Data Permissions

This article explains how access to data from different Gainsight and Salesforce objects through Gainsight applications can be restricted to specific users. For example, Admins can create an access rule for the Sales team in the US East region to access only the companies in that region. 

Overview

Data Permissions can be applied from the Administration > Data Permissions page. This page has the following four tabs:

  • Company: Restricts data on the Company object to specific Gainsight users. For example, users from the US East region can be given access on the Company resource only to companies in the Will Churn stage.

  • Other MDA Objects: Restricts data access on the Gainsight or SFDC objects to specific Gainsight users.

  • User Attributes: Lets you add the user attributes that are used for defining a rule to filter users in the Other MDA Objects tab and the Company tab.
  • Sharing Groups: Lets you create new user groups and add users manually and/or by setting criteria on the User object. For example, a user group is created by setting criteria to select CSMs from the US East region.

The Other MDA Objects tab and the Company tab list the Gainsight or SFDC objects on which data access restrictions can be applied. Access restriction is applied using User object attributes or user groups. The User Attributes tab helps you add the user attributes that are used in creating rules from the Other MDA Objects tab. The Sharing Groups page helps you create the groups of users that are used in creating rules from the Other MDA Objects tab and the Company tab. Rules on the user attributes or user groups can be created to apply data permissions on a resource to the selected users.

When the Data Permissions are applied, permissions are granted in the following Gainsight applications:

  • In the C360 > Relationship section
  • In Cockpit > Call to Action (CTA): if you have applied permissions, in the Cockpit list view and the CTA assignment screen
  • Gainsight’s Global Search
  • 360
  • Dashboard
  • Report Builder
  • Global Timeline
  • Renewal Center
  • Text Analytics
  • NPS® Analytics

Notes:

  • If a user who does not have access to a Company record tries to access it through its URL, an error message is displayed.
  • Permission attributes that have lookup enabled cannot be added as Advice to provide conditional read or write access to the user. Admins must add the fields to permission attributes without enabling lookup to provide conditional read or write access to the user.

Prerequisite

Data Permissions can be applied only to Gainsight users, which means that data access can be restricted only for Gainsight users.

Other MDA Objects

This section explains how data access can be restricted on the Gainsight or SFDC objects to specific Gainsight users.

The Other MDA Objects tab contains the following options:

  • Source Type: From the Source Type dropdown, you must select either MDA or SFDC to apply data permissions on the respective objects. The SFDC option is available only when your org is connected to SFDC through Salesforce Connector.
  • Resources: The Resources column lists the objects on which data access restriction is applied by defining conditions.
  • Filter: You can use this search box to search for an object.
  • Sharing Rules: This option for each resource lets you apply data permissions on each resource by configuring Resource Permission Attributes and Sharing Rules.
  • Refresh: You can click this button to refresh the resource list.

Sharing Rules

In the Sharing Rules column, when you click the edit icon to configure the resource permission attributes and sharing rules, the following three sections appear:

  • Permissions Attributes: This section has the list of attributes that can be used to define Sharing Rules. Attributes are a set of identifiers on a given resource, user, or environment which can later be used in setting up the conditions to enable access to the resource. Attributes can be used to define the security.
  • Inheritance Rules: This section applies advanced logic to the inherited objects.
  • Sharing Rules: This section has the set up configurations for granting access to resources to all or specific Gainsight users.

For example, Data Permissions are used to restrict access to all companies for specific CSMs, and then grant permission to access data to only those companies which are in the Will Churn Stage.

IMPORTANT:

  • Data Permissions are not applied to super admins because they have access to all the data.
  • A delay of around two minutes can be expected before the access restrictions are implemented.

Add Permission Attributes

This section explains how attributes are added from the resource. Advice is applied on these attributes in the Sharing Rules section.

To add attributes for data permissions:

  1. Click the Edit icon against any resource. It navigates you to the page where you configure the Sharing Rules.
  2. In the Permission Attributes section, from the Add Attributes dropdown, select any attribute.
  3. Click +Attribute to add any attribute to the list of permission attributes.
  4. (Optional) Select the Add without lookup checkbox to add an attribute without lookup enabled for the dependent fields on this attribute.
  5. (Optional) Click Sort based on lookup to sort all the attributes by filtering the attributes based on the permissions that the attributes inherited from the parent objects.

Notes:

  • A maximum of 20 attributes can be added to the list.
  • Attributes are a set of identifiers on a given resource, user, or environment which can later be used in setting up the conditions which enable access to the resource. Attributes can be used to define the security.
  • Attributes can be inherited from any object such as Relationship, Activity Timeline, etc. 
  • Selecting the Add without lookup checkbox is not allowed for the attributes that are dependent on other objects such as User Id and Company Id.

Inheritance Rules

Inheritance rules allow admins to control who can access records within an object based on specific rules set within that object and also rules inherited from related objects in Permission Attributes. 

Example Business Use Case:

Consider partner users who should only see the CTAs they own. Usually, partners can see all CTAs linked to a company or relationship because of the default OR condition. With inheritance rules, admins can customize this access logic. They can set an AND condition for partner users, ensuring they only see their own CTAs, while retaining the OR condition for other users, allowing them to see all relevant CTAs. This feature provides targeted data access, enhancing user experience and data security.

Note: This enhancement feature, as a part of the prerequisite for implementing Partner Success, applies to the following products:

  • Cockpit
  • Success Plan
  • Timeline
  • Scorecards
  • Reports
  • Dashboards
  • Layouts
  • Text Analytics
  • NPS® Analytics

To configure Inheritance Rules:

  1. Click +RULES. A window appears.
  2. Enter Rule Name.
    1. Click +CRITERIA. 
      1. From the Attribute dropdown, select any user attribute or user group. User attributes that you see in the dropdown are configured in the User Attributes tab and user groups are configured in the Sharing Groups section. For more information, refer to the User Attributes and Sharing Groups sections.
      2. Select the required operator and value for the attribute.
      3. Click the Save icon.
      4. In the Advanced Logic text box, enter Advanced Logic using AND or OR operators.
    2. In the Inheritance Expression section, enter Advanced Logic using AND or OR operators.
    3. Click Save.

All the inheritance rules are displayed in the Company and Other MDA Objects tabs.

Note: When you create a rule, the OR operator is applied by default. However, you can change it to the AND operator whenever required.

Manage Rules Priority

Managing rules priority involves specifying the order in which rules are applied in a system or process. It ensures that conflicting rules are resolved effectively and helps in achieving desired outcomes by determining which rule takes precedence.

To manage rules priority:

  1. Click Manage Rules Priority. A window appears.
  2. Rearrange the ranks using drag and drop.
  3. Click Save.

Notes:

  • You cannot change the order of the Default rule.
  • If a user meets a single rule, the system uses that rule, even if it's the last one in the list. However, when a user qualifies for multiple rules, the system only applies the top-most rule.
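
The priority and AND/OR behaviour described above can be checked with a small model before changing the rule order. This is an added example, not Gainsight code: the rule names, user fields and CTA records are constructed, and it assumes the Default rule sits last and uses OR.

```python
# Illustrative model only (not Gainsight code); every name and record is constructed.
from dataclasses import dataclass
from typing import Callable


@dataclass
class InheritanceRule:
    name: str
    matches: Callable[[dict], bool]  # user criteria for the rule
    operator: str                    # "AND" or "OR" between own and inherited access


# Assumption: the Default rule is always ranked last and uses OR.
DEFAULT = InheritanceRule("Default", lambda user: True, "OR")


def pick_rule(user, ranked_rules):
    """Return the top-most rule the user qualifies for, else Default."""
    for rule in [*ranked_rules, DEFAULT]:
        if rule.matches(user):
            return rule


def visible_ctas(user, ctas, ranked_rules):
    """Ids of the CTAs the user can see under the selected inheritance expression."""
    rule = pick_rule(user, ranked_rules)
    seen = []
    for cta in ctas:
        own = cta["owner"] == user["name"]               # rule set on the CTA object itself
        inherited = cta["company"] in user["companies"]  # access inherited through the lookup
        allowed = (own and inherited) if rule.operator == "AND" else (own or inherited)
        if allowed:
            seen.append(cta["id"])
    return seen


PARTNERS = InheritanceRule("Partners", lambda u: u["type"] == "partner", "AND")
EMEA = InheritanceRule("EMEA", lambda u: u["region"] == "EMEA", "OR")

# Constructed sample data.
CTAS = [
    {"id": "cta1", "owner": "pat", "company": "Acme"},
    {"id": "cta2", "owner": "casey", "company": "Acme"},
    {"id": "cta3", "owner": "pat", "company": "Globex"},
]
PAT = {"name": "pat", "type": "partner", "region": "EMEA", "companies": {"Acme"}}
CASEY = {"name": "casey", "type": "csm", "region": "EMEA", "companies": {"Acme", "Globex"}}

if __name__ == "__main__":
    for order in ([PARTNERS, EMEA], [EMEA, PARTNERS]):
        print([r.name for r in order], "pat sees", visible_ctas(PAT, CTAS, order))
```

With the partner rule ranked first, the partner user sees only the CTA they own on a company they can access; with the broader OR rule ranked above it, the same user qualifies for both rules and gets the wider OR result.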

Configure Sharing Rules

This section explains how to set up configurations for granting access to resources to all or specific Gainsight users in the Sharing Rules section. Access to a resource is granted to everyone by default.

Conditional access restricts access to some or all of the data in the resource to specific users or user groups. Data in the resource is filtered by setting advice, and users or user groups are filtered by setting criteria.

  1. Click +RULE to set conditional read/write access. A window appears.
  2. Create a Rule as shown below:
    1. Enter Rule name.
    2. Set user criteria to grant data access on a resource as shown below:
      1. Click +Criteria.
      2. From the Attribute dropdown, select any user attribute or user group. User attributes that you see in the dropdown are configured in the User Attributes tab and user groups are configured in the Sharing Groups section. For more information, refer to the User Attributes and Sharing Groups sections.
      3. Select the required operator and value for the attribute.
      4. Click the Save icon.
      5. (Optional) Add multiple criteria and apply advanced logic between them using the AND or OR operators.
    3. Set advice on the attributes of the resource as shown below:
      1. Click +Advice.
      2. From the Field dropdown, select any resource attribute. These attributes are configured in the Permission Attributes section.
      3. Select the required operator.
      4. From the Logged-in User Attributes dropdown, select any user field to match criteria between advice and user fields, or enter a value for the Advice field.
      5. Click the Save icon.
      6. (Optional) Add multiple Advice and apply advanced logic between them using the AND or OR operators.
    4. Click Save.

Notes:

  • When you create multiple Criteria or Advice, the AND operator is applied by default. However, you can change it to the OR operator whenever required.
  • When you add multiple Rules, the OR operator is applied. You cannot modify this operator.

  3. Click Save.

Notes:

  • All the resources have read and write access by default at the Resource level. Admins can grant Conditional READ/WRITE access by creating Rules under the Sharing Rules section.
  • An administrator can define multiple condition sets, or a combination of conditions for every action on the resource to grant access to the end-users.
  • Role hierarchies are automatically applied to sharing rules. This means the reporting manager of the users automatically has access to all the records that are shared with those users.

Configure Sharing Rules to Restrict Access to Specific Companies

This section explains how Data Permissions are used to grant access to only those companies which are in the Will Churn Stage.

To restrict access to specific companies:

  1. Navigate to the Other MDA Objects tab.
  2. Click the Edit icon for the Relationship type.
  3. Switch the toggle button to add rules in the Sharing Rules section.
  4. Click Save Sharing Rules. A confirmation dialog is displayed.
  5. Click Yes if you want to apply access changes on all lookup objects.

IMPORTANT: When an Admin creates a sharing rule for a Company, Relationship, or Relationship Type object, the rule is inherited by any object that is looking up to one of these objects and has any of these objects' attributes (Company, Relationship, and Relationship Type).

Now, CSMs cannot view any Company. The following image from the Data Operations page shows that there are three company records, but the page still displays No data found.

Data Operations _No Data.png

  6. In the Conditional READ/WRITE access section, click + RULE. A window appears.
  7. Enter Rule Name.
  8. Click + Advice.
  9. Set Advice as shown below:
    • Field: Stage
    • Operator: in
    • Value: Will Churn
  10. Click the Save icon.
  11. In the Rule Setup page, click Save.
  12. In the Resource page, click Save Sharing Rules.

CSMs can now see data associated with only the ABC Corp Ltd company, as this is the only company in the Will Churn stage. The following image from the Data Operations page displays only one company.

Data_Operations_Company.png

You can also set criteria to restrict access to companies at the user level. For instance, if you set criteria that filter users belonging to the APAC region, then APAC users can view only those companies that are in the Will Churn stage. Non-APAC users cannot view data belonging to any company.
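
The effective access that the steps above produce can be reasoned about with a small model, written here as an added example that is not Gainsight code. It follows the semantics stated on this page (AND between Criteria and between Advice, OR between Rules, super admins exempt); the field names, users and the two companies other than ABC Corp Ltd are constructed, and treating an empty Criteria or Advice list as matching everything is an assumption.

```python
# Illustrative model only (not Gainsight code); field names and records are constructed.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    criteria: list = field(default_factory=list)  # predicates on the logged-in user
    advice: list = field(default_factory=list)    # predicates on the record

    def grants(self, user, record):
        # Multiple Criteria or Advice are joined with AND by default.
        # Assumption: an empty list matches everything.
        return (all(c(user) for c in self.criteria)
                and all(a(record) for a in self.advice))


def can_read(user, record, rules, restricted=True):
    if user.get("super_admin"):  # Data Permissions are not applied to super admins
        return True
    if not restricted:           # access is granted to everyone by default
        return True
    return any(rule.grants(user, record) for rule in rules)  # Rules are joined with OR


def access_matrix(users, records, rules, restricted=True):
    """Map each user name to the sorted record names that user can read."""
    return {u["name"]: sorted(r["Name"] for r in records
                              if can_read(u, r, rules, restricted))
            for u in users}


def review(matrix, records):
    """Label each user's effective access as 'none', 'all' or 'partial'."""
    total = len(records)
    return {name: "none" if not seen else "all" if len(seen) == total else "partial"
            for name, seen in matrix.items()}


# Constructed sample data; only ABC Corp Ltd and the Will Churn stage come from the page.
COMPANIES = [
    {"Name": "ABC Corp Ltd", "Stage": "Will Churn"},
    {"Name": "Example Co A", "Stage": "Active"},
    {"Name": "Example Co B", "Stage": "Onboarding"},
]
USERS = [
    {"name": "csm_apac", "region": "APAC"},
    {"name": "csm_emea", "region": "EMEA"},
    {"name": "admin", "region": "APAC", "super_admin": True},
]
WILL_CHURN = Rule("R1",
                  criteria=[lambda u: u["region"] == "APAC"],
                  advice=[lambda r: r["Stage"] in {"Will Churn"}])

if __name__ == "__main__":
    matrix = access_matrix(USERS, COMPANIES, [WILL_CHURN])
    print(matrix)
    print(review(matrix, COMPANIES))
```

Running the same matrix with an empty rule list reproduces the No data found state that follows switching on the toggle, which makes it a quick check that a rule set grants what was intended and nothing more.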

User Attributes

The User Attributes tab consists of all the attributes that can be used for defining/creating a rule/permission. You can use an attribute to create a rule which decides the access rights granted to a specific user.

Following are a couple of key terms related to User Attributes:

  • User: A consumer from whom access to a given resource needs to be protected. A consumer can be a user who has a Gainsight User License or a system simulating a user.
  • User Attributes: The properties which can be used to create Sharing Rules (in the Resources tab).

The User Attributes tab contains the following options:

  1. Add Attributes: From the User Attributes dropdown, you can select the required user field and click + to add user attributes to the list.

Note: User Attributes are not static but once added, cannot be deleted.

  2. Refresh User Data: The attributes list for rules is updated every hour. When you add a new user attribute, you must click Refresh User Data, to immediately start using the newly added attribute while creating rules.
  3. Clear Tenant Cache: The attributes list for rules is updated every hour. You can click Clear Tenant Cache to prevent reflecting newly added attributes while creating rules in the Resources section.
  4. Search in User Attributes: You can use this search box to find any user attribute.

Create Sharing Groups

This tab enables you to create new user groups. You can add users to a user group manually and/or by setting criteria on the User object.

To create a user group:

  1. Navigate to the Sharing Groups tab.
  2. Click +New Sharing-Group.
  3. Enter a name for the user group. Avoid using spaces and special characters as only alphanumeric strings are allowed.
  4. Click Ok.

You can add users to a group in two ways: manually and/or by setting criteria on the User object.

To add users to a group manually:

  1. Click the Edit icon of any user group.
  2. Click Add Users Manually. The Add New User window appears.
  3. Select the checkbox of the required users.
  4. (Optional) Select the Allow Inactive Users checkbox to add the inactive users also to the group.
  5. Click Save.
  6. (Optional) Select the user checkbox and click Delete Users to delete an added user.
  7. Click Refresh User Group, to refresh the user group.

Note: User groups are refreshed periodically but you can click the Refresh User Group button to refresh instantly.

You must set criteria on the User object to add users by creating a rule. When you set criteria, the list of users meeting the criteria is added to the User Group. You can delete any users, if required.

To add users to a group by setting criteria on the User object:

  1. Click the Edit icon of any user group.
  2. Click + Criteria.
  3. Set criteria as shown below:
    1. Select a user attribute.
    2. Select the required operator.
    3. Select the checkbox or enter a value.
  4. Click the Save icon.
  5. (Optional) Add multiple criteria and apply advanced logic between them using the AND or OR operators.
  6. Click Update.
  7. Click Refresh User Group.

Note: It takes a maximum of five minutes to refresh and populate the user list.

To configure Sharing Rules on a resource using a user group:

  1. Navigate to the Resources tab.
  2. Click the edit icon of the Company Resource.
  3. Click the Edit icon of the R1 rule. There is an Advice created in this rule already.
  4. Click + Criteria.
  5. Set criteria as shown below:
    1. From the Attribute dropdown, select User Group.
    2. From the Operator dropdown, select in.
    3. Enter CSMgroup1.
    4. Click the Save icon of the Criteria.
  6. Click Update.

Limitations

  • User attributes are not static but once added, cannot be deleted. User attributes can be deleted from the backend only upon request, whereas resource attributes can be deleted at any time.
  • You can delete resource attributes as these are specific to an object. Deleting them is not allowed when they are in use.
  • An activity performed by a user on a given resource is called an action. Every feature provides READ and WRITE actions on all the resources, by default.
  • If a user is added to a user group through a rule defined in the user group, removing the user from the group’s list manually does not ensure that the user is no longer part of the user group. This is because all of the users that fulfill the group’s rule criteria are added again automatically.
  • Gainsight applies a union of all the data permissions assigned to a user while resolving data permissions. This means that the highest permissions of all the permissions are assigned to the user. This behavior is the same when dealing with permissions inherited from parent to child objects: the union of all the permissions from the child and parent objects is applied to the user.

    For example, the Call to Action object has a lookup to the Relationship and Relationship Type objects. While resolving permissions on the Call to Action object, union of permissions on the Call to Action, Relationship, and Relationship Type are applied. If the Call to Action object has the Everyone gets READ/WRITE access permission, then permissions on the Call to Action object are superseded by the Relationship or Relationship Type permissions.