Security for Omnistudio Data Mappers and Integration Procedures
You can control access to Data Mappers and Integration Procedures using settings that reference Sharing Settings and Sharing Sets or Profiles and Permission Sets.
Guest Users, also called anonymous users, cannot access any records by default. Criteria-based Sharing Rules grant them read-only access. This affects all Salesforce orgs. For details, see Guest User Record Access Development Best Practices.
Vlocity allows guest users to create and update the records to which Sharing Rules grant access. No additional configuration is necessary for this expanded access.
You can use Salesforce Sharing Settings to secure access to Data Mappers and Integration Procedures. If you use caching, you must set CheckCachedMetadataRecordSecurity to true as described here.
You can allow access to a Data Mapper or Integration Procedure based on the Custom Permissions enabled in a user's Salesforce Profiles or Permission Sets. An Apex class added to your Salesforce Org allows the Vlocity Managed Package to check user Custom Permissions. The custom settings described here are related to this approach. Vlocity recommends using Custom Permissions in Profiles or Permission Sets for ease of use and better performance.
To ensure data security and maintain compliance with Salesforce encryption access controls, always check that a user has the View Encrypted Data permission before displaying or processing decrypted values of encrypted fields.
For Salesforce access basics, see Control Who Sees What and Salesforce Data Security Model — Explained Visually. For Vlocity-specific information about Profiles, see Overview of Profiles and Security for Vlocity.
Sharing Settings, Sharing Sets, Profiles, and Permission Sets control access to Data Mappers and Integration Procedures as object records.
To ensure field-level security for a Data Mapper, go to the Data Mapper’s Options tab and select Check Field Level Security. To automatically enforce field-level security for all Data Mappers, enable EnforceDMFLSAndDataEncryption in the Omni Interaction Configuration.
If you’re using the Omnistudio standard designer, and if the user has the View Encrypted Data permission, the classic encrypted fields are shown in plain text for that user by default. However, if you are using the Omnistudio managed package designer, you must enable EnforceDMFLSAndDataEncryption in the Omni Interaction Configuration to enforce this behavior.
To enable EnforceDMFLSAndDataEncryption in the Omni Interaction Configuration, follow these steps: From Setup, search for and open Omni Interaction Configuration. Click New Omni Interaction Configuration, enter EnforceDMFLSAndDataEncryption for both name and label, set the value to true, and save your changes.
A user's access to a Data Mapper or Integration Procedure includes more than the ability to run it directly. Access also applies if an application the user is using calls the Data Mapper or Integration Procedure.
If a user has access to a parent Integration Procedure, the parent can invoke child Integration Procedures and Data Mappers to which the user doesn’t have direct access.
- Configure Omnistudio Data Mapper and Integration Procedure Security Settings
  You can change settings for Data Mapper and Integration Procedure security in Setup.
- Omnistudio Data Mapper and Integration Procedure Security Settings
  These settings affect Data Mapper and Integration Procedure security.
- Syntax of the Required Permission Property
  Omnistudio Data Mappers and Integration Procedures have a Required Permission property, which determines who has runtime access. You can specify roles, profiles, permission sets, custom permissions, or any combination. If Required Permission is blank, any user can run the Data Mapper or Integration Procedure unless the DefaultRequiredPermission property is set.
- Implement the VlocityRequiredPermissionCheck Class
  For the DefaultRequiredPermission setting to work, you must implement the VlocityRequiredPermissionCheck class manually because Salesforce handles classes in managed and unmanaged packages differently. This class doesn't work properly if it's included in the Vlocity managed package.
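Because a parent Integration Procedure can invoke children the user can't run directly, a Required Permission on a child only protects it if every parent that reaches it is at least as restricted. The following is an added example, not Salesforce or Vlocity code: it walks a constructed inventory and reports each restricted component that is reachable through a parent with a blank or different Required Permission. The inventory layout, component names and permission names are assumptions; Required Permission strings are compared as opaque text, and a blank value is assumed to fall back to DefaultRequiredPermission when that is set.

```python
# Constructed inventory (not an Omnistudio export format): component name ->
# Required Permission string ("" means blank) and the components it invokes.
INVENTORY = {
    "IP_PortalIntake":  {"required": "", "calls": ["IP_AccountLookup"]},
    "IP_AccountLookup": {"required": "Agent_Lookup",
                         "calls": ["DM_ReadSSN", "IP_PortalIntake"]},
    "IP_BackOffice":    {"required": "BackOffice_Admin", "calls": ["DM_ReadSSN"]},
    "DM_ReadSSN":       {"required": "View_PII", "calls": []},
    "DM_PublicCatalog": {"required": "", "calls": []},
}

def effective_permission(required, default_required=""):
    """Assumption: a blank Required Permission falls back to the default."""
    return required.strip() or default_required.strip()

def ancestors(inventory, target):
    """Every component that can reach `target` through a chain of calls."""
    parents = {}
    for name, comp in inventory.items():
        for child in comp["calls"]:
            parents.setdefault(child, set()).add(name)
    seen, stack = set(), [target]
    while stack:  # iterative walk; `seen` stops call cycles from looping
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen and parent != target:
                seen.add(parent)
                stack.append(parent)
    return seen

def audit(inventory, default_required=""):
    """Return {component: {"open": [...], "other": [...]}} for restricted
    components: "open" parents run for any user, "other" parents require a
    different permission string and need manual review."""
    findings = {}
    for name, comp in inventory.items():
        own = effective_permission(comp["required"], default_required)
        if not own:
            continue  # already runnable by any user; nothing to bypass
        open_, other = [], []
        for parent in sorted(ancestors(inventory, name)):
            perm = effective_permission(inventory[parent]["required"],
                                        default_required)
            if not perm:
                open_.append(parent)
            elif perm != own:
                other.append(parent)
        if open_ or other:
            findings[name] = {"open": open_, "other": other}
    return findings
```

Any entry under "open" means the child's Required Permission is not the effective control for that path; the parent's permission is.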

