Salesforce Connector: Security

Security Settings

A user can be granted access to an item or an entity type in several ways, and not all of them are currently implemented in the connector. Salesforce security is layered: access is first granted or denied for all entities of a certain type, and is then widened or restricted for individual items of that type. Which layer overrides which depends on the settings of the individual Salesforce environment. Security permissions are given by Licenses, Organization-Wide Defaults, Profiles, Permission Sets, Public Groups, User and Group Sharing (Direct Sharing), Roles, Sharing Rules (Object Sharing), Inherited Access (for managers), Access by parent objects and Field Accessibility.


The following user security settings are implemented in the connector:

  • User access, given by the user Id.
  • Group access, given by the user's roles and the sub roles inherited through the role hierarchy.
  • Entity access, which grants access to all objects of one type, for example all accounts. It is derived by layering License, Organization-Wide Defaults and Profile information.
  • Permission to view all data, if the profile grants it.
  • Permission to view all users, if the profile grants it.


The following security settings are not implemented in the connector:

  • Permission Sets.
  • Sharing Rules (Object Sharing).
  • Inherited Access. There is no direct check that a manager can view all items of the users he or she manages.
    Currently only roles inherit permissions from their sub roles, as given by the user role hierarchy.
  • Access by parent object. This currently exists only for the well-known entity types with preselected metadata fields.
  • Field Accessibility. No field restrictions are applied to any of the indexed entities.

Authentication

At search time, when users log into Locator they are authenticated with Active Directory. Attributes of the authenticated AD user are used to find the matching username in Salesforce. This happens automatically in the plug-in; the user does not need to provide Salesforce credentials.

Identification

To identify the user in Salesforce, the Salesforce username must be stored in one of the authenticated AD user's attributes. The connector first checks whether the UserPrincipalName is a username in Salesforce. If no user is found, the AD attributes Proxyaddresses and Mail are examined for a Salesforce username. If the Salesforce user cannot be determined for the AD user, the authenticated user receives no Salesforce access tokens and no search hits from Salesforce.

Authorization

Document items are marked with a list of Salesforce group and user SIDs at fetch time. At search time, users are assigned SIDs based on the Salesforce account associated with the Locator login, and a Salesforce hit is shown only when one of the user's SIDs is in the item's list.
Example:

  • Salesforce_999 005A0000004wzojIAA (User)
  • Salesforce_999 00GA0000001LnPuMAK (Group)
  • Salesforce_999 Account (View all accounts - from user settings)
  • Salesforce_999 AllData (View all data - from profile settings)
  • Salesforce_999 Users (View all users - from profile settings)
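The identification and authorization steps above, carried through end to end as an added example. This is not the connector's own code: it resolves a constructed AD record to a constructed Salesforce directory in the order the page gives (UserPrincipalName, then Proxyaddresses, then Mail), derives the user's SIDs in the "Salesforce_999 ..." form of the example list, and filters constructed search hits on SID overlap. The fetch-time marking rule in document_sids (owner, shared groups, the entity type SID, AllData, and Users for User records), the stripping of the "SMTP:" type prefix from proxyAddresses values, and the case-insensitive username match are assumptions, not documented connector behaviour.

```python
# Added example (not the connector's own code): AD user -> Salesforce user -> SIDs -> hit filter.
from __future__ import annotations
from dataclasses import dataclass, field

SID_PREFIX = "Salesforce_999"   # instance prefix taken from the page's example SIDs


@dataclass
class ADUser:
    """Constructed AD record; attribute names follow the page."""
    user_principal_name: str
    proxy_addresses: list[str] = field(default_factory=list)
    mail: str | None = None


@dataclass
class SFUser:
    """Constructed Salesforce user record with the access facts the connector uses."""
    user_id: str
    username: str
    group_ids: list[str] = field(default_factory=list)       # from roles and sub roles
    view_all_objects: set[str] = field(default_factory=set)  # entity types, e.g. {"Account"}
    view_all_data: bool = False      # profile permission
    view_all_users: bool = False     # profile permission


@dataclass
class Hit:
    """Constructed indexed item carrying the SIDs assigned at fetch time."""
    doc_id: str
    sids: set[str]


def candidate_usernames(ad: ADUser) -> list[str]:
    """UPN first, then proxyAddresses, then mail (the order the page gives).
    Assumption: proxyAddresses values carry a type prefix such as 'SMTP:' that is stripped."""
    raw = [ad.user_principal_name]
    raw += [a.split(":", 1)[1] if ":" in a else a for a in ad.proxy_addresses]
    if ad.mail:
        raw.append(ad.mail)
    seen: list[str] = []
    for value in raw:
        key = value.strip().lower()          # assumption: match usernames case-insensitively
        if key and key not in seen:
            seen.append(key)
    return seen


def resolve_salesforce_user(ad: ADUser, directory: dict[str, SFUser]) -> SFUser | None:
    """Return the first Salesforce user whose username matches a candidate, else None."""
    for name in candidate_usernames(ad):
        if name in directory:
            return directory[name]
    return None


def user_sids(user: SFUser | None) -> set[str]:
    """Search-time SIDs for a resolved user; an unresolved user gets none, and so no hits."""
    if user is None:
        return set()
    sids = {f"{SID_PREFIX} {user.user_id}"}
    sids.update(f"{SID_PREFIX} {gid}" for gid in user.group_ids)
    sids.update(f"{SID_PREFIX} {obj}" for obj in user.view_all_objects)
    if user.view_all_data:
        sids.add(f"{SID_PREFIX} AllData")
    if user.view_all_users:
        sids.add(f"{SID_PREFIX} Users")
    return sids


def document_sids(entity_type: str, owner_id: str, shared_group_ids: list[str]) -> set[str]:
    """Fetch-time marking (assumed rule): readable by the owner, by groups the item is shared
    with, by anyone with View All on the entity type and by anyone with View All Data;
    User records are additionally readable by anyone with View All Users."""
    sids = {f"{SID_PREFIX} {owner_id}", f"{SID_PREFIX} {entity_type}", f"{SID_PREFIX} AllData"}
    sids.update(f"{SID_PREFIX} {gid}" for gid in shared_group_ids)
    if entity_type == "User":
        sids.add(f"{SID_PREFIX} Users")
    return sids


def filter_hits(hits: list[Hit], sids: set[str]) -> list[str]:
    """Keep only hits that share at least one SID with the searching user."""
    return [h.doc_id for h in hits if h.sids & sids]


# Constructed sample directory and index; ids reuse the shapes from the page's example
DIRECTORY = {u.username: u for u in [
    SFUser("005A0000004wzojIAA", "alice@example.com", group_ids=["00GA0000001LnPuMAK"]),
    SFUser("005A0000004wzokIAA", "carol@example.com", view_all_data=True),
    SFUser("005A0000004wzolIAA", "dave@example.com", view_all_objects={"Account"}),
]}
HITS = [
    Hit("acct-1", document_sids("Account", "005A0000004wzolIAA", [])),
    Hit("acct-2", document_sids("Account", "005A0000004wzokIAA", ["00GA0000001LnPuMAK"])),
    Hit("opp-1", document_sids("Opportunity", "005A0000004wzokIAA", [])),
]


def visible_docs(ad: ADUser) -> list[str]:
    """End-to-end: identify the Salesforce user, derive SIDs, filter the hits."""
    return filter_hits(HITS, user_sids(resolve_salesforce_user(ad, DIRECTORY)))


if __name__ == "__main__":
    # alice's UPN differs from her Salesforce username; proxyAddresses supplies it
    print(visible_docs(ADUser("alice@corp.local", ["SMTP:alice@example.com"])))
    # bob has no Salesforce username in any attribute, so he gets no Salesforce hits
    print(visible_docs(ADUser("bob@corp.local", mail="bob@example.com")))
```

The unresolved-user branch is the one worth checking in a deployment: an AD user with no matching Salesforce username must get an empty SID set rather than, say, the entity-type SIDs, or every indexed item of that type becomes visible to anyone who can log into Locator.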


ayfie