Introduction to Salesforce Security From the Perspective of Communities

Approaches to “Expose” access
 

Manual Sharing – An approach to expose “one-off” visibility to a given record.  Apex logic and users can manually grant other users access to certain records, including accounts, contacts and custom objects. In some cases, granting access to one record includes access to all its associated records. This method of granting access is typically used for anomalies where users need ad hoc access to records.

Child Records in Master Detail relationship –  A master detail is a special type of lookup used to associate records.  When using a master detail relationship the lookup becomes required on the child object and the child record has no owner.  All users with visibility to the parent inherit access to the parent’s master detail child records. Users require profile object level access for both the master and detail objects as a prerequisite for this approach.
Without Sharing Parameter – Used in Apex classes to override sharing settings and expose access to records, fields and objects, limited to the logic in the Apex.  When used carefully this can be a powerful tool to safely expose access to records that a user would not normally have access to via other means.  When used in conjunction with a Visualforce page it can be used to securely present data to end users.  Access to a given Visualforce page can be restricted to users with certain profiles.
Criteria Based Sharing Rule – Configurable functionality that exposes access to records that meet specific criteria to a group of users.
Territory Management 2.0 – Configurable functionality that exposes access to Accounts (and optionally access to all their associated records) via setup of “territories.” Includes a UI where administrators can configure a hierarchical tree of territories and up to 10 attributes for each territory.  Territory Management 2.0 is also extensible via Apex logic for more complex scenarios (e.g. account assignment by zip code). When accounts meet these criteria they are automatically associated to the territory.  A given account can be associated to multiple territories.  A given user can be associated to multiple territories. Since territories are hierarchical, users assigned to parent territories (e.g. United States, or West Coast in the example below) have visibility to the associated child territories (e.g. the states in the example below):
United States
    West Coast
        CA
        OR
        WA…
    East Coast
        MA
        NY
        FL…
    Midwest
        IL
        IN
        WI…
Record Ownership – Used in conjunction with the internal role hierarchy and the Partner Role Hierarchy. Records that are not children in a master detail relationship require an owner to be specified.  A record’s owner and that owner’s manager(s) (determined by role hierarchy) inherit access to the record, assuming they have object level access.
 
Internal Role Hierarchy – Not applicable for Community Users. A hierarchical tree of roles that often matches a company’s org chart. Leveraged in conjunction with record ownership, the role hierarchy allows a given user’s manager access to records that their subordinate(s) own.  All internal users are associated with one and only one role.
Partner Super User and Partner Role Hierarchy – Only available for Partner and Customer Community Plus licenses. Similar to the internal role hierarchy but limited to 3 tiers maximum and limited to a given partner’s organization (e.g. a given host family).  Can be used in conjunction with a partner account and is used to prevent a subordinate from obtaining access to a record owned by their manager.
Partner Super User Access – While it sounds scary, don’t worry! This is limited to a given partner’s account/organization. To ensure that users have visibility to records owned by other users in the same role for a given partner account, they should be granted partner super user access.
Public Organization Wide Default – Commonly referred to as OWDs, this is the setting for each object which sets default access for users.  For each object there is a separate internal (Salesforce) user and external (community) user OWD. OWD can be used to expose public read/write or public read only access to an object (e.g. Schools__c).
Approaches to “Restrict” access
Private Organization Wide Default – Commonly referred to as OWDs, this is the setting for each object which sets default access for users.  For each object there is a separate internal (Salesforce) user and external (community) user OWD. OWD can be used to restrict access to records by setting it to “private”.
 
Profile Object Level Security – All users must be associated to one and only one profile.  Object level security is managed on each profile and is the most blunt approach to remove access to an object across all the object’s records. Commonly referred to as “CRUD” access, object level security allows administrators to grant/restrict Create, Read, Update or Delete access to each object for a given profile.
 
Profile Field Level Security – All users must be associated to one and only one profile. Commonly referred to as “FLS”, field level security is set on each profile and is the most common approach to remove access to specific fields for a given object.  FLS allows the administrator to grant/restrict write or read only access to fields on a given object for a given profile. Visualforce pages and page layouts respect FLS for a given user.
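To make the interplay between the “restrict” and “expose” mechanisms above concrete, here is an added example (not code from the original post) that models the decision in JavaScript: profile CRUD and FLS act as a cap that no sharing mechanism can widen, while ownership, the role hierarchy, OWD, manual shares, criteria-based sharing rules and a “without sharing” class each add grants beneath that cap. The profiles, roles, users, the School__c record and the sharing rule are all constructed for illustration and do not correspond to a real org.

```javascript
// Added example, not code from the original post: a toy model of how the
// "restrict" layers (profile CRUD, FLS, a Private OWD) and the "expose" layers
// (ownership, role hierarchy, manual shares, criteria-based sharing rules,
// without-sharing Apex) combine into one effective access decision.
// All profile, role, user and record values below are constructed for illustration.

const LEVEL = { none: 0, read: 1, edit: 2 };

const org = {
  // Profile object-level (CRUD) and field-level (FLS) security: the gate that no
  // sharing mechanism can widen. "edit" FLS implies read.
  profiles: {
    "Customer Community": {
      crud: { School__c: { read: true, create: false, edit: false, delete: false } },
      fls: { School__c: { Name: "read", Budget__c: "none" } },
    },
    "Internal Standard": {
      crud: { School__c: { read: true, create: true, edit: true, delete: false } },
      fls: { School__c: { Name: "edit", Budget__c: "edit" } },
    },
  },
  // Separate internal and external OWD per object.
  owd: { School__c: { internal: "Private", external: "Private" } },
  // Internal role hierarchy as child role -> parent role.
  roleParent: { "Sales Rep": "Sales Manager", "Sales Manager": "VP Sales" },
  // Manual shares: one-off grants on a single record.
  manualShares: [{ recordId: "a01-001", userId: "u-partner", access: "read" }],
  // Criteria-based sharing rules: matching records are exposed to the listed users.
  sharingRules: [
    { object: "School__c", users: ["u-west"], access: "read", criteria: (r) => r.State__c === "CA" },
  ],
};

const users = {
  "u-owner":   { profile: "Internal Standard", role: "Sales Rep", internal: true },
  "u-manager": { profile: "Internal Standard", role: "VP Sales", internal: true },
  "u-west":    { profile: "Internal Standard", role: "Sales Rep", internal: true },
  "u-partner": { profile: "Customer Community", role: null, internal: false },
  "u-other":   { profile: "Customer Community", role: null, internal: false },
};

// Constructed School__c record owned by u-owner.
const school = { id: "a01-001", object: "School__c", ownerId: "u-owner", State__c: "CA" };

// True when managerRole sits anywhere above subordinateRole in the hierarchy.
function roleIsAbove(managerRole, subordinateRole) {
  for (let r = org.roleParent[subordinateRole]; r; r = org.roleParent[r]) {
    if (r === managerRole) return true;
  }
  return false;
}

function highest(levels) {
  return levels.reduce((best, l) => (LEVEL[l] > LEVEL[best] ? l : best), "none");
}

// Effective record-level access ("none" | "read" | "edit") for a user.
// viaWithoutSharingApex models a "without sharing" class: the sharing layer is
// skipped. In this model the profile cap still applies; real Apex only applies
// it when the class checks CRUD/FLS itself.
function recordAccess(userId, rec, { viaWithoutSharingApex = false } = {}) {
  const user = users[userId];
  const crud = org.profiles[user.profile].crud[rec.object];
  if (!crud || !crud.read) return "none"; // profile gate: nothing below can override it

  const grants = [];
  if (viaWithoutSharingApex) {
    grants.push("edit");
  } else {
    if (rec.ownerId === userId) grants.push("edit");
    const owner = users[rec.ownerId];
    if (user.internal && user.role && owner.role && roleIsAbove(user.role, owner.role)) grants.push("edit");
    const owd = org.owd[rec.object][user.internal ? "internal" : "external"];
    if (owd === "Public Read/Write") grants.push("edit");
    if (owd === "Public Read Only") grants.push("read");
    for (const s of org.manualShares) {
      if (s.recordId === rec.id && s.userId === userId) grants.push(s.access);
    }
    for (const rule of org.sharingRules) {
      if (rule.object === rec.object && rule.users.includes(userId) && rule.criteria(rec)) grants.push(rule.access);
    }
  }
  const best = highest(grants);
  return best === "edit" && !crud.edit ? "read" : best; // cap by profile CRUD
}

// Field access is the lesser of FLS and the record-level result.
function fieldAccess(userId, rec, field, opts) {
  const fls = org.profiles[users[userId].profile].fls[rec.object][field] || "none";
  const recLevel = recordAccess(userId, rec, opts);
  return LEVEL[fls] < LEVEL[recLevel] ? fls : recLevel;
}

// Access matrix for every constructed user; printed when run with `node`.
function accessMatrix(rec) {
  const out = {};
  for (const u of Object.keys(users)) {
    out[u] = { record: recordAccess(u, rec), Name: fieldAccess(u, rec, "Name"), Budget__c: fieldAccess(u, rec, "Budget__c") };
  }
  return out;
}

console.log(accessMatrix(school));
```

Running it shows the owner and the VP (via the role hierarchy) with edit, the west-coast rep with read from the sharing rule, the partner with read from the manual share but no visibility of Budget__c because FLS hides it, and the remaining community user with nothing at all under the private OWD. The same community user reached through a “without sharing” class still tops out at read, because the profile has no edit permission.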

Salesforce1 7.0 Now Available

A major new release of Salesforce1 (7.0) is now available and includes many new features documented in the Winter ’15 release notes, including:

New publisher action bar replaces the “+” button
Filter list views
“Feed”, “Details” and “Related” headers replace the “dots” on record details
Salesforce URLs clicked via email deep link into the Salesforce1 downloadable app

Get it here: https://itunes.apple.com/us/app/salesforce1/id404249815?mt=8

Salesforce Winter ’15 Release Blog


Service Cloud – A lot of cool upgrades to the Service Cloud console in Winter ’15.  Competitors like ZenDesk and ServiceNow have been killing it in the user experience department, so the Salesforce product managers have stepped up their game, taking advantage of new technologies like HTML5 and modern browsers to deliver a slicker presentation that will give developers better flexibility to cram even more context into the console for agents.
Branding – I’ve only ever come across one company that desired to brand their solution with their corporate identity, but it’s cool that you can now skin the console with custom colors.  This will help your agents remember who they work for and also will look great in demo videos that wouldn’t get many Vimeo hits.

Salesforce1 – If your users have not been bright enough to understand that you can swipe left and right to reveal the related list on a detail record, Salesforce1 replaces the “dots” with underlined text.  Similarly the “plus” button to view your publisher actions is going away in lieu of an “action bar” with more BlackBerry-esque publisher action icons always visible.

Data Pipelines –  This new approach to manipulating data, in Pilot for Winter ’15, is actually pretty sick if you currently have to perform mass manipulations of data in Salesforce.  This feature has the potential to make Salesforce better at what it is currently very bad at: quickly spinning through and manipulating data in a batch manner.  Previously you could only do this off platform or with Apex batch processing, which can be slow if you are dealing with a significant volume of records.  How can this now be accomplished? Hadoop databases.  Salesforce is basically going to allow an approach to move data from your objects to a separate Hadoop database within their data centers, manipulate/query the data, and reload the data into your objects using Apache Pig scripts.  What the hell are Apache Pig scripts, you ask? More details can be found here: http://pig.apache.org/.  Please note additional costs may apply for this feature. The logic can be executed from Apex, on a schedule, or via the API.

http://releasenotes.docs.salesforce.com/en-us/api_cti/release-notes/rn_forcecom_data_pipelines.htm

Winter ’15 lamest features:

Case Feed Enhancements – Does anybody ever use the case feed? If you have a good success story implementing case feeds please let me know!

Canvas Personal Apps – If you are reading this blog I’m assuming you have system administrator access to at least one Salesforce org.  This feature basically allows your end users to install canvas applications in your org, accessible via the Chatter tab.  The 3rd party would have to create a managed package and publish the link to your end users somehow.  I’m still trying to think of a use case for this.  If you can think of one or an approach to use this maliciously (for educational purposes) please message me.

Introduction to the salesforce console integration toolkit

Today we are going to introduce the Salesforce console integration toolkit, a JavaScript library that allows developers to create a unique user experience within the Salesforce console by customizing the presentation rendered to the user and integrating multiple disparate components within the console. A “component” could be a telephony adapter, an external web based application or Live Agent chat, but for the purposes of this post we will use the integration toolkit to integrate simple Visualforce pages within the console.

To begin leveraging the salesforce console I’ll demonstrate how a developer can:

1. Customize the user presentation by setting the title of the tab
2. Automatically open multiple tabs with applicable content upon viewing a record

After creating a new Visualforce page, the first thing we’ll need to do is add a reference to the library:

<apex:includeScript value="/support/console/29.0/integration.js"/>

This will load the javascript library when our page is accessed and expose all of the integration toolkit methods provided by the toolkit. For details on each method please reference: http://www.salesforce.com/us/developer/docs/api_console/index.htm. We are going to reference version 29 of the toolkit which is the latest and greatest at the time of posting which should allow us to access all documented methods.

Next I’ll add a reference to the Case standard controller and include an apex:detail tag which will present a case record as you’ve configured it in the associated page layout:

<apex:page showHeader="true" sidebar="false" standardController="Case">
    <head>
        <!-- JavaScript to go here -->
    </head>
    <body>
        <apex:detail subject="{!Id}"/>
    </body>
</apex:page>

Next I’ll configure the Case ‘view’ button to override the standard case page layout. This will navigate users to this custom page when viewing a case. I’ll also need to add https://ssl.bing.com to my salesforce console app’s domain whitelist.

Next I’ll add JavaScript with 2 key methods, “openSubtab” and “openNexttab”. These methods will open Bing and Salesforce Knowledge functionality, respectively, in new tabs within the console. They are triggered in succession, starting with the window.onload event, which fires when the page has finished loading. After calling the integration toolkit’s “setTabTitle” method, the “openSubtab” method is called. The unique identifier of the enclosing primary tab is required by the integration toolkit to open a subtab, so the getEnclosingPrimaryTabId method is called first to get it. Next a callback pattern is used to pass the result and open Bing within the console. Notice I’m passing the case subject to Bing as the query; because the subject is free text entered by a user, it is wrapped in JSENCODE and URLENCODE before being placed inside the JavaScript string and the URL. Now I could stop here if I only needed Bing to be automatically loaded in a new subtab, but I also want to launch a subtab with suggested internal knowledge articles, therefore I’ll include a callback to the openNexttab method that is triggered when the sforce.console.openSubtab method has fired. Chaining these methods together using the callback parameter allows me to present the subtabs in a consistent order.

<script type="text/javascript">

    // Open Bing in a new subtab of the enclosing primary tab, then chain to openNexttab
    function openSubtab() {

        // Callback: use the result's primary tab id to open a new subtab
        var openSubtabCallback = function(result) {
            // Case.Subject is user-entered text: URLENCODE makes it safe inside the query
            // string and JSENCODE makes it safe inside this JavaScript string literal
            sforce.console.openSubtab(result.id,
                'https://ssl.bing.com/search?q={!JSENCODE(URLENCODE(Case.Subject))}',
                false, 'Search Results...', null, openNexttab);
        };
        // Get the enclosing primary tab id; the callback above receives it
        sforce.console.getEnclosingPrimaryTabId(openSubtabCallback);
    }

    // Preserve any onload handler already registered, then run ours once the page has loaded
    var previousOnload = window.onload;
    window.onload = function() {
        if (previousOnload) {
            previousOnload();
        }
        sforce.console.setTabTitle('Case: {!JSENCODE(Case.CaseNumber)}');
        openSubtab();
    };

    // Called back once the Bing subtab has opened: open suggested Knowledge articles next
    function openNexttab() {

        // Callback: use the result's primary tab id to open a second subtab
        var openKnowledgeCallback = function(result) {
            sforce.console.openSubtab(result.id,
                '/knowledge/knowledgeHome.apexp?caseid={!JSENCODE(Case.Id)}',
                false, 'Suggested Solutions...');
        };
        // Get the enclosing primary tab id; the callback above receives it
        sforce.console.getEnclosingPrimaryTabId(openKnowledgeCallback);
    }

</script>

To test, navigate to an existing case within the console and observe 2 additional tabs render. Karate Explosion!
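The callback chain above only runs inside the console, which makes its ordering and its URL handling awkward to check. As an added example (not code from the original post), the same flow is written below against a small stand-in for sforce.console that records every call and hands back constructed tab ids; the sample case values are constructed too, and in the real page they would come from the Case standard controller’s merge fields. Because the stand-in calls back synchronously, the list of opened subtabs can be inspected straight after the call.

```javascript
// Added example, not code from the original post: the openSubtab -> openNexttab
// callback chain described above, driven against a small stand-in for
// sforce.console so that tab order and URL construction can be checked outside
// Salesforce. The stand-in, the tab ids it hands out and the sample case values
// are constructed; in the real page the case values come from the Case
// standard controller's merge fields.

function createConsoleStub() {
  const calls = [];      // every toolkit call, in the order it happened
  let nextSubtab = 1;
  return {
    calls,
    setTabTitle(title) {
      calls.push({ fn: "setTabTitle", title });
    },
    // The real toolkit calls back asynchronously with { success, id }; the
    // stand-in calls back immediately so results can be inspected after return.
    getEnclosingPrimaryTabId(callback) {
      callback({ success: true, id: "scc-primary-1" });
    },
    openSubtab(primaryTabId, url, active, label, id, callback) {
      calls.push({ fn: "openSubtab", primaryTabId, url, active, label });
      if (callback) callback({ success: true, id: "scc-sub-" + nextSubtab++ });
    },
  };
}

// The subject is free text typed by whoever logged the case, so it is encoded
// before it is placed in the query string (the Visualforce equivalent is
// URLENCODE/JSENCODE around the merge field).
function buildSearchUrl(subject) {
  return "https://ssl.bing.com/search?q=" + encodeURIComponent(subject);
}

function buildKnowledgeUrl(caseId) {
  return "/knowledge/knowledgeHome.apexp?caseid=" + encodeURIComponent(caseId);
}

// Mirrors the page's onload flow: set the title, open the search subtab, and
// only once its callback fires open the knowledge subtab, so the order is stable.
function openCaseTabs(sfConsole, caseRecord) {
  const opened = [];
  sfConsole.setTabTitle("Case: " + caseRecord.caseNumber);
  sfConsole.getEnclosingPrimaryTabId(function (primary) {
    if (!primary.success) return;
    sfConsole.openSubtab(primary.id, buildSearchUrl(caseRecord.subject), false,
      "Search Results...", null, function (searchTab) {
        if (!searchTab.success) return;
        opened.push(searchTab.id);
        sfConsole.getEnclosingPrimaryTabId(function (again) {
          sfConsole.openSubtab(again.id, buildKnowledgeUrl(caseRecord.id), false,
            "Suggested Solutions...", null, function (kbTab) {
              if (kbTab.success) opened.push(kbTab.id);
            });
        });
      });
  });
  return opened;
}

// Constructed case, with characters in the subject that would break an unencoded query string.
const demoCase = { id: "500000000000001AAA", caseNumber: "00001001", subject: 'Printer & fax offline? "urgent"' };
const demoConsole = createConsoleStub();
console.log(openCaseTabs(demoConsole, demoCase), demoConsole.calls);
```

Swapping the stub for the real sforce.console loaded by integration.js, and the caseRecord fields for JSENCODE’d merge fields, gives the same behaviour inside the console; the point of the stand-in is that the “Search Results…” tab is provably opened before “Suggested Solutions…”, and that a subject containing &, ? or quotes still produces a single, well-formed query parameter.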

Introduction to the Salesforce Console

The Salesforce Console for Service (and for Sales as of Winter ’14) improves user productivity by providing context via primary tabs and sub tabs and frames along the edges of a detail page that can be used to extend functionality using standard salesforce functionality, Visualforce & Apex, Canvas Apps and javascript.

Service Cloud Console App

To leverage the service cloud console you will first need to create a service cloud console app for your Service Cloud and assign it to user profiles. Similar to adding a typical salesforce app a new service cloud console app will add a new selection in the app picker select list in the top right hand corner of the application for users associated to assigned profiles and indicate which navigation tabs are available.  However additional customization options are available for a service cloud console app including but not limited to: enabling of live agent chat, indicating default presentation of records as primary tabs or child tabs for child objects, configuring push notifications and adding custom console components to the bottom application bar.

Primary and Sub Tabs

From within the Service Cloud Console a primary tab can be launched and have all information related to the primary tab via SubTabs under the primary tab.  This framework will make it very easy to access any additional information with just a single click and makes the primary tab a single logical area where all applicable details are available for a given entity.

Custom Console Components

Custom console components let you customize, extend, or integrate the footer, sidebars, highlights panels, and interaction logs of a Service Cloud console using Visualforce. Visualforce uses a tag-based markup language to give developers a more powerful way to build applications and customize the Salesforce user interface.

Users view the component when they access a given record or click a button in the bottom application bar of a console.

For example, you might want to create custom console components that present:

  • Third-party apps or data
  • Custom highlights panel
  • Chat or Softphone widgets
  • The location of contacts on Google maps
  • Messages from marquees
  • New cases on accounts or contacts
  • Knowledge Content

Unlike other Visualforce pages, you don’t have to set the standard controller on custom console components to the object whose page layout you’re customizing; however, the record ID of the detail component will be explicitly passed into each custom console component.

Primary and Sub Tab Components

Custom console components are presented alongside the detail or edit view of standard entities, in the left, right, top and bottom areas. Each component houses a Visualforce page, which can use the standard controller corresponding to the entity in the detail view, or a custom controller. Custom Console Components are configured to be presented at either the subtab or primary tab level. Primary tabs components are always presented upon focusing on a given primary tab regardless of which child subtab is in focus.  Sub tab components are only presented when there is focus on a given sub-tab.

Configuring Primary and Sub Tab Sidebars Custom Console Components

After you create a custom console component, its configuration is driven by the page layout of the associated primary tab or subtab detail record. Add or update components for a given page layout by clicking the “Custom Console Components” link near the top of the page layout editor.

A given user can have access to one or more service cloud console apps however the custom console components displayed are administered based on the page layout assigned to a given detail record type for a given user’s profile.  Therefore a user with a given profile would be presented the same custom console components for a given record regardless of which service cloud console app the agent is leveraging.

Configuring Custom Console Components as Bottom Application Bar Components

Add your component to an app if you want users to access your component from a button on the bottom application bar footer of any page or tab, such as a chat or SoftPhone widget, which is useful from any location.  In order to add components to the bottom application bar

Advanced Custom Component Tips

  1. Implement logic that needs to be available globally for a given service cloud console app, such as event triggers and listeners, as a hidden component in the app’s bottom application bar.  Click Hide when configuring your component to hide it from console users. Hidden components don’t display to console users, but they can still function in the background.
  2. You can add a Visualforce page as a component to the Top Sidebar or Bottom Sidebar of primary tabs after you turn off the highlights panel or interaction log on the appropriate page layouts.
  3. Standard page layouts will automatically mark containing tabs as ‘dirty’ when users are in the process of updating records with unsaved changes, which throws the warning shown below when users attempt to close the containing tab.  When implementing Visualforce pages, developers can leverage the setTabUnsavedChanges() method to toggle similar functionality on/off.