We have some celebrity and other high profile people who support our
organization. In the past all of their data was in our donor database
that only development had access to but now we're putting it all in
Salesforce. Is there a way to make certain records viewable by only a
certain profile? I know you can do it with fields but we need their
entire record or at least their contact info to be inaccessible to
most of our users. Any suggestions?
Don't let the feature name deter you, but this is what the territory management tools do very well. the feature is not enabled by default, so you'll need to ask support to turn it on.
Territories can be automatically assigned based on geographic data (ergo territory) or any account level field, even custom fields (e.g major donor). Once an account is in a territory, all related contacts and opportunities are visible to only those staff you grant access to manage the territory. It works like a charm for the use case you've described an there are tons of bells, whistles and permission options that will align to even the most complex rules. Komen is using this within Common Ground for all regions and affiliates.
Defintely worth checking out.
// Sent from my phone, so please excuse any typos! //
On Apr 10, 2009, at 6:13 PM, "Paige Van Riper" <pvanri...@hotmail.com> wrote:
> We have some celebrity and other high profile people who support our > organization. In the past all of their data was in our donor database > that only development had access to but now we're putting it all in > Salesforce. Is there a way to make certain records viewable by only a > certain profile? I know you can do it with fields but we need their > entire record or at least their contact info to be inaccessible to > most of our users. Any suggestions?
I believe that the territory strategy Tompkins describes will only work where your sensitive contacts are in different Accounts from the non-sensitive ones. So if you are currently putting all individuals into say an "Individual" Account bucket, they cannot be separated out. Anyone with access to the "individual" account has access to the contacts it contains.
A couple of ways round this;
A) The new NP edition creates a shadow Account behind each Contact, so that you can restrict access to any persons "account" such that appears to be at secured at the Contact level. This means that individuals who are not associated with an Organization can now be secured independently. (Not sure of the process ... someone else want to fill that in?)
B) you could make a second bucket account called "Sensitive Individual" and then restrict that account, while leaving the "Individual" account as is.
-----Original Message----- From: npsf@googlegroups.com [mailto:npsf@googlegroups.com] On Behalf Of
Tompkins Spann Sent: Friday, April 10, 2009 18:37 To: npsf@googlegroups.com Cc: Nonprofit Salesforce.com Practitioners Subject: [NPSF] Re: Protecting sensitive records
Don't let the feature name deter you, but this is what the territory management tools do very well. the feature is not enabled by default, so you'll need to ask support to turn it on.
Territories can be automatically assigned based on geographic data (ergo territory) or any account level field, even custom fields (e.g major donor). Once an account is in a territory, all related contacts and opportunities are visible to only those staff you grant access to manage the territory. It works like a charm for the use case you've described an there are tons of bells, whistles and permission options that will align to even the most complex rules. Komen is using this within Common Ground for all regions and affiliates.
Defintely worth checking out.
// Sent from my phone, so please excuse any typos! //
On Apr 10, 2009, at 6:13 PM, "Paige Van Riper" <pvanri...@hotmail.com> wrote:
> We have some celebrity and other high profile people who support our > organization. In the past all of their data was in our donor database > that only development had access to but now we're putting it all in > Salesforce. Is there a way to make certain records viewable by only a > certain profile? I know you can do it with fields but we need their > entire record or at least their contact info to be inaccessible to > most of our users. Any suggestions?
To hide partial contact info for certain individuals, you can create a
new record type of VIP and assign page layouts with full or limited
access to different profiles.
To completely hide the contacts, another possibility if the other
suggestions don't work is to change the default sharing rules to be
applied at the contact level instead of inheriting visibility from the
account level. Not sure if you are using the Contact Owner, but you
can decide that one user 'owns' all VIP records, and then only share
those users contacts with other people allowed to view VIPs using
groups and Sharing Settings. To enforce the rule for new contacts, you
can set a workflow rule on a field that identifies someone as a VIP to
change the owner to be the VIP owner.
On Apr 10, 6:12 pm, Paige Van Riper <pvanri...@hotmail.com> wrote:
> We have some celebrity and other high profile people who support our
> organization. In the past all of their data was in our donor database
> that only development had access to but now we're putting it all in
> Salesforce. Is there a way to make certain records viewable by only a
> certain profile? I know you can do it with fields but we need their
> entire record or at least their contact info to be inaccessible to
> most of our users. Any suggestions?
Most orgs have security set up in exactly the way you describe. It is possible, however (if you do not have Person Accounts enabled) to set Contact sharing to Private. This does not solve the situation described below; I'm just mentioning this for completeness. This will allow Users to see--or not see--contacts in the same way that any other private object is handled.
This would be a huge headache for any org that is using a bucket account, as you might need to set the VIPs to be owned by one particular user, and perhaps use sharing groups... I'll stop here, as it would be ugly and likely untenable from a maintenance perspective.
-----Original Message----- From: npsf@googlegroups.com [mailto:npsf@googlegroups.com] On Behalf Of
Jenny Council Sent: Friday, April 10, 2009 9:08 PM To: npsf@googlegroups.com Subject: [NPSF] Re: Protecting sensitive records
I believe that the territory strategy Tompkins describes will only work where your sensitive contacts are in different Accounts from the non-sensitive ones. So if you are currently putting all individuals into say an "Individual" Account bucket, they cannot be separated out. Anyone with access to the "individual" account has access to the contacts it contains.
A couple of ways round this;
A) The new NP edition creates a shadow Account behind each Contact, so that you can restrict access to any persons "account" such that appears to be at secured at the Contact level. This means that individuals who are not associated with an Organization can now be secured independently. (Not sure of the process ... someone else want to fill that in?)
B) you could make a second bucket account called "Sensitive Individual" and then restrict that account, while leaving the "Individual" account as is.
Jenny
-----Original Message----- From: npsf@googlegroups.com [mailto:npsf@googlegroups.com] On Behalf Of Tompkins Spann Sent: Friday, April 10, 2009 18:37 To: npsf@googlegroups.com Cc: Nonprofit Salesforce.com Practitioners Subject: [NPSF] Re: Protecting sensitive records
Don't let the feature name deter you, but this is what the territory management tools do very well. the feature is not enabled by default, so you'll need to ask support to turn it on.
Territories can be automatically assigned based on geographic data (ergo territory) or any account level field, even custom fields (e.g major donor). Once an account is in a territory, all related contacts and opportunities are visible to only those staff you grant access to manage the territory. It works like a charm for the use case you've described an there are tons of bells, whistles and permission options that will align to even the most complex rules. Komen is using this within Common Ground for all regions and affiliates.
Defintely worth checking out.
// Sent from my phone, so please excuse any typos! //
On Apr 10, 2009, at 6:13 PM, "Paige Van Riper" <pvanri...@hotmail.com> wrote:
> We have some celebrity and other high profile people who support our > organization. In the past all of their data was in our donor database > that only development had access to but now we're putting it all in > Salesforce. Is there a way to make certain records viewable by only a > certain profile? I know you can do it with fields but we need their > entire record or at least their contact info to be inaccessible to > most of our users. Any suggestions?
Following on from your point David this is something we spent a good
while looking at for one of our clients and could find no quick and
easy way to do it in Salesforce.com.
Our solution was to update the sharing rules so that all contact
records are default Private and write a trigger that then shares the
non-VIP contacts with everyone and the VIP contacts with only the
nominated users, roles or public groups.
The steps would be as below:
Create a public group called "Regular Contacts" which contains all of
your users.
Create a public group called "VIP Contacts" which contains only those
users you want to see the VIP records.
Add a tickbox called VIP to the contact record.
Update sharing rules so all contact records can only be seen by the
record owner and people above them in the role hierarchy.
Create a trigger that looks at the VIP field and updates the
Salesforce.com sharing table. For VIP equal No the trigger should
share the record with the Regular Contacts group. For VIP equals Yes
the trigger should share the record with only the VIP group.
The trigger should be set to run each time a field changes on the
contact record.
There are many benefits to this approach such as allowing increased
flexibility so that anyone can own a VIP but only the VIP group can
see it.
If you already have your data in Salesforce.com then you will need a
couple more simple steps to migrate to this new sharing model which
I'd be very happy to discuss in more detail: saas...@googlemail.com
Cheers,
Barney
On Apr 13, 3:23 am, "David Schach" <dsch...@x2od.com> wrote:
> Most orgs have security set up in exactly the way you describe.
> It is possible, however (if you do not have Person Accounts enabled) to set
> Contact sharing to Private. This does not solve the situation described
> below; I'm just mentioning this for completeness. This will allow Users to
> see--or not see--contacts in the same way that any other private object is
> handled.
> This would be a huge headache for any org that is using a bucket account, as
> you might need to set the VIPs to be owned by one particular user, and
> perhaps use sharing groups... I'll stop here, as it would be ugly and likely
> untenable from a maintenance perspective.
> David
> -----Original Message-----
> From: npsf@googlegroups.com [mailto:npsf@googlegroups.com] On Behalf Of
> Jenny Council
> Sent: Friday, April 10, 2009 9:08 PM
> To: npsf@googlegroups.com
> Subject: [NPSF] Re: Protecting sensitive records
> I believe that the territory strategy Tompkins describes will only work
> where your sensitive contacts are in different Accounts from the
> non-sensitive ones. So if you are currently putting all individuals into
> say an "Individual" Account bucket, they cannot be separated out. Anyone
> with access to the "individual" account has access to the contacts it
> contains.
> A couple of ways round this;
> A) The new NP edition creates a shadow Account behind each Contact, so that
> you can restrict access to any persons "account" such that appears to be at
> secured at the Contact level. This means that individuals who are not
> associated with an Organization can now be secured independently.
> (Not sure of the process ... someone else want to fill that in?)
> B) you could make a second bucket account called "Sensitive Individual" and
> then restrict that account, while leaving the "Individual" account as is.
> Jenny
> -----Original Message-----
> From: npsf@googlegroups.com [mailto:npsf@googlegroups.com] On Behalf Of
> Tompkins Spann
> Sent: Friday, April 10, 2009 18:37
> To: npsf@googlegroups.com
> Cc: Nonprofit Salesforce.com Practitioners
> Subject: [NPSF] Re: Protecting sensitive records
> Don't let the feature name deter you, but this is what the territory
> management tools do very well. the feature is not enabled by default,
> so you'll need to ask support to turn it on.
> Territories can be automatically assigned based on geographic data
> (ergo territory) or any account level field, even custom fields (e.g
> major donor). Once an account is in a territory, all related contacts
> and opportunities are visible to only those staff you grant access to
> manage the territory. It works like a charm for the use case you've
> described an there are tons of bells, whistles and permission options
> that will align to even the most complex rules. Komen is using this
> within Common Ground for all regions and affiliates.
> Defintely worth checking out.
> // Sent from my phone, so please excuse any typos! //
> On Apr 10, 2009, at 6:13 PM, "Paige Van Riper" <pvanri...@hotmail.com>
> wrote:
> > We have some celebrity and other high profile people who support our
> > organization. In the past all of their data was in our donor database
> > that only development had access to but now we're putting it all in
> > Salesforce. Is there a way to make certain records viewable by only a
> > certain profile? I know you can do it with fields but we need their
> > entire record or at least their contact info to be inaccessible to
> > most of our users. Any suggestions?
|
