Looking to understand how security is applied on Dashboards of the Salesforce Analytics Cloud powered by Wave?
Look no further!
I hope the following simplified version of the security implementation will help to explain the "How To" and helps anyone who wants to understand the security features.
The Data Security for Wave Dashboards does not have any correlation to the security settings setup within Salesforce platform. For ex., the Opportunity data could be locked down to the most restricted option within Salesforce, but once data is pulled into a Dataset within Wave, anyone who can access the data set can see all the data.
To restrict data access within Wave, Analytics Cloud provides a flexible row-level security option that could be implemented to individual Datasets.
To accomplish access control for each row within the Dataset, a filter condition called ‘Predicate’ is defined which is then executed when the Dataset is accessed by a user. Only the rows that match the security condition then trickle down to the user’s display.
The filter definition is quite flexible and can accommodate the most common security definitions as follows
- Record ownership based access
- Account/Opportunity team based access
- Role hierarchy based access
Ownership Based Sharing
How we apply the predicate filter depends on the data source, if Salesforce data is pulled into Analytics Cloud via native Dataflow, then the filter setting is added as part of the JSON section that registers the Dataset. However, if an external data like CSV file is used, then the metadata that defines header (columns) is where the predicate filter will be defined.
In our case, let us assume we would create a Dataset based on the Opportunity data within Salesforce. We shall use the native Dataflow option available in Analytics Cloud. Below JSON will read the Opportunity data and creates a new Dataset with the same.
First action “Extract_Opp” will fetch the data from Opportunity object with the list of fields defined in the process. The second action will then make use of the Opportunity data and creates a new Dataset along with the security predicate filter.
“rowLevelSecurityFilter” attribute on the sfdcRegister action will apply the predicate condition while rendering the Dataset/dashboard.
The expression on the left hand side should be a column on the Dataset and right side expression is a global variable where it references the “logged” in user’s id. For each row this condition is applied to see if the record owner matches the logged in user.
Only matching rows are filtered to the Dataset and eventually to the dashboard, if no rows match then below message is returned to the user.
“No results meet those criteria. Try changing your filters.”
Team Based Sharing
If Opportunity Teams are being used in an org and to have the dashboards display relevant data based on team membership, the below JSON would handle that.
‘UserId’ attribute from the Opportunity Team Member object is used to match against the logged in user id. We need additional process of ‘Augment’ so we can join the data coming in from two different objects - OpportunityTeamMember and Opportunity.
If record ownership needs to be added to this security filter, the follow criteria will work.
Role Hierarchy Sharing
To grant record access based on role hierarchy, on each record we need a column that holds a list of role ids of all users that are above the record owner in the hierarchy chain.
It is little more complicated than the above two sharing options. We need the below set of processes to get to the hierarchy based sharing
- Extract Opportunity
- Extract User
- Extract UserRole
- Flatten UserRole
This generates a column where a list of comma-separated role ids of all parents of each record owner
- Augment – Join user and UserRole
- Augment – Join UserwithRoles and Opportunity
- Register Dataset with predicate filter
CSV Data Security
When the source data is contained in a CSV file, the same predicate filters are applied along with the metadata that defines the number and type of columns included on the CSV.
In this scenario, ownerid is one of the columns on the CSV file and only rows that match with the logged in user is rendered on to the Dashboard/Dataset.
The basic use-case scenarios for implementing data security on the Salesforce Analytics cloud dashboard were illustrated in this document. For any additional information please feel free to reach out to us!