
          Add Row-Level Security with a Security Predicate

          Applying a predicate to a dataset is more than just defining the predicate expression. You must also consider how the predicate is dependent on the information in the dataset and where to define the predicate expression.

          Define a predicate for each dataset on which you want to restrict access to records. A security predicate is a filter condition that defines row-level access to records in a dataset.

          When a user submits a query against a dataset that has a predicate, CRM Analytics checks the predicate to determine which records the user has access to. If the user doesn’t have access to a record, CRM Analytics doesn’t return that record.

          Note
          • After a dataset is created, changes to its security settings must be made by editing the dataset; changes to security settings in the dataflow (rowLevelSharingSource or rowLevelSecurityFilter) or recipe (Security Predicate) have no effect.
          • When sharing inheritance is enabled, you can set the security predicate to ‘false’ to block all users not covered by sharing. This predicate is the default when sharing is enabled on a dataset.

          The predicate is flexible and can model different types of security policies. For example, you can create predicates based on:

          • Record ownership. Enables each user to view only records that they own.
          • Management visibility. Enables each user to view records owned or shared by their subordinates based on a role hierarchy.
          • Territory assignments. Enables each user to view the records in their assigned territory or in child territories in the hierarchy. (Only available with Territory Hierarchy 2.0.)
          • Team or account collaboration. Enables all members of a team, such as an opportunity team, to view records shared with the team.
          • Combination of different security requirements. For example, you can choose to define a predicate based on the Salesforce role hierarchy, teams, and record ownership.

          The type of security policy you implement depends on how you want to restrict access to records in the dataset.

          Warning
          If row-level security isn’t applied to a dataset, any user that has access to the dataset can view all records in the dataset.

          You can create a predicate expression based on the user or information in the dataset. For example, to enable each user to view only dataset records that they own, you can create a predicate based on a dataset column that contains the owner for each record. If needed, you can load additional data into a dataset required by the predicate.

          Important

          Security predicates referencing $User information require a new user session before a new value is recognized.

          The location where you define the predicate varies.

          • To create a dataset with a security predicate from a dataflow, add the predicate in the rowLevelSecurityFilter field of the Register transformation.
          • To create a dataset with a security predicate from a recipe, use the Security Predicate field of the Output node.
          • To create a dataset with a security predicate from an external data file, define the predicate in the rowLevelSecurityFilter field in the metadata file associated with the external data file during upload.
          • Row-Level Security Example based on Record Ownership
            Let’s look at an example where you create a dataset based on a CSV file and then implement row-level security based on record ownership. In this example, you will create a dataset that contains sales targets for account owners. To restrict access on each record in the dataset, you will create a security policy where each user can view only sales targets for accounts that they own. This process requires multiple steps that are described in the sections that follow.
          • Row-Level Security Example based on Opportunity Teams
            Let’s look at an example where you create a dataset based on Salesforce data and then implement row-level security based on an opportunity team. In this example, you will create a dataset that contains only opportunities associated with an opportunity team. To restrict access on each record in the dataset, you will create a security policy where only opportunity members can view their opportunity. This process requires multiple steps that are described in the sections that follow.
          • Row-Level Security Example based on Role Hierarchy and Record Ownership
            Let’s look at an example where you create a dataset based on Salesforce data and then implement row-level security based on the Salesforce role hierarchy and record ownership. In this example, you will create a dataset that contains all opportunities. To restrict access on each record in the dataset, you will create a security policy where each user can view only opportunities that they own or that are owned by their subordinates based on the Salesforce role hierarchy. This process requires multiple steps that are described in the sections that follow.
          • Row-Level Security Example based on Territory Hierarchy and Record Ownership
            If your territory hierarchy is specified with Territory Hierarchy 2.0, you can create a dataset to implement row-level security based on the territory hierarchy and record ownership. This example shows how you do this with a dataset for opportunities.
          • Predicate Expression Syntax for Datasets
            You must use valid syntax when defining the predicate expression.
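
The warning above means a Register transformation that defines neither a predicate nor a sharing source creates a dataset whose rows are visible to everyone with dataset access. The following is an added example, not Salesforce's own code: a small audit of a dataflow definition that classifies each Register node by the row-level control it declares. The node names, dataset aliases, and the sample predicate are constructed for illustration.

```python
import json

# Constructed sample dataflow definition (not from the page).
# Node names and aliases are hypothetical; "sfdcRegister" is the Register action.
SAMPLE_DATAFLOW = json.loads(r'''{
  "Extract_Opportunity": {"action": "sfdcDigest",
    "parameters": {"object": "Opportunity", "fields": [{"name": "OwnerId"}]}},
  "Register_Owned": {"action": "sfdcRegister",
    "parameters": {"alias": "OppsOwned", "source": "Extract_Opportunity",
      "rowLevelSecurityFilter": "'OwnerId' == \"$User.Id\""}},
  "Register_Inherited": {"action": "sfdcRegister",
    "parameters": {"alias": "OppsShared", "source": "Extract_Opportunity",
      "rowLevelSharingSource": "Opportunity"}},
  "Register_Open": {"action": "sfdcRegister",
    "parameters": {"alias": "OppsOpen", "source": "Extract_Opportunity"}}
}''')


def audit_register_nodes(dataflow):
    """Classify each Register node by the row-level control it defines."""
    report = {}
    for node, spec in dataflow.items():
        if spec.get("action") != "sfdcRegister":
            continue  # only Register nodes create datasets
        params = spec.get("parameters", {})
        predicate = (params.get("rowLevelSecurityFilter") or "").strip()
        sharing = (params.get("rowLevelSharingSource") or "").strip()
        if predicate:
            report[node] = "predicate"
        elif sharing:
            report[node] = "sharing-inheritance"
        else:
            # No predicate and no sharing source: all rows visible.
            report[node] = "unrestricted"
    return report


def unrestricted_nodes(dataflow):
    """Return the Register nodes that define no row-level security."""
    report = audit_register_nodes(dataflow)
    return sorted(n for n, status in report.items() if status == "unrestricted")


if __name__ == "__main__":
    for node, status in audit_register_nodes(SAMPLE_DATAFLOW).items():
        print(f"{node}: {status}")
```

Because dataflow security settings have no effect once a dataset exists, this check covers only what a first run would create; existing datasets must be reviewed by editing the dataset itself.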
           