Loading
About Salesforce Data 360
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Policy Behavior When Querying Data

            You are here:

            1. Salesforce Help
            2. Docs
            3. Data 360

            Policy Behavior When Querying Data

            When you query data in Data 360, whether through Data Explorer, Profile Explorer, or Tableau, governance policies control what you can retrieve. Even if metadata is visible in the UI, actual access is enforced at query time to protect sensitive data.

            Key Enforcement Callouts When Consuming Query API

            Here's how governed data behaves in Data 360, including its unique policy rules and exceptions.

            In general, when querying data:

            • Users can query objects if they have access as defined by the policy.
              • Users can query DMOs if they have access to them. There's no underlying access check on DLOs.
              • Users can query data graphs if they have access to the ID and value DMOs and all their fields. There's no underlying access check on DMOs or CIOs used within the data graph.
              • Users can query calculated insights if they have access to the underlying calculated insight object.
            • Field enforcement is applied at the query layer. Users can query fields only if they have access as defined by the policy.
            • The View All and Modify All data object permissions don't apply when querying data.
            • Users can create or edit masked fields if they have access to the underlying objects and fields. Masking applies at the query layer and doesn’t prevent data input or updates.
            feature area how policies are enforced
            Data Explorer
            • If an FLS policy is applied to a Primary Key or Fully Qualified Key, the query fails, even if the key isn't included as a selected column.
            • Exception to data graph behavior: Users can only see the data graphs if they have permission for all the underlying objects (DMOs/CIOs) and their fields.
            • Exception to CI behavior: Users can only see the CI if they have permission for all the underlying objects (DMOs/CIOs).
            • Users with View All and Modify All permissions on the data object see all metadata when interacting with the UI. However, the query fails if the user has insufficient privileges according to the policy.
            Profile Explorer

            For unified objects:

            • If an FLS policy is applied to a Primary Key or Fully Qualified Key, the query fails, even if the key isn't included as a selected column.
            • If a user tries to search for a field value that they don’t have access to under RLS, they can’t view the data.
            Query Editor
            • If a user queries an object with access to only a subset of fields, for example, SELECT *, the query returns results only for the fields they are permitted to access.
            • If a user explicitly references a field they don’t have access to, for example, SELECT 'ssot__Individual__c', the query fails.
            • If a user queries an object they don’t have access to, the query fails.
            Tableau
            • If a user queries an object where they only have access to a subset of fields, the query returns metadata and data results for the permitted fields only.
             
            Loading
            Salesforce Help | Article