object Automatic Sharing Rules
        • Select a public group, queue, or role that owns the records you want to automatically share
            • This does not work for individual users
        • Select a public group or role that you want to share these records with
        • Select the access rights these users will have
    12. Custom Object Automatic Sharing Rules
        • Go to Setup | Security | Sharing Settings
        • Scroll down past the Organization-Wide Defaults section
        • Click the New button for any custom object
        • Choose whether to create an owner-based or criteria-based sharing rule
    13. Custom Object Automatic Sharing - Owner
    14. Custom Object Automatic Sharing - Criteria
    15. Manual Sharing Rules
        • For any object with Private or Public Read Only access permissions, the Sharing button becomes available.
        • Click on the Share button to manually create sharing rules for this record.
    16. Manual Sharing Rules
        • A list of all existing sharing rules is displayed, both manual and automatic
        • Click the Add button to add another sharing rule for this specific record
    17. Manual Sharing Rules
    18. Manual Sharing Rules
        • Select a public group, role, or user with which to share this record
        • Select the access rights you want to share
        • Standard objects may have special access rights
        • When sharing an Account, you can also set access rights to the Opportunities and Cases associated with that Account
        • Custom objects only have two options for access rights:
            • Read Only
            • Read/Write
    19. Master-Detail Sharing Rules
        • Apply only to master-detail relationships
        • Sharing rules defined for the master record define how access to detail records will be granted, based on this setting
        • Sharing rules cannot be defined for detail records in a master-detail relationship
    20. Dynamic Sharing Rules Demo
        • User Roles
            • Salesperson
            • Project Manager
        • Requirements
            • All users will have access only to those records they need to do their jobs.
            • Identify the Project Manager for any Installation Opportunity before it can be closed.
            • Create a new Installation Project owned by the Project Manager whenever an Installation Opportunity is closed.
            • Create a new Installation Case for each Opportunity Product whenever an Installation Opportunity is closed.
    21. Dynamic Sharing Rules Demo
        • More Requirements
            • Automatically add the Project Manager to the Project Team.
            • Automatically grant the Salesperson read-only access to the Installation Project.
            • Automatically grant the Project Manager read-only access to the Installation Opportunity.
            • Whenever a new Team Member is added to the Project Team, grant that user edit access to all Project Cases.
            • Whenever a new Project Case is added, grant all Project Team members edit access to that Project Case.
    22. Dynamic Sharing Rules Demo
        • SharingTools.cls
            • Sharing constants
            • doSharingTriggers
            • Deriving group ID from role name for customer portal roles
        • opportunityAfterInsertUpdate.trigger
        • projectAfterInsertUpdate.trigger
        • teamMemberAfterInsertUpdate.trigger
        • caseAfterInsertUpdate.trigger
    23. Things To Watch Out For
        • Criteria-based sharing rules cannot be created dynamically as of Spring ’11.
        • If a user has the View All permission, this overrides any sharing rules. This is why System Administrators automatically see all records, regardless of sharing rules.
        • You cannot use Apex to share a record with the owner of that record; this results in the barely documented INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY error.
    24. More Things To Watch Out For
        • As a best practice, always use the “with sharing” keywords when writing Apex.
        • All custom sharing objects are named Object__Share, with two underscores and no “__c”.
        • All standard sharing objects are named ObjectShare, with no underscores.
        • The field names for all custom sharing objects are exactly the same; however, the field names for all standard sharing objects are specific to that object.
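
The naming rules and the owner restriction from slides 23 and 24, applied to the read-only grants required on slide 21. This is an added example, not the presenter's SharingTools.cls. It assumes the Installation Project is a custom object with the hypothetical API name Project__c and a Private organization-wide default, so that Project__Share exists.

```apex
// Added example. Project__c / Project__Share and the class name are assumptions.
public with sharing class ProjectSharingExample {

    // Custom sharing objects always use ParentId / UserOrGroupId / AccessLevel.
    public static Project__Share projectShare(Id projectId, Id userOrGroupId, String access) {
        return new Project__Share(
            ParentId      = projectId,
            UserOrGroupId = userOrGroupId,
            AccessLevel   = access,   // 'Read' or 'Edit'
            RowCause      = Schema.Project__Share.RowCause.Manual);
    }

    // Standard sharing objects use field names specific to the object.
    public static OpportunityShare opportunityShare(Id oppId, Id userOrGroupId, String access) {
        return new OpportunityShare(
            OpportunityId          = oppId,
            UserOrGroupId          = userOrGroupId,
            OpportunityAccessLevel = access);
    }

    // Grants each mapped user read-only access to a project.
    // Returns the error messages of any share rows that could not be inserted.
    public static List<String> shareProjectsReadOnly(Map<Id, Id> userIdByProjectId) {
        List<Project__Share> rows = new List<Project__Share>();
        for (Project__c p : [SELECT Id, OwnerId FROM Project__c
                             WHERE Id IN :userIdByProjectId.keySet()]) {
            Id userId = userIdByProjectId.get(p.Id);
            // Sharing a record with its own owner fails with
            // INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY, so skip those rows.
            if (userId != null && userId != p.OwnerId) {
                rows.add(projectShare(p.Id, userId, 'Read'));
            }
        }
        List<String> errors = new List<String>();
        // allOrNone = false: one bad row does not roll back the other grants.
        for (Database.SaveResult r : Database.insert(rows, false)) {
            if (!r.isSuccess()) {
                errors.add(r.getErrors()[0].getMessage());
            }
        }
        return errors;
    }
}
```

Returning the failed rows to the caller keeps a rejected grant from passing silently, which matters when the requirement is that users see only the records they need.
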
    25. Sharing Rules & The Customer Portal
        • Whenever a customer portal user is created, he is automatically assigned to a role that is created automatically
        • If Organization-Wide Defaults are set to private for objects visible on the customer portal, then sharing rules must be defined
        • Customer portal roles have three possible names:
            • [Account Name] Customer Executive
            • [Account Name] Customer Manager
            • [Account Name] Customer User
    26. Sharing Rules & The Customer Portal
        • By default, the lowest level role (Customer User) is assigned to new customer portal users
        • You need to determine which customer portal role will be necessary to meet your requirements
        • You may use one, two, or three different customer portal roles
        • When creating dynamic sharing rules, you have to derive the role name and then look up the Group ID associated with this role
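
The role-name derivation and Group lookup described on slide 26, written as a bulk-safe helper. This is an added example, not the presenter's code; the class and method names are hypothetical. The returned Group Id is what goes into UserOrGroupId on a share row.

```apex
// Added example. Class and method names are assumptions, not from the slides.
public with sharing class PortalRoleGroupExample {

    public static final String CUSTOMER_USER = ' Customer User';

    // Returns Account Id -> Id of the Group that represents that account's
    // portal role. Accounts with no matching portal role are left out.
    public static Map<Id, Id> groupIdByAccountId(Set<Id> accountIds, String roleSuffix) {
        // Step 1: derive the role name, "[Account Name] Customer User".
        Map<Id, String> roleNameByAccountId = new Map<Id, String>();
        for (Account a : [SELECT Id, Name FROM Account WHERE Id IN :accountIds]) {
            roleNameByAccountId.put(a.Id, a.Name + roleSuffix);
        }

        // Step 2: find the roles. Matching on PortalAccountId as well as Name
        // keeps two accounts that share a name from receiving each other's role.
        Map<Id, Id> accountIdByRoleId = new Map<Id, Id>();
        for (UserRole r : [SELECT Id, Name, PortalAccountId FROM UserRole
                           WHERE Name IN :roleNameByAccountId.values()
                           AND PortalAccountId IN :roleNameByAccountId.keySet()]) {
            if (r.Name == roleNameByAccountId.get(r.PortalAccountId)) {
                accountIdByRoleId.put(r.Id, r.PortalAccountId);
            }
        }

        // Step 3: each role has a Group of Type 'Role' whose RelatedId is the role Id.
        Map<Id, Id> result = new Map<Id, Id>();
        for (Group g : [SELECT Id, RelatedId FROM Group
                        WHERE Type = 'Role'
                        AND RelatedId IN :accountIdByRoleId.keySet()]) {
            result.put(accountIdByRoleId.get(g.RelatedId), g.Id);
        }
        return result;
    }
}
```
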
    27. How Do I Get My Hands On This Code?
    28. John Westenhaver
        • Who Sees What When?
        • Solution Architect
        • Spyrel, Inc.
        • john@spyrel.com