          Policy Behavior on Process Definitions

          Data 360 process definitions describe the workflows and tasks used to manage data such as data streams, transformations, calculated insights, segments, and identity resolution. These definitions help standardize how data operations are created and executed. Data governance policies are enforced when users create or consume these definitions.

          Key Enforcement Callouts for Creating Process Definitions in Data 360

          Here's how policy enforcement works when you create a process definition:

          • Objects available for selection are filtered according to the user's context and policy.
            • Data graphs are available for use when the user has access to the ID, value, and fragment DMOs in addition to the underlying DMOs and CIOs used in the definition.
            • Calculated Insights are available for use when the user has access to the underlying DMOs and CIOs used in the definition. Access to the Calculated Insight output object is also required.
          • Users with View All and Modify All permissions on the data object can view all metadata and can create process definitions.

          Here are some additional nuances or exceptions related to field enforcement and the View All and Modify All permission experiences.

          Feature Area | How Are Policies Enforced
          Activation
          • Users with View All and Modify All permissions on the data object can save the activation, but can’t construct the activation definition as they don’t have direct access to the underlying entities required for the attribute library map (ALM) to load.
          • Field enforcement is in effect for this experience.
          Calculated Insight (CI)
          • An object’s field list isn’t filtered to honor the policy. However, field access is verified when validating or saving the CI. As such, users with insufficient access to a field can't save the CI.
          • Objects or fields that are manually referenced in the syntax fail to validate if the user has insufficient privileges due to policy.
          • Users with View All and Modify All permissions on the data object can see all metadata when creating a CI. However, the CI fails to validate and save if the user has insufficient privileges based on the policy.
          Code Extensions
          • Object and field enforcement doesn’t apply to this experience. You must manually assign and audit the appropriate governance tags on target DLOs or DMOs that your code extension scripts create or update, including the DataCustomCodeLogs__dll DLO.
          • Row-level security (RLS) policies apply during code extension script development when you query data from outside Data 360, but not during runtime execution. As a result, you may see fewer records during development than are processed during execution.
          Data Actions
          • None
          Data Graph
          • Object and field enforcement is in effect for this experience.
          • Creating a data graph on an engagement type DMO requires access to a “Date” type field to establish recency criteria. Without these fields, users can’t save the data graph.
          • Users with View All and Modify All permissions on the data object can initially view all metadata when selecting the primary DMO. But since object enforcement applies on the Policy Builder canvas, the data graph fails to save if the user who creates the data graph doesn't have access to the Primary DMO.
          • Exception to data graph behavior: Data graphs are available for use when the user has access to the ID and value DMOs and all of their fields. There’s no underlying access check on the DMOs or CIOs used in the data graph.
          • If a DMO has a deny field-level security (FLS) policy, access to the entire data graph is restricted.
          • If a data graph includes restricted objects, it remains visible in the list view while in draft state, but its definition isn’t accessible.
          Segmentation
          • Object and field enforcement is in effect for this experience.
          • Users with View All and Modify All permissions on the data object can save the segment, but can’t construct the segment definition as they don’t have direct access to the underlying entities required for the attribute library map (ALM) to load.
          • Row-level security (RLS) policies aren’t enforced during segment creation. As a result, all records within the object are considered when a segment is created.
          Transforms
          • Object and field enforcement is in effect for this experience.
          • To enable data preview in the Input node, users must first select a data space. If no data space is selected, the preview is disabled. When joining multiple DLOs, all input nodes must use the same data space to enable downstream previews. If different data spaces are selected, the transform can still be authored and saved, but preview functionality is disabled for subsequent nodes.
          • Users with View All and Modify All permissions on the data object can initially preview all data and metadata when building a transform. However, the transform fails to preview or save if the user lacks access to required fields or objects based on data governance policies.
          • If fields or objects are manually referenced in expressions or SQL syntax, the transform fails to validate if the user does not have access based on the applied policy.
          • Row-level security (RLS) policies are enforced during transform preview, but not during runtime execution. As a result, users may see fewer records during preview than are processed during execution.
          Einstein Studio
          • Object and field enforcement is in effect for this experience.
          • Users with View All and Modify All permissions on the data object can initially view all metadata when selecting a predictive model entity. But since object enforcement applies on the Policy Builder canvas, search index fails to save if the creating user doesn’t have access to the DMO used for the predictive model entity.
          Search Index
          • Object and field enforcement is in effect for this experience.
          • Users with View All and Modify All permissions on the data object can initially view all metadata when selecting the Search Index On entity. But since object enforcement applies on the Policy Builder canvas, search index fails to save if the creating user doesn’t have access to the DMO used for the Search Index On entity.
          Identity Resolution
          • None
          High Scale Flow
          • None

          Key Enforcement Callouts for Consuming Process Definitions in Data Cloud

          A process definition appears in the list view for the feature area when a consuming user:

          • Has access to the data space
          • Has access to all of the dependent objects that are used in the definition

          A user with View All and Modify All permissions for the data object can view all process definitions in the list view.

          Feature Area | How Policies Are Enforced
          Activation
          • Users must have access to all underlying CIOs and DMOs, including entities in the relationship path.
          • When working with data graphs or segments, users must have access to all entities within the data graph or segment.
          Calculated Insight (CI)
          • To view the CI process definition, users must also have access to the underlying DMO, DLO, and CIO.
          Data Actions
          • Users can view the data actions only if they have permission to access all the related objects.
          • Data actions shown on the data action target are filtered to only those that the user has permission to view.
          Data Graph
          • Users must have access to the ID, value, and fragment DMOs in addition to the underlying DMOs and CIOs used in the definition.
          • Users with View All and Modify All permissions can initially see all data graph process definitions in the list view, but they can’t view the data graph definition in Policy Builder if they don’t have access to all the necessary inputs.
          Segmentation
          • For the waterfall segment, the segment name appears in the filter criteria, but the user can’t access the original segment's definition.
          • Activations displayed on the segment record home are filtered to include only those where the user has access to all related dependent objects.
          • Users with View All and Modify All permissions can initially see all segment process definitions in list view, but they can’t view the segment definition if they don’t have access to all necessary inputs.
          Transforms
          • Transforms are hidden from the list view if the user lacks access to the underlying object or all of its fields.
          Search Index
          • Users must have access to all the DMOs in the relationship path.
          • Users must have access to the search, index, chunk, and attachment DMOs.
          Identity Resolution
          • Users must have access to the unified result and the unified link DMOs in addition to the DMOs used in the rule.
          High Scale Flow
          • When a scheduled flow is triggered, the governance policies applied at the time the flow was created are enforced.
          • Row-level security (RLS) policies aren’t enforced when a flow is triggered on a schedule.
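
The consumption rules above can be modelled as a small access-review check that separates "appears in the list view" from "can open the definition". This is an added example, not Salesforce code or a Data 360 API: the `User` and `ProcessDefinition` records, the object names, and the `view_all_modify_all` flag are constructed for illustration. It applies the Data Graph and Segmentation rule (listed for View All and Modify All users, but not viewable without every input) to all definitions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ProcessDefinition:
    name: str
    feature_area: str
    data_space: str
    inputs: frozenset  # every DMO/DLO/CIO the definition depends on

@dataclass
class User:
    name: str
    data_spaces: set = field(default_factory=set)
    objects: set = field(default_factory=set)  # objects policy lets the user read
    view_all_modify_all: bool = False

def missing_inputs(user, d):
    """Dependent objects the user has no access to, sorted for stable reports."""
    return sorted(d.inputs - user.objects)

def in_list_view(user, d):
    # View All / Modify All users see every definition in the list view.
    if user.view_all_modify_all:
        return True
    # Everyone else needs the data space and all dependent objects.
    return d.data_space in user.data_spaces and not missing_inputs(user, d)

def can_open(user, d):
    # Being listed is not enough: opening the definition needs every input.
    return in_list_view(user, d) and not missing_inputs(user, d)

def listed_but_blocked(user, definitions):
    """Definitions the user sees in a list view but cannot open, with the gap."""
    return {d.name: missing_inputs(user, d)
            for d in definitions if in_list_view(user, d) and not can_open(user, d)}

# Constructed sample data; object and user names are hypothetical.
DEFS = [
    ProcessDefinition("Customer360Graph", "Data Graph", "default",
        frozenset({"Graph_ID", "Graph_Value", "Graph_Fragment", "Individual", "LTV_CIO"})),
    ProcessDefinition("HighValueSegment", "Segmentation", "default",
        frozenset({"Individual", "LTV_CIO"})),
]
ANALYST = User("analyst", {"default"}, {"Individual", "LTV_CIO"})
ADMIN = User("admin", set(), {"Individual"}, view_all_modify_all=True)

if __name__ == "__main__":
    for u in (ANALYST, ADMIN):
        print(u.name, listed_but_blocked(u, DEFS))
```

For an access review, a non-empty result for a View All and Modify All user shows which object grants are still needed before that user can work with the definition.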