Wave App Visibility and the "View All Data" and "Modify All Data" System Permissions
|Knowledge Article Number||000240129|
|Description||Wave apps have sharing behaviour that is similar to the core Report and Dashboard folder sharing, as documented here.
When users have been granted the "View All Data" or "Modify All Data" system permissions, they have access to apps that transcends the sharing functionality.
Note: "View All Data" and "Modify All Data" are potent permissions, and should be granted sparing and only to users that absolutely need that level of access. Details are available here.
When a user has the appropriate permission set license and the associated Use/Access permissions, they can view apps tied to the same license that they have been granted for at least Viewer access (directly by User, or indirectly by Role or Group).
A user with the following configuration will have access only to Sales Wave generated apps that have been shared with them:
Permission Set License: "Sales Analytics Apps"
Permissions: "Access Sales Cloud Analytics Templates and Apps" and "Use Wave Analytics Templated Apps"
View All Data
If a user is granted "View All Data", they will be able to see all apps tied to their assigned permission set license(s).
The user will have visibility on ALL Sales Wave generated apps, regardless of if they have been shared.
The user will be able to see the contents (datasets, lens, dashboards) of the apps.
Modify All Data
If a user is granted "Modify All Data", they will be able to see and edit all apps tied to their assigned permission set license(s).
The user will have visibility and edit capabilities on ALL Sales Wave generated apps, regardless of if they have been shared.
The user will be able to see and edit the contents (datasets, lens, dashboards) of the apps.
It is important to note that the Security Predicate applies row-level security at a query level for datasets. The View All Data and Modify All Data permissions do not override the Security Predicate. Users with these permissions will not be able to view records that are blocked via the Security Predicate. More details on implementing row-level security can be found here.
If the user's visibility is restricted by the Security Predicate on datasets, they will only have visibility on related lenses and dashboards to the records granted by the Security Predicate.
Caution: With "Modify All Data" the user will be able to edit datasets to modify or remove the Security Predicate.