Data Access Security
Veeva Professional Services

Module Objectives
Define Salesforce.com Data Access Security
Describe the different mechanisms for securing data access, including:
- Profiles
- Permission Sets
- Field Level Security
- Record Ownership
- Organization-Wide Defaults
- Role Hierarchy
- Territory Hierarchy
- Sharing Rules
Create and manage user accounts

2014 Veeva Systems Company Confidential veeva.com | 1


Profiles

Profile Definition
A profile is a collection of settings and permissions that determine:
- What users can see in the application user interface
- What users can do with what they see
Profiles are defined based on job functions such as System Administrator, Sales Representative, MSL, and Managed Markets
One profile can be assigned to many users, but a user can be assigned to only one profile at a time
Important to set up user profiles properly in the beginning
Minimize the number of profiles for maintenance


Accessing Profiles
To create or manage profiles:
Setup > Manage Users > Profiles
Profiles used by Veeva have the word Platform in their names

Application Access
An application is a collection of tabs
Typically, End-Users and Managers will have access to the Veeva CRM application only
Administrative users may have custom applications such as Samples Management, Territory Management, and Data Stewardship that provide a specialized arrangement of tabs

Tab Access
Tabs control the top level objects that users can access
- Default On: tab will always appear on the tab bar
- Default Off: tab is available from the +
- Tab Hidden: tab is not available to the user; users will not be able to search on objects whose tab is hidden
[Figure: tab bar, labeled Default On tabs, +, and Default Off tabs]

CRUD for Objects Access
Controls whether users of a profile can read, create, edit, and delete records for each standard or custom object
System Administrators also have the View All and Modify All permissions on all objects

Object Record Type Access
Record Type Settings control which record types are available for each object for users of a profile
Record types will be covered in detail later in the course
[Figure callouts: Control what Account record types this profile has access to; Control the default record type for this profile]

Field Level Security Access
Fields can be hidden or displayed to users in:
- Detail and edit pages, related lists, list views, reports
Example: Hide the Territory field on the Accounts page from the users but display it for the Admin
Note: FLS does not prevent searching on the values within a field if you have visibility to the object
[Figure: diagram labeled Functionality, Data, Objects, Records, Fields]

Setting FLS from a Profile
To set FLS on all objects and all fields for a single profile:
Setup > Manage Users > Profiles > [Profile] > Field-Level Security > [Field]

Setting FLS from an Object
To set FLS on a single field for all profiles:
Setup > Create > Objects > [Object] > [Field] > field detail page > Set Field-Level Security button
Setup > Customize > Accounts > [Fields] > field detail page > Set Field-Level Security button

Additional Access
Profiles are also used to configure:
Page Layout Assignment
- Which page layout(s) is being used for all objects per profile
Enable Apex Class Access
- Which Apex Classes users of this profile have access to execute
Enable Visual Force Page Access
- Which Visual Force Pages users of this profile have access to in the application

Permission Sets

Permission Sets
Grants permissions at the user level without having to modify or clone Profiles
Define Profiles with minimum permissions and then give additional permission to specific users
Can reduce the number of Profiles required
Set PermissionSet Support Veeva Setting to true

Defining Permission Sets
To create Permission Sets:
Setup > Administration Setup > Manage Users > Permission Sets
Create or edit Permission Set(s) as needed
Similar to defining a Profile

Defining Permission Sets
Select section and edit permissions

Assign Permission Sets
Once defined, assign Permission Sets to users
Click the Manage Assignments button
Can also assign Permission Sets from the user records
- Assign a Permission Set to up to 1000 users at a time

Record Access

Record Ownership
Fundamental element driving the concept of shared visibility to control how data is shared
All records in the system must have an Owner
By default, the owner of a record is the creator
An owner of a record has the following default rights to the record:
- View
- Edit
- Delete
- Transfer Ownership
- Sharing


Organization-Wide Defaults
OWD controls visibility to data records for each object
To access and set up OWD:
Setup > Security Controls > Sharing Settings

Organization-Wide Defaults
Organization-Wide Default (OWD) has 4 settings:
- Private: Allows only the record owner to view and edit the record
- Public Read: Allows all users to view records of an object regardless of record ownership
- Public Read/Write: Allows all users to view and edit records of an object regardless of record ownership; this is rare
- Controlled by Parent: Takes the OWD setting at the parent object, i.e., Address takes Accounts OWD setting

Organization-Wide Defaults
Lock down data to the most restrictive level, and then use profiles to selectively give users the ability to manipulate the data
If all users need to read Medical Events but some users need to edit them, then set the OWD to Public Read and grant certain user profiles Edit permission to the Medical Event object

Territory Hierarchy
Give users access to Accounts through territories
Applies only to the Veeva My Accounts
Accounts are aligned to one or more territories
Users are assigned to one territory (in some cases temporarily to more than one)
Visibility to accounts is shared up the territory hierarchy
To access and set up the Territory Hierarchy go to:
Setup > Manage Territories > Hierarchy
Add territories as well as edit, delete, and assign users to territories

Role Hierarchy
The Role Hierarchy gives managers visibility to the data with private OWD (excluding Accounts) owned by their direct reports
Also known as Vertical Sharing
To access and set up the Role Hierarchy go to:
Setup > Manage Users > Roles > Set Up Roles button
Add roles as well as edit, delete, and assign roles to users

Territories vs. Roles Best Practice
In Veeva implementations the Territory and Role hierarchies should be identical
Focus on creating the Territory hierarchy and then make the Role hierarchy exactly the same
[Figure: Territory Hierarchy; Role Hierarchy]

Sharing Rules
Private data can be shared when needed
Can be shared to users or public groups
Allow greater access for designated users
Can never be stricter than OWD settings
Often referred to as Horizontal Sharing

Accessing Sharing Rules
To access and set up Sharing Rules:
Setup > Security Controls > Sharing Settings > Sharing Rules
Configuration:
- Sharing Rules are defined for one-way sharing
- Two sharing rules are needed to share data between groups
- Create a Public Group to group individual users and/or roles
[Figure: Sharing Rule 1; Sharing Rule 2]

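Added example, not part of the original deck: a simplified Python model of the view decision described in the Record Access slides, combining the profile's Read permission on the object, record ownership, OWD, the role hierarchy, and one-way sharing rules between public groups. The "Call" object, the users, roles, and groups are constructed sample data; Controlled by Parent and territories are left out, and the model assumes visibility continues up the whole role chain above the owner.

```python
# Simplified model of record visibility built from the rules on these slides.
# All names and sample data below are constructed for illustration.
from dataclasses import dataclass

OWD = {"Call": "Private", "Medical Event": "Public Read"}  # per-object default
PROFILE_READ = {"Sales Rep": {"Call", "Medical Event"}, "MSL": {"Medical Event"}}
ROLE_PARENT = {"Rep East": "DM East", "Rep West": "DM West",
               "DM East": "VP Sales", "DM West": "VP Sales", "VP Sales": None}
GROUPS = {"East Team": {"amy"}, "West Team": {"bob"}}
# One-way rule: Calls owned by East Team members are shared to West Team.
SHARING_RULES = [("Call", "East Team", "West Team")]

@dataclass(frozen=True)
class User:
    name: str
    profile: str
    role: str

@dataclass(frozen=True)
class Record:
    obj: str
    owner: User

def is_above(manager_role, owner_role):
    """True if manager_role sits above owner_role in the role hierarchy."""
    role = ROLE_PARENT.get(owner_role)
    while role is not None:
        if role == manager_role:
            return True
        role = ROLE_PARENT.get(role)
    return False

def can_view(user, record):
    """Return (allowed, reason); the first mechanism that grants access wins."""
    if record.obj not in PROFILE_READ.get(user.profile, set()):
        return False, "profile has no Read on object"
    if record.owner == user:
        return True, "record owner"
    if OWD[record.obj] != "Private":
        return True, "OWD"
    if is_above(user.role, record.owner.role):
        return True, "role hierarchy"
    for obj, src, dst in SHARING_RULES:
        if (obj == record.obj and record.owner.name in GROUPS[src]
                and user.name in GROUPS[dst]):
            return True, "sharing rule"
    return False, "private and not shared"

amy = User("amy", "Sales Rep", "Rep East")
bob = User("bob", "Sales Rep", "Rep West")
dana = User("dana", "Sales Rep", "DM East")
mia = User("mia", "MSL", "Rep East")
```

Because the single rule is one-way, bob can view amy's Call but amy cannot view bob's; a second rule in the opposite direction would be needed for that.
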
Change Account Owner Workflow
The Veeva My Accounts tab displays an Account if
- The Account belongs to the user's territory
- The user owns the Account
Veeva implementations in which users are allowed to create Accounts
- Create a workflow that updates the Account Owner field and sets it to a designated Admin user
If the Accounts are realigned to different territories
- Users still see Accounts they own even though the account is no longer in the user's territory

User Management

User Management
In Salesforce, every user is identified by a username, password, a single profile and a single role, and one or more territories, which determine:
- What tasks users can perform
- What data they see
- What they can do with the data
Admins can also perform the following user management functions:
- Creating or inactivating users
- Resetting passwords
- Unlocking users
- Logging in as another user (Enable Login Permission required)


Accessing User Management
To set up and manage user accounts:
Setup > Manage Users > Users
[Figure callouts:]
- Click New User to create a new user
- Select a user and click Reset Password(s) to force users to change their passwords
- Click Edit to edit a user's account

Creating a New User
[Figure callouts:]
Username
- Must be unique across SFDC
- Generally set to user's email
Active
- Can't delete users
- If someone leaves, inactivate the user account
User License must be set to Salesforce Platform for Veeva licenses
Approver Settings
- If enabling an approval workflow, assign a manager

Add User to a Territory
To access and set up territory hierarchy through the UI:
Setup > Manage Territories > Hierarchy
Click the Add Territory link to build the territory hierarchy
Add user(s) to the territory's Assigned Users

Module Summary
Defined Salesforce.com Data Access Security
Described the different mechanisms for securing data access, including:
- Profiles
- Field Level Security
- Record Ownership
- Organization-Wide Defaults
- Role Hierarchy
- Sharing Rules
- Territory Hierarchy
Discussed how to manage and create user accounts

Labs
Create a role
Create a user profile
Access and create territories
Review OWD