Abstract image of a woman sitting on books and studying on a laptop

2020 07-08 fireside chat sharing architecture

J
Jihun Jung

Jihun Jung will give a presentation on Salesforce data accessibility architecture. The presentation will include an introduction, overview of different types of data access including license models and sharing model components, and considerations for implementation. The sharing model components that will be covered include profiles and permission sets, record ownership, organization-wide defaults, role hierarchy, public groups, sharing rules, teams, territory management, and programmatic sharing. Best practices for implementation such as limiting the number of hierarchies, groups, and rules will also be discussed.

Internet
1 of 36
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
2020 07-08 fireside chat sharing architecture
2020 07-08 fireside chat sharing architecture
2020 07-08 fireside chat sharing architecture
Jihun Jung
Agenda ● Welcome / Introduction ○ Say Hello / Self Introduction / Icebreaking ● Sharing Architecture Overview ○ Introduction ○ Types of Data Access ○ Considerations ● Wrap up ○ Session feedback ○ Take a Capture :)
Past meeting ● 4. 04 The impact COVID 19 has had on you ● 4. 11 Ask Salesforce Certification Anything! ● 4. 18 Fireside chat (Tip & Resource) ● 4. 25 Certification story contest ● 5. 02 Lightning Flow ● 5. 09 Ask an Expert Online ● 5. 27 Virtual Dreamin’ ● 6. 10 Dynamic Pages ● 6. 24 Implicit Sharing
Sharing Architecture Overview ⚫ Introduction ⚫ Types of Data Access ■ License ■ Components ⚫ Considerations
The Salesforce sharing model is an essential element in your organization's ability to provide secure application data access. Therefore, it's crucial to architect your sharing model correctly to meet your current and future data access requirements. Not Covered The topics not covered in Data Accessibility Architecture: • Folder access • Content access • Chatter access • Knowledge Base access • Ideas, Questions/Answers access • Salesforce2Salesforce • Mobile data accessibility Introduction
License • Full Sharing Model Usage Users/Licenses • High Volume Customer Portal License • Chatter Free License Types of Data Access Components • Profiles and Permission Sets • Record Ownership and Queues • Organization-Wide Defaults • Role Hierarchy • Public Groups • Ownership-based Sharing Rules • Criteria-based Sharing Rules • Manual Sharing • Teams • Territory Hierarchy • Account Territory Sharing Rules • Programmatic Sharing • Implicit Sharing
Full Sharing Model Usage Users/Licenses Most Standard Salesforce license types take full advantage of the sharing model components. The license might not make a module accessible, or even some objects accessible. For example, the Free edition can't access any CRM objects. However, the sharing entities, and functionality, still exists and is ready when and if the module ever does become active. High Volume Customer Portal License High Volume Customer Portal (HVPU) license users (including Community and Service Cloud license users) do not utilize the sharing model. HVPU licenses have their own sharing model that works by foreign key match between the portal user (holding the license) and the data on Account and Contact lookups. HVPU license is only used for the Customer Portal and not the Partner Portal. Chatter Free License The Chatter Free license doesn't follow the standard sharing model. Chatter Free is a collaboration-only license with the following features: Chatter, Profile, People, Groups, Files, Chatter Desktop, and limited Salesforce app access. The license doesn't have access to CRM records (standard or custom objects) and Content functionality, and therefore, there is no sharing. License
Profiles and Permission Sets Profiles and permission sets provide object-level security by determining what types of data users see and whether they can edit, create, or delete records. For each object, the “View All” and “Modify All” permissions ignore sharing rules and settings, allowing administrators to quickly grant access to records associated with a given object across the organization. These permissions are often preferable alternatives to the “View All Data” and “Modify All Data” administrative permissions. Profiles and permission sets also control field-level security, which determines the fields within every object that users can access. For example, an object may have 20 fields, but field-level security can be set up to prevent the users from seeing five of the 20 fields. Components
Record Ownership and Queues Every record must be owned by a single user or a queue. The owner has access to the record, based on the Object Settings for the owner’s profile. For example, if the owner’s profile has Create and Read permission on an object, but not Edit or Delete permission, the owner can create a record for the object and see the new record. However, the owner won't be able to edit or delete the record. Users higher in a hierarchy (role or territory) inherit the same data access as their subordinates for standard objects. Managers gain as much access as their subordinates. If the subordinate has read-only access, so will the manager. This access applies to records owned by users, as well as records shared with them. Queues help you prioritize, distribute, and assign records to teams who share workloads. Queue members and users higher in a role hierarchy can access queues from list views and take ownership of records in a queue. If a single user owns more than 10,000 records, as a best practice: Ownership skew The user record of the owner should not hold a role in the role hierarchy. If the owner's user record must hold a role, the role should be at the top of the hierarchy in its own branch of the role hierarchy. Components
Organization-Wide Defaults Organization-wide sharing settings specify the default level of access users have to each others’ records. You use organization-wide sharing settings to lock down your data to the most restrictive level, and then use the other record-level security and sharing tools to selectively give access to other users. For example, let’s say users have object-level permissions to read and edit opportunities, and the organization-wide sharing setting is Read- Only. By default, those users can read all opportunity records, but can’t edit any unless they own the record or are granted additional permissions.. Organization-wide defaults are the only way to restrict user access to a record. Organization-wide default settings can be changed from one setting to another (private to controlled by parent, then back to private); however, these changes require sharing recalculation and depending on volume could result in very long processing times. For custom objects only, use the Grant Access Using Hierarchies setting, which if unchecked (default is checked), prevents managers from inheriting access. This setting is found in the organization-wide default settings. Components
Role Hierarchy (1/2) A role hierarchy represents a level of data access that a user or group of users needs. The role hierarchy ensures that managers always have access to the same data as their employees, regardless of the organization-wide default settings. Role hierarchies don't have to match your organization chart exactly. Instead, each role in the hierarchy should represent a level of data access that a user or group of users needs. An organization is allowed 500 roles; however, this number can be increased by Salesforce. As a best practice, keep the number of non-portal roles to 25,000 and the number of portal roles to 100,000. As a best practice, keep the role hierarchy to no more than 10 levels of branches in the hierarchy. When a user's role changes, any relevant sharing rules are evaluated to correct access as necessary. Peers within the same role don't guarantee them access to each other's data. Components
Role Hierarchy (2/2) Modeling the role hierarchy begins with understanding how the organization is structured. This is usually built from understanding a manager’s scope, starting from the top. The CEO oversees the entire company. The CEO usually has direct reports that can then be segmented by Business Unit (Sales or Support) or geographical region (EMEA, APAC). That person then has direct reports that could be further segmented, and so on. Although this sounds very much like an HR organizational chart, and we have said they might be very much alike, keep in mind, when modeling data access, focus on data accessibility with a consideration to HR reporting. Overlays are always the tricky part of the hierarchy. If they're in their own branch, they'll require either sharing rules, teams, or territory management to gain needed access. If they are folded into the hierarchy, there might be reporting implications. It's important to spend the time setting up the role hierarchy because it's the foundation for the entire sharing model. Components
Components Role Hierarchy Use Cases Management access – the ability for managers to be able to see and do whatever their subordinates can see and do. Management reporting – the ability for reporting to roll up in a hierarchical fashion so that anyone higher in the hierarchy sees more data than those below them. Segregation between organizational branches – different business units don’t need to see each other’s data; having a hierarchy in which you can define separate branches allows you to segregate visibility within business units, while still rolling visibility up to the executive levels above those units. Segregation within a role – in many organizations/applications, people who all play the same role should not necessarily see each other’s data. Having hierarchical roles allows you to define a “leaf” node in which all data is essentially private, and still roll that data up to a parent role that can see all.
Public Groups A public group (not Chatter group) is a collection of individual users, roles, territories, and so on, that all have a function in common. Public groups can consist of: • Users, Customer Portal Users, Partner Users • Roles, Internal Subordinates, Internal and Portal Subordinates, Portal Roles, Portal Roles and Subordinates • Territories, Territories and Subordinates • Other public groups (nesting) Groups can be nested (Group A nested into Group B), however don't nest more than five levels. Nesting has an impact on group maintenance and performance due to group membership calculation. As a best practice, keep the total number of public groups for an organization to 100,000. Components
Components Public Groups Use Cases When you need to provide access to an arbitrary group of people, you create a public group to collect them, and then use other sharing tools to give the group the necessary access. Group membership alone doesn't provide data access. Groups can also be nested inside each other, therefore, allowing a nested group to gain the same access as the group in which it is contained. This allows the creation of smaller, ad-hoc hierarchies that don’t necessarily interact with the role or territory hierarchies. If Group A is a member of Group B, then the members of Group A will have access to data shared to Group B at the same access level as the members of Group B. Groups also have the ability to protect data shared in the group from being made accessible to people in the role hierarchy above the group members. This (and dealing with the access of record owners and their management hierarchy) allows the creation of groups in which very highly confidential information can be shared—the data will be accessible ONLY to group members, and nobody else in the organization. This is accomplished by using the Grant Access Using Hierarchies setting.
Ownership-based Sharing Rules Ownership-based sharing rules allow for exceptions to organization-wide default settings and the role hierarchy that give additional users access to records they don’t own. Ownership-based sharing rules are based on the record owner only. Contact ownership-based sharing rules don't apply to private contacts(not related Account). As a best practice, keep the number of ownership-based sharing rules per object to 1,000. Components Ownership-based Sharing Rule Use Cases Role-based matrix management or overlay situations: a person in Service needs to be able to see some Sales data, but they live in different branches of the hierarchy, so you can create a rule that shares data between roles on different branches. To provide data access to peers who hold the same role/territory. To provide data access to other groupings of users (public groups, portal. roles, territories). The members of the groupings who own the records can be shared with the members of other groupings.
Criteria-based Sharing Rules Criteria-based sharing rules provide access to records based on the record’s field values (criteria). If the criteria are met (one or many field values), then a share record is created for the rule. Record ownership is not a consideration. As a best practice, keep the number of criteria-sharing rules per object to 50; however, this can be increased by Salesforce. Components
Manual Sharing Sometimes it’s impossible to define a consistent group of users who need access to a particular set of records. In those situations, record owners can use manual sharing to give read and edit permissions to users who would not have access to the record any other way. Although manual sharing isn’t automated like organization-wide sharing settings, role hierarchies, or sharing rules, it gives record owners the flexibility to share particular records with users that need to see them. Manual sharing is removed when the record owner changes or when the sharing access granted doesn't grant additional access beyond the object's organization-wide sharing default access level. This also applies to manual shares created programmatically. Only manual share records can be created on standard objects. Manual share records are defined as share records with the row cause set to manual share. All share records (standard and custom objects) with a row cause set to manual share can be edited and deleted by the Share button on the object's page layout, even if the share record was created programmatically. Components
Teams A team is a group of users that work together on an account, sales opportunity, or case. Record owners can build a team for each record that they own. The record owner adds team members and specifies the access level each team member has to the record. Some team members can have read-only access, while others have read/write. Only owners, people higher in the hierarchy, and administrators can add team members and provide more access to the member. A team member with read/write access can add another member who already has access to the record with which the team is associated. The team member can't provide them additional access. Creating a team member in the app creates two records: a team record and an associated share record. If you create team members programmatically, you have to manage both the team record and associated share record. There is only one team per record (Account, Opportunity or Case). If multiple teams are needed, depending on your specific needs consider territory management or programmatic sharing The team object is not a first-class object. You can't create custom fields, validations rules, or triggers for teams Components
Territory Hierarchy The territory hierarchy is a single dimensional, additional hierarchy which can be structured by business units or any kind of segmentation in a hierarchical structure. When territory management is enabled you must manage both the role hierarchy and territory hierarchy. Territories exist only on Account, Opportunity and master/detail children of Accounts and Opportunities. As a best practice, keep the territory hierarchy to no more than 10 levels of branches in the hierarchy. If the assignment rules for a territory are changed, sharing rules using that territory as the source will be recalculated. Likewise, if the membership of a territory changes, any ownership- based sharing rules that use the territory as the source will be recalculated. Components
Territory Management Use Cases Multiple groups of people (multiple teams) require either read-only or read/write access to accounts. An additional hierarchical structure (different from the role hierarchy) is needed. A single user needs to hold multiple levels in the hierarchy. Global users (GAM – global account manager) need to see everything from the global account downward. Components
Account Territory Sharing Rules Account territory sharing rules become available only when the original territory management feature has been enabled for an organization. These sharing rules provide access to Account records that have been stamped with the Territory defined in the rule. Account Territory Sharing Rule Use Case To provide data access to accounts within a territory (not based on ownership) to a grouping of users. Applies only to accounts and when territory management is enabled. Components
Programmatic Sharing Programmatic sharing (formally Apex-managed sharing) allows you to use code (Apex or other) to build sophisticated and dynamic sharing settings when a data access requirement cannot be met by any other means. If you create a share record programmatically, and the out-of-box row cause (manual share) is used, then you can maintain this share record with the Share button in the app. The share record is subject to all rules with the manual share row cause such as deletion upon owner transfer. Review https://developer.salesforce.com/page/Using_Apex_Managed_Sharing_to_Create_Custom_Recor d_Sharing_Logic before you consider using programmatic sharing. Components
Programmatic Sharing Use Cases No other method of sharing (declarative) meets the data access needs. There is an existing, external system of truth for user access assignments which will continue to drive access and be integrated with Salesforce. Poor performance by using native sharing components. (Usually applies to very large data volumes) Team functionality on custom objects. Components
Implicit Sharing Implicit sharing is automatic. You can neither turn it off, nor turn it on—it is native to the application. In other words, this isn't a configurable setting; however, it's very important for any architect to understand. Parent, Child, Portal , High Volume, High Volume Parent For more information, see the recording of the previous meeting. https://www.youtube.com/watch?v=GDdwB6Icu4Q Components
Role Hierarchy • Make simple, it should be possible to flatten • Use territory hierarchy as your “sales” hierarchy if there need other hierarchy • Don’t making the role hierarchy and territory hierarchy identical Teams • Territory hierarchy is better to do it there than to use teams • Only implement teams if no other existing sharing component will satisfy the requirement Realignment and Reassignment • Considered are the volume of changes and the number of cascading changes that each change will cause • Hierarchy structural changing can be resource expensive Considerations
Large Data Volumes • The modeling for the initial rollout or a realignment change are testing out your changes in a sandbox is highly recommended before production. • Have implemented teams or Territory Management, you especially need to pay attention to performance Defer Sharing Calculations • Enabled by Salesforce Support to defer automatic sharing calculations. Data Skews/Ownership Skews • As a best practice, keep the ratio as close to 1:10,000 as possible (lower is preferred) • The user record of the owner should not hold a role in the role hierarchy. Or be at the top of the hierarchy • We will be holding a session in the near future The Account Hierarchies Impact on Data Access • the account hierarchy does not drive access between two Account records with a parent/child relationship Considerations
A Guide To Sharing Architecture • https://resources.docs.salesforce.com/226/latest/en- us/sfdc/pdf/sharing_architecture.pdf User Licenses • https://help.salesforce.com/articleView?id=users_understanding_license_types.htm Sharing a Record Using Apex • https://developer.salesforce.com/docs/atlas.en- us.apexcode.meta/apexcode/apex_bulk_sharing_creating_with_apex.htm Source
Wrap up • Session feedback • Next is... • Take a Capture :)
TrailheaDX 2020 Global Gathering We’re excited to bring our Trailblazers together to talk about the TrailheaDX 2020 highlights. Event details to be announced soon - please RSVP to receive updates!
Thanks for Like, Share, Follow, Connect ☺ Please comment anywhere in the Korea user group Chatter, Facebook, or LinkedIn.
Trailblazer Community Conference Certification Voucher Winner Presented to: [Your Name] Date: [April, 25, 2020] Certification Redemption Code: [B1mi|iBn1d@] Expires on: [August, 30, 2021] Free vouchers will be provided by lottery at events with over 10 attendees.
$100 off $200: SFAPACCERTDAYS042020S

More Related Content

PPTX
Introduction to the sharepoint 2013 userprofile service By Quontra
QUONTRASOLUTIONS
 
PPTX
Managed metadata in SharePoint 2010
Slides2ShareFromPallavi
 
PPT
Dbms
Tej Kiran
 
PPT
Dbms
Tej Kiran
 
PPT
Dbms
Tej Kiran
 
DOCX
Are you mdm aware
Dr.Dinesh Chandrasekar PhD(hc)
 
PPTX
SharePoint 2010 User Profile Sync
Nilesh Mehta
 
PPTX
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Henry Ong
 
Introduction to the sharepoint 2013 userprofile service By Quontra
QUONTRASOLUTIONS
 
Managed metadata in SharePoint 2010
Slides2ShareFromPallavi
 
Dbms
Tej Kiran
 
Dbms
Tej Kiran
 
Dbms
Tej Kiran
 
Are you mdm aware
Dr.Dinesh Chandrasekar PhD(hc)
 
SharePoint 2010 User Profile Sync
Nilesh Mehta
 
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Henry Ong
 

What's hot (20)

PPTX
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
Knowledge Management Associates, LLC
 
PPTX
Introduction to the SharePoint 2013 User Profile Service
Regroove
 
PPT
SharePoint 2010 Managed Metadata Service
Craig Pilkenton
 
PDF
SIF IDM Profile Introduction
Richard Tong
 
PPTX
Chris McNulty - Managed Metadata and Taxonomies
SharePoint Saturday NY
 
PPT
Ideas
thowell
 
PDF
Database Management System
RHIMRJ Journal
 
PPTX
Database software
JahidHussain13
 
DOCX
Share point server 2016 as a document management solution
Raghunathan M.S.
 
PPTX
SharePoint 2010 Managed Metadata Service Application
Mohamed Abdeen
 
PPTX
SharePoint 2010 Managed Metadata
Nick Hobbs
 
PPTX
Database administration
Anish Gupta
 
PPTX
Metadata management in SharePoint
Metataxis
 
PPTX
Dbms
Surkhab Shelly
 
PDF
Mastering data-modeling-for-master-data-domains
Chanukya Mekala
 
PPTX
DATABASE MANAGEMENT
MiXvideos
 
PPT
Enterprise Information Catalogue Another Way
Victor Zhang
 
PPT
Lecture 00 introduction to course
emailharmeet
 
PPT
Data Models [DATABASE SYSTEMS: Design, Implementation, and Management]
Usman Tariq
 
PPTX
Dc2010 fanning
Betsy Fanning
 
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
Knowledge Management Associates, LLC
 
Introduction to the SharePoint 2013 User Profile Service
Regroove
 
SharePoint 2010 Managed Metadata Service
Craig Pilkenton
 
SIF IDM Profile Introduction
Richard Tong
 
Chris McNulty - Managed Metadata and Taxonomies
SharePoint Saturday NY
 
Ideas
thowell
 
Database Management System
RHIMRJ Journal
 
Database software
JahidHussain13
 
Share point server 2016 as a document management solution
Raghunathan M.S.
 
SharePoint 2010 Managed Metadata Service Application
Mohamed Abdeen
 
SharePoint 2010 Managed Metadata
Nick Hobbs
 
Database administration
Anish Gupta
 
Metadata management in SharePoint
Metataxis
 
Dbms
Surkhab Shelly
 
Mastering data-modeling-for-master-data-domains
Chanukya Mekala
 
DATABASE MANAGEMENT
MiXvideos
 
Enterprise Information Catalogue Another Way
Victor Zhang
 
Lecture 00 introduction to course
emailharmeet
 
Data Models [DATABASE SYSTEMS: Design, Implementation, and Management]
Usman Tariq
 
Dc2010 fanning
Betsy Fanning
 
Ad

Similar to 2020 07-08 fireside chat sharing architecture (20)

PPTX
Salesforce sharing and visibility Part 1
Ahmed Keshk
 
PDF
recordsharingmodelinsalesforce-170519074428.pdf
rohitgupt1
 
PPTX
Record sharing model in salesforce
Sunil kumar
 
PPTX
Data Migration for Remedyforce SaaS Help Desk and High-Speed Digital Service ...
BMC Software
 
PDF
Salesforce Sharing and Security overview for new admins and devs
SayedMossad1
 
PDF
Getting started with Salesforce security
Salesforce Admins
 
PPT
To Share or Not to Share
dreamforce2006
 
PPTX
Salesforce Sharing Architecture
gemziebeth
 
PPTX
Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records
vraopolisetti
 
PDF
2020 07-22 fireside chat : Record Ownership Deep Dive
Jihun Jung
 
PDF
Moving Sharing to a Parallel Architecture
Salesforce Developers
 
PPTX
SFDC Database Security
Sujit Kumar
 
PPTX
Sharing and security in Salesforce
Saurabh Kulkarni
 
PPTX
Adm 201 study group session 1 user interface kathy c
ovalisgroup
 
PPTX
Adm 201 study group session 1 user interface kathy c
ovalisgroup
 
PDF
Salesforce Admin 201-certification Notes
Aslam Tayyab
 
PDF
2020 06-24 fireside chat implicit sharing
Jihun Jung
 
PDF
Setting up Security in Your Salesforce Instance
Salesforce Developers
 
PPTX
LAG #3 - Master-External-sharing (Abdelhakim Speaker).pptx
ArnaudSourdillon1
 
PDF
Salesforce - Implicit Sharing, Record Locks & Skews
Nora Nicklis
 
Salesforce sharing and visibility Part 1
Ahmed Keshk
 
recordsharingmodelinsalesforce-170519074428.pdf
rohitgupt1
 
Record sharing model in salesforce
Sunil kumar
 
Data Migration for Remedyforce SaaS Help Desk and High-Speed Digital Service ...
BMC Software
 
Salesforce Sharing and Security overview for new admins and devs
SayedMossad1
 
Getting started with Salesforce security
Salesforce Admins
 
To Share or Not to Share
dreamforce2006
 
Salesforce Sharing Architecture
gemziebeth
 
Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records
vraopolisetti
 
2020 07-22 fireside chat : Record Ownership Deep Dive
Jihun Jung
 
Moving Sharing to a Parallel Architecture
Salesforce Developers
 
SFDC Database Security
Sujit Kumar
 
Sharing and security in Salesforce
Saurabh Kulkarni
 
Adm 201 study group session 1 user interface kathy c
ovalisgroup
 
Adm 201 study group session 1 user interface kathy c
ovalisgroup
 
Salesforce Admin 201-certification Notes
Aslam Tayyab
 
2020 06-24 fireside chat implicit sharing
Jihun Jung
 
Setting up Security in Your Salesforce Instance
Salesforce Developers
 
LAG #3 - Master-External-sharing (Abdelhakim Speaker).pptx
ArnaudSourdillon1
 
Salesforce - Implicit Sharing, Record Locks & Skews
Nora Nicklis
 
Ad

More from Jihun Jung (20)

PPTX
Salesforce Flow using development with Gen. AI
Jihun Jung
 
PPTX
2022-12-02 Trailblazer Winter Coming to the Town.pptx
Jihun Jung
 
PDF
2022-11-08 All About career path in Salesforce Eco System_KR.pdf
Jihun Jung
 
PPTX
2021 10-06 about user experience (ux) designer
Jihun Jung
 
PPTX
2021 09-29 dreamforce 21 success party
Jihun Jung
 
PPTX
2021 09-13 fireside chat
Jihun Jung
 
PDF
2020 07-22 fireside chat record ownership deep dive(kor)
Jihun Jung
 
PPTX
Bangkok Admin Group TrailheaDX 2020 Global Gathering v2
Jihun Jung
 
PDF
2020 07-08 fireside chat sharing architecture kor
Jihun Jung
 
PDF
2020 06-24 fireside chat implicit sharing kor
Jihun Jung
 
PDF
2020 06-10 Fireside Chat : Dynamic Pages
Jihun Jung
 
PDF
2020 05-27 fireside chat virtual dreamin
Jihun Jung
 
PDF
2020 05-02 fireside chat lightning flow
Jihun Jung
 
PDF
Certification story contest
Jihun Jung
 
PDF
Ask salesforcecertanything
Jihun Jung
 
PPTX
20200115 admin group_networking_party_v2
Jihun Jung
 
PPTX
20191211 Admin group Seoul Dreamforce Global Gathering
Jihun Jung
 
PPTX
[Salesforce Community Group] Seoul, KR Admin Group September Meeting
Jihun Jung
 
PPTX
20190719 admin group_meeting
Jihun Jung
 
PPTX
[Salesforce] Seoul Admin group kick-off Meeting
Jihun Jung
 
Salesforce Flow using development with Gen. AI
Jihun Jung
 
2022-12-02 Trailblazer Winter Coming to the Town.pptx
Jihun Jung
 
2022-11-08 All About career path in Salesforce Eco System_KR.pdf
Jihun Jung
 
2021 10-06 about user experience (ux) designer
Jihun Jung
 
2021 09-29 dreamforce 21 success party
Jihun Jung
 
2021 09-13 fireside chat
Jihun Jung
 
2020 07-22 fireside chat record ownership deep dive(kor)
Jihun Jung
 
Bangkok Admin Group TrailheaDX 2020 Global Gathering v2
Jihun Jung
 
2020 07-08 fireside chat sharing architecture kor
Jihun Jung
 
2020 06-24 fireside chat implicit sharing kor
Jihun Jung
 
2020 06-10 Fireside Chat : Dynamic Pages
Jihun Jung
 
2020 05-27 fireside chat virtual dreamin
Jihun Jung
 
2020 05-02 fireside chat lightning flow
Jihun Jung
 
Certification story contest
Jihun Jung
 
Ask salesforcecertanything
Jihun Jung
 
20200115 admin group_networking_party_v2
Jihun Jung
 
20191211 Admin group Seoul Dreamforce Global Gathering
Jihun Jung
 
[Salesforce Community Group] Seoul, KR Admin Group September Meeting
Jihun Jung
 
20190719 admin group_meeting
Jihun Jung
 
[Salesforce] Seoul Admin group kick-off Meeting
Jihun Jung
 

Recently uploaded (20)

PPTX
module 1-Part 1.pptxdddddddddddddddddddddddddddddddddddd
KevinSeelu
 
PDF
Top 8 Trusted Sources to Buy Verified Cash App Accounts.pdf
How To Buy Verified Cash App Accounts
 
PPTX
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
PDF
📍 LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1 TERPOPULER DI INDONESIA ! 🌟
alexiskandar061
 
PDF
The Evolution of Traditional to New Media .pdf
NIKKODENSMIRO
 
PDF
The Ikigai Template _ Recalibrate How You Spend Your Time.pdf
KinchitJain2
 
PDF
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
PDF
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
PDF
Lean-Manufacturing-Tools-Techniques-and-How-To-Use-Them.pdf
Turreteng
 
PPTX
IPCNA VIRTUAL CLASSES INTERMEDIATE 6 PROJECT.pptx
AldoCharaRojas
 
PPT
Ethics in Information System - Management Information System
faizhossain3
 
PPTX
AI_Cyberattack_Solutions AI AI AI AI .pptx
zayadeen2003
 
PPT
12 Things That Make People Trust a Website Instantly
Shethil Ahammed
 
DOCX
Powerful Ways AIRCONNECT INFOSYSTEMS Pvt Ltd Enhances IT Infrastructure in In...
Airconnect pvtltd
 
PPTX
t_and_OpenAI_Combined_two_pressentations
wuvjwfnaadbnzelauy
 
PDF
Buy Cash App Verified Accounts Instantly – Secure Crypto Deal.pdf
pvaonit
 
PDF
Session 1 (Week 1)fghjmgfdsfgthyjkhfdsadfghjkhgfdsa
ssuser25df8b
 
PDF
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
PDF
Understand the Gitlab_presentation_task.pdf
ruhinisiyara
 
PPTX
The-Importance-of-School-Sanitation.pptx
shinjanmandal111
 
module 1-Part 1.pptxdddddddddddddddddddddddddddddddddddd
KevinSeelu
 
Top 8 Trusted Sources to Buy Verified Cash App Accounts.pdf
How To Buy Verified Cash App Accounts
 
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
📍 LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1 TERPOPULER DI INDONESIA ! 🌟
alexiskandar061
 
The Evolution of Traditional to New Media .pdf
NIKKODENSMIRO
 
The Ikigai Template _ Recalibrate How You Spend Your Time.pdf
KinchitJain2
 
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
Lean-Manufacturing-Tools-Techniques-and-How-To-Use-Them.pdf
Turreteng
 
IPCNA VIRTUAL CLASSES INTERMEDIATE 6 PROJECT.pptx
AldoCharaRojas
 
Ethics in Information System - Management Information System
faizhossain3
 
AI_Cyberattack_Solutions AI AI AI AI .pptx
zayadeen2003
 
12 Things That Make People Trust a Website Instantly
Shethil Ahammed
 
Powerful Ways AIRCONNECT INFOSYSTEMS Pvt Ltd Enhances IT Infrastructure in In...
Airconnect pvtltd
 
t_and_OpenAI_Combined_two_pressentations
wuvjwfnaadbnzelauy
 
Buy Cash App Verified Accounts Instantly – Secure Crypto Deal.pdf
pvaonit
 
Session 1 (Week 1)fghjmgfdsfgthyjkhfdsadfghjkhgfdsa
ssuser25df8b
 
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
Understand the Gitlab_presentation_task.pdf
ruhinisiyara
 
The-Importance-of-School-Sanitation.pptx
shinjanmandal111
 

2020 07-08 fireside chat sharing architecture

  • 5. Agenda ● Welcome / Introduction ○ Say Hello / Self Introduction / Icebreaking ● Sharing Architecture Overview ○ Introduction ○ Types of Data Access ○ Considerations ● Wrap up ○ Session feedback ○ Take a Capture :)
  • 6. Past meeting ● 4. 04 The impact COVID 19 has had on you ● 4. 11 Ask Salesforce Certification Anything! ● 4. 18 Fireside chat (Tip & Resource) ● 4. 25 Certification story contest ● 5. 02 Lightning Flow ● 5. 09 Ask an Expert Online ● 5. 27 Virtual Dreamin’ ● 6. 10 Dynamic Pages ● 6. 24 Implicit Sharing
  • 7. Sharing Architecture Overview ⚫ Introduction ⚫ Types of Data Access ■ License ■ Components ⚫ Considerations
  • 8. The Salesforce sharing model is an essential element in your organization's ability to provide secure application data access. Therefore, it's crucial to architect your sharing model correctly to meet your current and future data access requirements. Not Covered The topics not covered in Data Accessibility Architecture: • Folder access • Content access • Chatter access • Knowledge Base access • Ideas, Questions/Answers access • Salesforce2Salesforce • Mobile data accessibility Introduction
  • 9. License • Full Sharing Model Usage Users/Licenses • High Volume Customer Portal License • Chatter Free License Types of Data Access Components • Profiles and Permission Sets • Record Ownership and Queues • Organization-Wide Defaults • Role Hierarchy • Public Groups • Ownership-based Sharing Rules • Criteria-based Sharing Rules • Manual Sharing • Teams • Territory Hierarchy • Account Territory Sharing Rules • Programmatic Sharing • Implicit Sharing
  • 10. Full Sharing Model Usage Users/Licenses Most Standard Salesforce license types take full advantage of the sharing model components. The license might not make a module accessible, or even some objects accessible. For example, the Free edition can't access any CRM objects. However, the sharing entities, and functionality, still exists and is ready when and if the module ever does become active. High Volume Customer Portal License High Volume Customer Portal (HVPU) license users (including Community and Service Cloud license users) do not utilize the sharing model. HVPU licenses have their own sharing model that works by foreign key match between the portal user (holding the license) and the data on Account and Contact lookups. HVPU license is only used for the Customer Portal and not the Partner Portal. Chatter Free License The Chatter Free license doesn't follow the standard sharing model. Chatter Free is a collaboration-only license with the following features: Chatter, Profile, People, Groups, Files, Chatter Desktop, and limited Salesforce app access. The license doesn't have access to CRM records (standard or custom objects) and Content functionality, and therefore, there is no sharing. License
  • 11. Profiles and Permission Sets Profiles and permission sets provide object-level security by determining what types of data users see and whether they can edit, create, or delete records. For each object, the “View All” and “Modify All” permissions ignore sharing rules and settings, allowing administrators to quickly grant access to records associated with a given object across the organization. These permissions are often preferable alternatives to the “View All Data” and “Modify All Data” administrative permissions. Profiles and permission sets also control field-level security, which determines the fields within every object that users can access. For example, an object may have 20 fields, but field-level security can be set up to prevent the users from seeing five of the 20 fields. Components
  • 12. Record Ownership and Queues Every record must be owned by a single user or a queue. The owner has access to the record, based on the Object Settings for the owner’s profile. For example, if the owner’s profile has Create and Read permission on an object, but not Edit or Delete permission, the owner can create a record for the object and see the new record. However, the owner won't be able to edit or delete the record. Users higher in a hierarchy (role or territory) inherit the same data access as their subordinates for standard objects. Managers gain as much access as their subordinates. If the subordinate has read-only access, so will the manager. This access applies to records owned by users, as well as records shared with them. Queues help you prioritize, distribute, and assign records to teams who share workloads. Queue members and users higher in a role hierarchy can access queues from list views and take ownership of records in a queue. If a single user owns more than 10,000 records, as a best practice: Ownership skew The user record of the owner should not hold a role in the role hierarchy. If the owner's user record must hold a role, the role should be at the top of the hierarchy in its own branch of the role hierarchy. Components
  • 13. Organization-Wide Defaults Organization-wide sharing settings specify the default level of access users have to each others’ records. You use organization-wide sharing settings to lock down your data to the most restrictive level, and then use the other record-level security and sharing tools to selectively give access to other users. For example, let’s say users have object-level permissions to read and edit opportunities, and the organization-wide sharing setting is Read- Only. By default, those users can read all opportunity records, but can’t edit any unless they own the record or are granted additional permissions.. Organization-wide defaults are the only way to restrict user access to a record. Organization-wide default settings can be changed from one setting to another (private to controlled by parent, then back to private); however, these changes require sharing recalculation and depending on volume could result in very long processing times. For custom objects only, use the Grant Access Using Hierarchies setting, which if unchecked (default is checked), prevents managers from inheriting access. This setting is found in the organization-wide default settings. Components
  • 14. Role Hierarchy (1/2) A role hierarchy represents a level of data access that a user or group of users needs. The role hierarchy ensures that managers always have access to the same data as their employees, regardless of the organization-wide default settings. Role hierarchies don't have to match your organization chart exactly. Instead, each role in the hierarchy should represent a level of data access that a user or group of users needs. An organization is allowed 500 roles; however, this number can be increased by Salesforce. As a best practice, keep the number of non-portal roles to 25,000 and the number of portal roles to 100,000. As a best practice, keep the role hierarchy to no more than 10 levels of branches in the hierarchy. When a user's role changes, any relevant sharing rules are evaluated to correct access as necessary. Peers within the same role don't guarantee them access to each other's data. Components
  • 15. Role Hierarchy (2/2) Modeling the role hierarchy begins with understanding how the organization is structured. This is usually built from understanding a manager’s scope, starting from the top. The CEO oversees the entire company. The CEO usually has direct reports that can then be segmented by Business Unit (Sales or Support) or geographical region (EMEA, APAC). That person then has direct reports that could be further segmented, and so on. Although this sounds very much like an HR organizational chart, and we have said they might be very much alike, keep in mind, when modeling data access, focus on data accessibility with a consideration to HR reporting. Overlays are always the tricky part of the hierarchy. If they're in their own branch, they'll require either sharing rules, teams, or territory management to gain needed access. If they are folded into the hierarchy, there might be reporting implications. It's important to spend the time setting up the role hierarchy because it's the foundation for the entire sharing model. Components
  • 16. Components Role Hierarchy Use Cases Management access – the ability for managers to be able to see and do whatever their subordinates can see and do. Management reporting – the ability for reporting to roll up in a hierarchical fashion so that anyone higher in the hierarchy sees more data than those below them. Segregation between organizational branches – different business units don’t need to see each other’s data; having a hierarchy in which you can define separate branches allows you to segregate visibility within business units, while still rolling visibility up to the executive levels above those units. Segregation within a role – in many organizations/applications, people who all play the same role should not necessarily see each other’s data. Having hierarchical roles allows you to define a “leaf” node in which all data is essentially private, and still roll that data up to a parent role that can see all.
  • 17. Public Groups A public group (not Chatter group) is a collection of individual users, roles, territories, and so on, that all have a function in common. Public groups can consist of: • Users, Customer Portal Users, Partner Users • Roles, Internal Subordinates, Internal and Portal Subordinates, Portal Roles, Portal Roles and Subordinates • Territories, Territories and Subordinates • Other public groups (nesting) Groups can be nested (Group A nested into Group B), however don't nest more than five levels. Nesting has an impact on group maintenance and performance due to group membership calculation. As a best practice, keep the total number of public groups for an organization to 100,000. Components
  • 18. Components Public Groups Use Cases When you need to provide access to an arbitrary group of people, you create a public group to collect them, and then use other sharing tools to give the group the necessary access. Group membership alone doesn't provide data access. Groups can also be nested inside each other, therefore, allowing a nested group to gain the same access as the group in which it is contained. This allows the creation of smaller, ad-hoc hierarchies that don’t necessarily interact with the role or territory hierarchies. If Group A is a member of Group B, then the members of Group A will have access to data shared to Group B at the same access level as the members of Group B. Groups also have the ability to protect data shared in the group from being made accessible to people in the role hierarchy above the group members. This (and dealing with the access of record owners and their management hierarchy) allows the creation of groups in which very highly confidential information can be shared—the data will be accessible ONLY to group members, and nobody else in the organization. This is accomplished by using the Grant Access Using Hierarchies setting.
  • 19. Ownership-based Sharing Rules Ownership-based sharing rules allow for exceptions to organization-wide default settings and the role hierarchy that give additional users access to records they don’t own. Ownership-based sharing rules are based on the record owner only. Contact ownership-based sharing rules don't apply to private contacts(not related Account). As a best practice, keep the number of ownership-based sharing rules per object to 1,000. Components Ownership-based Sharing Rule Use Cases Role-based matrix management or overlay situations: a person in Service needs to be able to see some Sales data, but they live in different branches of the hierarchy, so you can create a rule that shares data between roles on different branches. To provide data access to peers who hold the same role/territory. To provide data access to other groupings of users (public groups, portal. roles, territories). The members of the groupings who own the records can be shared with the members of other groupings.
  • 20. Criteria-based Sharing Rules Criteria-based sharing rules provide access to records based on the record’s field values (criteria). If the criteria are met (one or many field values), then a share record is created for the rule. Record ownership is not a consideration. As a best practice, keep the number of criteria-sharing rules per object to 50; however, this can be increased by Salesforce. Components
  • 21. Manual Sharing Sometimes it’s impossible to define a consistent group of users who need access to a particular set of records. In those situations, record owners can use manual sharing to give read and edit permissions to users who would not have access to the record any other way. Although manual sharing isn’t automated like organization-wide sharing settings, role hierarchies, or sharing rules, it gives record owners the flexibility to share particular records with users that need to see them. Manual sharing is removed when the record owner changes or when the sharing access granted doesn't grant additional access beyond the object's organization-wide sharing default access level. This also applies to manual shares created programmatically. Only manual share records can be created on standard objects. Manual share records are defined as share records with the row cause set to manual share. All share records (standard and custom objects) with a row cause set to manual share can be edited and deleted by the Share button on the object's page layout, even if the share record was created programmatically. Components
  • 22. Teams A team is a group of users that work together on an account, sales opportunity, or case. Record owners can build a team for each record that they own. The record owner adds team members and specifies the access level each team member has to the record. Some team members can have read-only access, while others have read/write. Only owners, people higher in the hierarchy, and administrators can add team members and provide more access to the member. A team member with read/write access can add another member who already has access to the record with which the team is associated. The team member can't provide them additional access. Creating a team member in the app creates two records: a team record and an associated share record. If you create team members programmatically, you have to manage both the team record and associated share record. There is only one team per record (Account, Opportunity or Case). If multiple teams are needed, depending on your specific needs consider territory management or programmatic sharing The team object is not a first-class object. You can't create custom fields, validations rules, or triggers for teams Components
  • 23. Territory Hierarchy The territory hierarchy is a single dimensional, additional hierarchy which can be structured by business units or any kind of segmentation in a hierarchical structure. When territory management is enabled you must manage both the role hierarchy and territory hierarchy. Territories exist only on Account, Opportunity and master/detail children of Accounts and Opportunities. As a best practice, keep the territory hierarchy to no more than 10 levels of branches in the hierarchy. If the assignment rules for a territory are changed, sharing rules using that territory as the source will be recalculated. Likewise, if the membership of a territory changes, any ownership- based sharing rules that use the territory as the source will be recalculated. Components
  • 24. Territory Management Use Cases Multiple groups of people (multiple teams) require either read-only or read/write access to accounts. An additional hierarchical structure (different from the role hierarchy) is needed. A single user needs to hold multiple levels in the hierarchy. Global users (GAM – global account manager) need to see everything from the global account downward. Components
  • 25. Account Territory Sharing Rules Account territory sharing rules become available only when the original territory management feature has been enabled for an organization. These sharing rules provide access to Account records that have been stamped with the Territory defined in the rule. Account Territory Sharing Rule Use Case To provide data access to accounts within a territory (not based on ownership) to a grouping of users. Applies only to accounts and when territory management is enabled. Components
  • 26. Programmatic Sharing Programmatic sharing (formally Apex-managed sharing) allows you to use code (Apex or other) to build sophisticated and dynamic sharing settings when a data access requirement cannot be met by any other means. If you create a share record programmatically, and the out-of-box row cause (manual share) is used, then you can maintain this share record with the Share button in the app. The share record is subject to all rules with the manual share row cause such as deletion upon owner transfer. Review https://developer.salesforce.com/page/Using_Apex_Managed_Sharing_to_Create_Custom_Recor d_Sharing_Logic before you consider using programmatic sharing. Components
  • 27. Programmatic Sharing Use Cases No other method of sharing (declarative) meets the data access needs. There is an existing, external system of truth for user access assignments which will continue to drive access and be integrated with Salesforce. Poor performance by using native sharing components. (Usually applies to very large data volumes) Team functionality on custom objects. Components
  • 28. Implicit Sharing Implicit sharing is automatic. You can neither turn it off, nor turn it on—it is native to the application. In other words, this isn't a configurable setting; however, it's very important for any architect to understand. Parent, Child, Portal , High Volume, High Volume Parent For more information, see the recording of the previous meeting. https://www.youtube.com/watch?v=GDdwB6Icu4Q Components
  • 29. Role Hierarchy • Make simple, it should be possible to flatten • Use territory hierarchy as your “sales” hierarchy if there need other hierarchy • Don’t making the role hierarchy and territory hierarchy identical Teams • Territory hierarchy is better to do it there than to use teams • Only implement teams if no other existing sharing component will satisfy the requirement Realignment and Reassignment • Considered are the volume of changes and the number of cascading changes that each change will cause • Hierarchy structural changing can be resource expensive Considerations
  • 30. Large Data Volumes • The modeling for the initial rollout or a realignment change are testing out your changes in a sandbox is highly recommended before production. • Have implemented teams or Territory Management, you especially need to pay attention to performance Defer Sharing Calculations • Enabled by Salesforce Support to defer automatic sharing calculations. Data Skews/Ownership Skews • As a best practice, keep the ratio as close to 1:10,000 as possible (lower is preferred) • The user record of the owner should not hold a role in the role hierarchy. Or be at the top of the hierarchy • We will be holding a session in the near future The Account Hierarchies Impact on Data Access • the account hierarchy does not drive access between two Account records with a parent/child relationship Considerations
  • 31. A Guide To Sharing Architecture • https://resources.docs.salesforce.com/226/latest/en- us/sfdc/pdf/sharing_architecture.pdf User Licenses • https://help.salesforce.com/articleView?id=users_understanding_license_types.htm Sharing a Record Using Apex • https://developer.salesforce.com/docs/atlas.en- us.apexcode.meta/apexcode/apex_bulk_sharing_creating_with_apex.htm Source
  • 32. Wrap up • Session feedback • Next is... • Take a Capture :)
  • 33. TrailheaDX 2020 Global Gathering We’re excited to bring our Trailblazers together to talk about the TrailheaDX 2020 highlights. Event details to be announced soon - please RSVP to receive updates!
  • 34. Thanks for Like, Share, Follow, Connect ☺ Please comment anywhere in the Korea user group Chatter, Facebook, or LinkedIn.
  • 35. Trailblazer Community Conference Certification Voucher Winner Presented to: [Your Name] Date: [April, 25, 2020] Certification Redemption Code: [B1mi|iBn1d@] Expires on: [August, 30, 2021] Free vouchers will be provided by lottery at events with over 10 attendees.
  • 36. $100 off $200: SFAPACCERTDAYS042020S