This article supports Gainsight NXT, the next evolution of the Customer Success platform. If you are using Gainsight CS Salesforce Edition, you can find supporting documentation by visiting the home page, and selecting CS > Salesforce Edition.
This article explains how you can restrict the data that certain users can access within an object. For instance, you can create an access rule for your Sales team in the US East region to access only the Companies in that region. The Resources tab lists the objects on which you can implement data access restrictions. Access restriction can be defined using User or Object attributes. The User Attributes tab allows you to select a set of Attributes which can be used in creating rules. You can use the Sharing Groups to create a group of users to whom you can provide data access.
To enable Data Permissions, contact firstname.lastname@example.org.
- Gainsight Permissions works only on Gainsight Users.
When you navigate to Administration > Data Permissions, the Gainsight Permission page opens and displays the following three tabs:
- Resources
- User Attributes
- Sharing Groups
For more information, refer to the topic Define Sharing Rules.
When the Gainsight Permissions feature is enabled, permissions are granted in the following GS areas:
- In C360 > Relationship section
- In Cockpit > CTA, if you have applied permissions: the Cockpit list view and the CTA assignment screen
- Gainsight’s Global Search
- Report Builder
Note: If a User who does not have access to a Company record tries to access it through its URL, an error message is displayed.
The Resources tab contains the following items in the UI:
- Resources: Resources are objects whose data access can be controlled by defining conditions.
- Resource Relations: A given resource may be linked to another resource through an attribute.
Note: Resources include Relationship, Relationship Type, and Call To Action. You can also filter for the required resource by using the Filter resources search field.
Sharing Rules: In the Resources tab, under the Sharing Rules column, click the Edit icon for any resource. The Permission Attributes and Sharing rules sub-sections are displayed under the Data Permissions for resource section.
- Permission Attributes sub-section contains the list of attributes that can be used to define sharing rules. You can add a maximum of 20 attributes. To add an Attribute, select the required Attribute in the selected Resource from the attributes list and click +Attribute. These attributes can be inherited from any object (Resource), such as Relationship, Activity Timeline, etc. User attributes cannot be deleted.
- You can sort the attributes based on lookup. When you click Sort based on lookup, it filters the attributes based on the permissions that the attributes inherited from the parent objects.
- Attributes are a set of identifiers on a given resource, user, or environment which can later be used in setting up the conditions which enable access to the resource. Attributes can be used to define the security.
- Sharing rules sub-section enables you to grant access to everyone by enabling the Everyone gets READ/WRITE access button.
CAUTION: Enabling the Everyone gets READ/WRITE access button disables the +RULE button used to create conditional access and also deletes all the saved rules. When you disable it, the +RULE button is enabled again and you can define sharing rules.
Note: An administrator can define multiple condition sets, or a combination of conditions for every action on the resource to grant access to the end-users.
All the resources will have read and write access by default at the Resource level. Admins can provide Conditional READ/WRITE access by creating Rules under Sharing rules section.
User: A consumer from whom the access needs to be protected for a given resource. A consumer can be the user who has been provided a Gainsight User License or it can be a system simulating user.
User Attributes: The properties which can be used to create sharing rules (in the Resources tab).
In the Add User Attributes section, you can search from the User Attributes which are already added here. To add an Attribute, you must select the required Attribute and click +.
Note: User Attributes are not static but once added, cannot be deleted.
This tab consists of all the attributes that you may use for defining/creating a rule/permission. You can use an attribute to create a rule which decides the access rights to be given to a specific user.
The Attributes list for rules is updated every hour. When you add a User Attribute, you must click Refresh user Data to immediately start using the newly added Attribute in the creation of Rules.
Define Sharing Rules
This section describes how you can use Gainsight Data Permissions to restrict access to all companies for CSMs, and then grant permission to view only those companies which are in Will Churn Stage (here, it is ABC Corp Ltd.).
- Data Permissions are not applicable for super admins. They have access to all the data.
- You can restrict access for a field (or even an object) through Data Permissions. If a restricted field has a lookup to an object then the restricted field is visible when viewed through the object. Super admin should restrict the access to this field even through the object. For instance, if you restrict access to Company object, users can still view restricted Company details through CTA.
- When you create multiple Criteria or Advice, the AND operator is applied by default. However, you can change it to OR operator, as required.
- When you add multiple Rules, the OR operator is applied. You cannot modify this operator.
- A delay of around two minutes can be expected before the access restrictions are implemented.
To define sharing rules:
- Navigate to Resources tab.
- Click Edit button, for the Company Resource.
- Switch off the Everyone gets Read/Write access button, in the Sharing Rules section.
- Click Save Sharing Rules.
Now, CSMs cannot view any Company. Note that the below image (picked from a CSM’s computer) has three Companies, but still shows No data found.
- Click + RULE.
- In the Rule setup page:
- Enter a name in the Rule Name field.
- Click + Advice and select Stage as the field, in as the Operator, and Will Churn as the Value.
- Click √ icon.
- Click Save.
- Click Save Sharing Rules.
CSMs can now view only ABC Corp Ltd Company, since this is the only company with Stage equal to Will Churn.
You can also create a Criteria to restrict access to companies at user level. For instance, if you create a Criteria which filters users belonging to the APAC region, then only APAC users can view companies that are in the Will Churn stage. Non-APAC users cannot view any company data.
User Groups page enables you to create new user-group(s) and also manually set criteria in the group(s) to add only those users who meet these criteria. This enables Admins to create user groups as per their choice and assign rules to them.
To create a User Group:
- Navigate to the Sharing Groups tab on the Data Permissions page.
- Click +New Sharing-Group
- Enter a name for the user group. While naming the New User Group, avoid using space, numbers, or special characters as only Alphanumeric strings are allowed.
- Click Ok.
Adding users to a User Group:
There are two methods to add users to a User group:
Manually: To add users manually, you should:
- Click the Edit link of the required User group.
- Click Add Users Manually. The Add New User window is displayed.
- Select the checkbox of the users, to be added to the User Group.
- Click SAVE.
- (Optional) To delete an added user, select the user check box and click Delete Users.
- Click Refresh User Group, to refresh user group now.
Using a Rule: To add users by creating a rule, you must define a criteria. When you define a Criteria, the list of users meeting the criteria is populated under the Add Users Manually section. You can delete any users, if required.
The process of adding users by creating a rule is demonstrated here. In this example, a rule is created to build a User group containing all the Active users.
To add Active Users via a Rule:
- Click the Edit link of the required User group.
- Click + Criteria and select the IsActiveUser attribute and the = Operator.
- Click √
- Click Update.
- Click Refresh User Group.
Note: It takes up to five minutes to refresh and populate the users list.
- Click <<Back To Sharing groups List.
Now, three CSMs are added to the user group CSMgroup1. These three CSMs will work on Customers who are in the Will Churn Stage. Now we create a rule such that only the CSMs of this group (CSMgroup1), instead of all the CSMs, can view the data of Customers that are in the Will Churn Stage.
- Navigate to the Resources tab.
- Click the edit icon of the Company Resource.
- Click Edit link for R1 rule (This is an Advice created in this rule already).
- Click + Criteria and select User Group as the Attribute, in as the Operator, and enter CSMgroup1.
- Click Ok.
- Click Update
User Attributes are not static but once added, cannot be deleted. User Attributes can be deleted from the backend only upon request, whereas Resource attributes may be deleted at any time.
When you apply Data Permissions on the Activity Timeline object, the associated permissions are not honoured on Timeline accessed from the Global Timeline page.
You can delete resource attributes as these are specific to an object, unless they are in use. If they are in use and you try to delete, it will throw an error.
An activity performed by a user on a given resource is called an Action. By default the feature provides READ and WRITE actions for all the resources. Actions can be created and incorporated for the resource types. ACTIONS cannot be added dynamically for a given resource type.
If the user is added to a user group through a rule defined in the user group, removing the user from the group’s list manually does not ensure that user is no longer part of the user group. This is because all of the users that fulfill the group’s rule criteria are automatically added again when the user group job executes.
GS takes a UNION of all the data permissions a user has while resolving data permissions. This means the highest of all the permissions is assigned to the user. The behavior is the same for inherited permissions and for base and parent objects: the UNION of all base and parent object permissions is applied to the user.
For example: Currently, CTA has a lookup to the Relationship and Relationship Type objects. Hence, while resolving the CTA permissions, the UNION of CTA, Relationship, and Relationship Type permissions is applied. If the CTA had “Everyone gets READ/WRITE access”, it would supersede any Relationship or Relationship Type permissions specified.
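The following added example (a simplified model, not Gainsight code) shows how the rule semantics described in Define Sharing Rules and the UNION behavior above combine, so an admin can reason about a user's effective access before saving rules. It assumes the default AND operator inside a rule and models the UNION as access through any looked-up parent; the class names, field names, and sample records are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    criteria: dict  # user attribute -> allowed values ("in" operator)
    advice: dict    # record attribute -> allowed values ("in" operator)

    def grants(self, user, record):
        # Conditions inside one rule are ANDed (the default operator).
        return (all(user.get(k) in v for k, v in self.criteria.items())
                and all(record.get(k) in v for k, v in self.advice.items()))

@dataclass
class Resource:
    name: str
    everyone: bool = True  # "Everyone gets READ/WRITE access", on by default
    rules: list = field(default_factory=list)
    parents: dict = field(default_factory=dict)  # lookup field -> parent Resource

def can_read(user, resource, record):
    if user.get("super_admin"):   # Data Permissions do not apply to super admins
        return True
    if resource.everyone:         # supersedes every conditional rule
        return True
    if any(rule.grants(user, record) for rule in resource.rules):  # rules are ORed
        return True
    # UNION with parent objects, modeled here (assumption) as access via any lookup.
    return any(can_read(user, parent, record[f])
               for f, parent in resource.parents.items() if f in record)

# Constructed sample data following the page's walkthrough.
r1 = Rule(criteria={"UserGroup": {"CSMgroup1"}}, advice={"Stage": {"Will Churn"}})
company = Resource("Company", everyone=False, rules=[r1])
relationship = Resource("Relationship", everyone=False, rules=[r1])
abc = {"Name": "ABC Corp Ltd", "Stage": "Will Churn"}
other = {"Name": "Example Co", "Stage": "Active"}
rel_churn = {"Name": "Rel A", "Stage": "Will Churn"}
rel_healthy = {"Name": "Rel B", "Stage": "Active"}
csm_in = {"Name": "csm-a", "UserGroup": "CSMgroup1"}
csm_out = {"Name": "csm-b", "UserGroup": "Support"}

def cta_resource(everyone):
    # CTA has a lookup to Relationship, as in the page's example.
    return Resource("CTA", everyone=everyone, parents={"Relationship": relationship})

cta_on_healthy = {"Name": "Renewal risk", "Relationship": rel_healthy}
cta_on_churn = {"Name": "Churn call", "Relationship": rel_churn}
```

With `cta_resource(True)`, a user outside CSMgroup1 can still read `cta_on_healthy`, which is the superseding effect to check for when a restricted object is reachable through a lookup from an unrestricted one.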