Salesforce Data Access

Question 1

Integration User

Answer 1

• This user is vital to the function of Analytics
• Tableau CRM uses the permissions of the Integration User to extract data from Salesforce objects and fields when a dataflow job runs
• Tied to the Analytics Integration User License; does not need to be granted any Analytics-related PSL
• The Analytics Integration User Profile has these permissions:
  - View All Data
  - Read and View All on all standard objects
  - Read Access on Field Level Security for all standard fields
• Password cannot be reset
• Login as (impersonation) cannot be granted

Question 2

Security User

Answer 2

• This user is vital to the function of Analytics
• Tableau CRM uses the permissions of the Security User to access the User object and its fields when you query a dataset that has row-level security based on the User object
• Security User is used for sharing and security predicate functionality to control row visibility in datasets as well as Data Prep Preview
• Tied to the Analytics Integration User License; does not need to be granted any analytics-related PSL
• Password cannot be reset
• Login as (impersonation) cannot be granted

Question 3

Row-Level Security

Answer 3

If Tableau CRM users have access to a dataset, by default, they have access to all records in the dataset.

You can implement row-level security on a dataset to restrict access to certain records.

Some records contain sensitive data that shouldn’t be accessible to everyone.

Row-level security is implemented via security predicates and sharing inheritance. Most Salesforce orgs use a combination of the two.

Question 4

Security Predicates

Answer 4

To implement row-level security, set a predicate for each dataset where you want to restrict access to records.

A predicate is a filter condition that defines row-level access to records in a dataset.

When a user submits a query against a dataset that has a predicate, Tableau CRM checks the predicate to determine which records the user can access. If you user doesn’t have access to a record, it is not returned.

Security predicates can be viewed by looking at the dataflow JSON file or the edit page for the dataset.

Question 5

Field Level Security

Answer 5

You don’t configure field-level security in Tableau CRM, but you can implement it in Salesforce to restrict access to individual fields.

Tableau CRM dataflows run using Analytics Integration User permissions. If you want to enforce field-level security on Salesforce objects, you have to assign read access to the Analytics Integration User. Otherwise, you may see errors when your dataflow runs since Tableau CRM can’t see that data.

You can define field-level security…

    - for multiple fields on a single permission set or profile
    - for a single field on all profiles

Question 6

Sharing Inheritance vs. Security Predicate

Answer 6

Sharing inheritance applies a Salesforce object’s sharing logic to the dataset. Ideal for orgs that don’t have many employees or shared records.

A security predicate is a manually assigned filter condition that defines dataset row access. It’s usually a backup to sharing inheritance for users with access to many of their own or shared records, like a CEO or dashboard builder.

Question 7

Sharing Inheritance

Answer 7

Lets Tableau CRM apply the same sharing setup from Salesforce objects to your datasets.

Simple and accurate. Reduces the need for complicated security predicates for most objects.

Tradeoff is more time to run data syncs, dataflow and recipe jobs, and queries. The more complicated the sharing settings, the longer it takes.

Question 8

Enable Sharing Inheritance

Answer 8

Sharing inheritance needs to be turned on and then you select the objects to use as a sharing source.

By default, sharing inheritance is already enabled in new Salesforce orgs.

• From Setup, enter “Analytics” in the Quick Find box and click Settings
• Select Inherit sharing from Salesforce and click Save
• To enable for synced objects, go to Data Manager and click the Connect tab
• Find the object you want to enable, click the drop-down, and click Row Level Sharing
• Click Sharing inheritance on
• Click Save