Gainsight Inc.

Gainsight Data Permissions

This article explains how access to data from different Gainsight and Salesforce objects through Gainsight applications can be restricted to specific users. For example, Admins can create an access rule for the Sales team in the US East region to access only the companies in that region. 

Overview

Data Permissions can be applied from the Administration > Data Permissions page. This page has the following three tabs:

  • User Attributes: Lets you add the user attributes that are used to define rules for filtering users in the Resources page.
  • Sharing Groups: Lets you create user groups and add users manually and/or by setting criteria on the User object. For example, a user group can be created by setting criteria that select CSMs from the US East region.
  • Resources: Lets you restrict data access on Gainsight or SFDC objects to specific Gainsight users. For example, access can be applied on the Company resource so that users from the US East region can access only companies in the Will Churn stage.

The Resources page lists the Gainsight or SFDC objects on which data access restrictions can be applied. Access restriction is applied using User object attributes or user groups. The User Attributes tab helps you add the user attributes that are used in creating rules from the Resources page. The Sharing Groups page helps you create groups of users, which are also used in creating rules from the Resources page. Rules on the user attributes or user groups can then be created to apply data permissions on a resource to the selected users.

When the Data Permissions are applied, permissions are granted in the following Gainsight applications:

  • In the C360 > Relationship section
  • In Cockpit > Call to Action (CTA): the Cockpit list view and the CTA assignment screen, if you have applied permissions
  • Gainsight’s Global Search
  • 360
  • Dashboard
  • Report Builder
  • Global Timeline
  • Renewal Center

Note: If a user who does not have access to a Company record tries to access it through its URL, an error message is displayed.

Prerequisites

  • Data Permissions can be applied only to Gainsight users, which means data access is restricted only for Gainsight users.
  • The Gainsight user should have been assigned the Gainsight Special Permission Set in Salesforce to configure Sharing Settings.
  • The Gainsight org should have been authorized for MDA.
  • Gainsight standard objects should have been installed.
  • The Salesforce Connector should have been enabled in Gainsight for user sync.
  • A remote site setting https://app.gainsight.com should have been added to your Salesforce remote sites. For more information on how to add remote sites, refer to the Configure Remote Site Settings Salesforce article.

Resources

This section explains how data access can be restricted on the Gainsight or SFDC objects to specific Gainsight users.

The Resources tab contains the following options:

  • Source Type: From the Source Type dropdown, you must select either MDA or SFDC to apply data permissions on the respective objects. The SFDC option is available only when your org is connected to SFDC through Salesforce Connector.
  • Resources: Resources column contains the objects on which data access restriction is applied by defining conditions.
  • Filter resources: You can use this search box to search an object.
  • Sharing Rules: This option for each resource lets you apply data permissions on each resource by configuring Resource Permission Attributes and Sharing Rules.
  • Refresh: You can click this button to refresh the resource list.

Sharing Rules

In the Sharing Rules column, when you click the edit icon to configure the resource permission attributes and sharing rules, the following two sections appear:

  • Permissions Attributes: This section has the list of attributes that can be used to define Sharing Rules. Attributes are a set of identifiers on a given resource, user, or environment which can later be used in setting up the conditions to enable access to the resource. Attributes can be used to define the security.
  • Sharing Rules: This section has the set up configurations for granting access to resources to all or specific Gainsight users.

For example, Data Permissions are used to restrict access to all companies for specific CSMs, and then grant permission to access data to only those companies which are in the Will Churn Stage.

IMPORTANT:

  • Data Permissions are not applied to super admins because they have access to all the data.
  • You can restrict access to a field (or even an object) through Data Permissions. If a restricted field has a lookup to an object, the restricted field is still visible when viewed through the lookup object. The super admin should also restrict access to this field through that object. For instance, if you restrict access to the Company object, users can still view restricted company details through CTA.
  • A delay of around two minutes can be expected before the access restrictions are implemented.

Add Permission Attributes

This section explains how attributes are added to a resource. Advice is then set on these attributes in the Sharing Rules section.

To add attributes for data permissions:

  1. Click the Edit icon against any resource. It navigates you to the page where you configure the Sharing Rules.
  2. In the Permission Attributes section, from the Add Attributes dropdown, select any attribute.
  3. Click +Attribute to add any attribute to the list of permission attributes.
  4. (Optional) Select the Add without lookup checkbox to add an attribute without lookup enabled for the dependent fields on this attribute.
  5. (Optional) Click Sort based on lookup to sort all the attributes by filtering the attributes based on the permissions that the attributes inherited from the parent objects.

Notes:

  • A maximum of 20 attributes can be added to the list.
  • Attributes are a set of identifiers on a given resource, user, or environment which can later be used in setting up the conditions which enable access to the resource. Attributes can be used to define the security.
  • Attributes can be inherited from any object such as Relationship, Activity Timeline, etc. 
  • Selecting the Add without lookup checkbox is not allowed for the attributes that are dependent on other objects such as User Id and Company Id.

Configure Sharing Rules

This section explains how to set up configurations for granting access to resources to all or specific Gainsight users in the Sharing Rules section. Access to a resource is granted to everyone by default, which means the Everyone gets READ/WRITE access toggle is switched ON by default.

Conditional access restricts access to some or all of the data in the resource to specific users or user groups. Data in the resource is filtered by setting advice, and users or user groups are filtered by setting criteria.

To configure Sharing Rules to users:

CAUTION: Turning ON the Everyone gets READ/WRITE access toggle prevents you from configuring Conditional READ/WRITE access and also deletes all the saved rules.

  1. If you have not enabled access to everyone before you set the conditional access, turn ON the Everyone gets READ/WRITE access toggle switch to grant read/write access of the selected attributes to everyone.

  2. Switch the Everyone gets READ/WRITE access toggle OFF to enable configuring conditional READ/WRITE access.

  3. Click +RULE to set conditional read/write access. A window appears.

  4. Create a Rule as shown below:
    1. Enter Rule name.
    2. Set user criteria to grant data access on a resource as shown below:
      1. Click +Criteria.
      2. From the Attribute dropdown, select any user attribute or user group. User attributes that you see in the dropdown are configured in the User Attributes tab and user groups are configured in the Sharing Groups section. For more information, refer to the User Attributes and Sharing Groups sections.
      3. Select the required operator and value for the attribute.
      4. Click the Save icon.
      5. (Optional) Add multiple criteria and apply advanced logic between them using the AND or OR operators.
    3. Set advice on the attributes of the resource as shown below:
      1. Click +Advice.
      2. From the Field dropdown, select any resource attribute. These attributes are configured in the Permission Attributes section.
      3. Select the required operator.
      4. From the Logged-in User Attributes dropdown, select any user field to match criteria between advice and user fields or enter value for the Advice field.
      5. Click the Save icon.
      6. (Optional) Add multiple Advice and apply advanced logic between them using the AND or OR operators.
    4. Click Save.

Notes: 

  • When you create multiple Criteria or Advice, the AND operator is applied by default. However, you can change it to OR operator, whenever required.
  • When you add multiple Rules, the OR operator is applied. You cannot modify this operator.

  5. Click Save.

Notes:

  • All the resources have read and write access by default at the Resource level. Admins can grant Conditional READ/WRITE access by creating Rules under the Sharing Rules section.
  • An administrator can define multiple condition sets, or a combination of conditions for every action on the resource to grant access to the end-users.

Configure Sharing Rules to Restrict Access to Specific Companies

This section explains how Data Permissions are used to grant access to only those companies which are in the Will Churn Stage.

To restrict access to specific companies:

  1. Navigate to the Resources tab.
  2. Click the Edit icon, for the Company Resource.
  3. Switch the toggle Everyone gets Read/Write access off, in the Sharing Rules section.
  4. Click Save Sharing Rules.

Now, CSMs cannot view any Company. The following image from the Data Operations page displays that there are three company records, but still displays No data found.

[Image: Data Operations page showing "No data found"]

  5. In the Conditional READ/WRITE access section, click + RULE. A window appears.
  6. Enter Rule Name.
  7. Click + Advice.
  8. Set Advice as shown below:
    • Field: Stage
    • Operator: in
    • Value: Will Churn
  9. Click the Save icon.
  10. In the Rule Setup page, click Save.
  11. In the Resource page, click Save Sharing Rules.

CSMs can now see data associated with only ABC Corp Ltd Company, as this is the only company in the Stage, Will Churn. The following image from the Data Operations page displays only one company.

[Image: Data Operations page showing one company]

You can also set criteria to restrict access to companies at the user level. For instance, if you set criteria that filter users belonging to the APAC region, then APAC users can view only those companies that are in the Will Churn stage. Non-APAC users cannot view data belonging to any company.
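The following is an added example, not Gainsight code: a small Python model of the rule semantics this page describes (Everyone toggle, super admin bypass, Criteria and Advice combined with AND by default, multiple rules always OR-ed), applied to the Will Churn and APAC scenario above so an admin can check effective access before saving rules. The `super_admin` key, the `$user.<attr>` notation for a Logged-in User Attribute, the sample records other than ABC Corp Ltd, and the treatment of an empty Criteria or Advice list as "matches everything" are assumptions made for the model.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    criteria: list = field(default_factory=list)  # (user_attr, allowed values); empty = all users
    advice: list = field(default_factory=list)    # (record_field, allowed values or "$user.<attr>")
    criteria_logic: str = "AND"                   # page: AND by default, OR selectable
    advice_logic: str = "AND"

def _combine(results, logic):
    results = list(results)
    if not results:       # assumption: an empty condition list matches everything
        return True
    return all(results) if logic == "AND" else any(results)

def _advice_ok(record, user, fld, value):
    # Advice compares a record field to a literal set or to a logged-in user attribute
    if isinstance(value, str) and value.startswith("$user."):
        return record.get(fld) == user.get(value[len("$user."):])
    return record.get(fld) in value

def can_access(user, record, rules, everyone_toggle=False):
    if user.get("super_admin") or everyone_toggle:
        return True       # page: super admins bypass; toggle ON grants everyone
    for r in rules:       # page: multiple rules are OR-ed and this cannot be changed
        user_ok = _combine((user.get(a) in vals for a, vals in r.criteria), r.criteria_logic)
        rec_ok = _combine((_advice_ok(record, user, f, v) for f, v in r.advice), r.advice_logic)
        if user_ok and rec_ok:
            return True
    return False          # toggle OFF and no matching rule: nothing is visible

def visible(user, records, rules, everyone_toggle=False):
    return [r["Name"] for r in records if can_access(user, r, rules, everyone_toggle)]

# Constructed sample data: three companies, one of them in the Will Churn stage
COMPANIES = [
    {"Name": "ABC Corp Ltd", "Stage": "Will Churn", "Region": "EMEA"},
    {"Name": "Example One", "Stage": "Active", "Region": "APAC"},
    {"Name": "Example Two", "Stage": "Active", "Region": "US East"},
]
APAC_CSM = {"Name": "csm_apac", "Region": "APAC"}
US_CSM = {"Name": "csm_us", "Region": "US East"}
ADMIN = {"Name": "admin", "super_admin": True}

WILL_CHURN = Rule("R1", criteria=[("Region", {"APAC"})], advice=[("Stage", {"Will Churn"})])
OWN_REGION = Rule("R2", advice=[("Region", "$user.Region")])  # hypothetical second rule
```

Because rules are OR-ed, adding `OWN_REGION` next to `WILL_CHURN` widens what each CSM sees rather than narrowing it, which is the behaviour to check for when reviewing a resource with several rules.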

User Attributes Options

The User Attributes tab consists of all the attributes that can be used for defining/creating a rule/permission. You can use an attribute to create a rule which decides the access rights granted to a specific user.

Following are a couple of key terms related to User Attributes:

  • User: A consumer from whom the access needs to be protected for a given resource. A consumer can be the user who has a Gainsight User License or a system simulating user.
  • User Attributes: The properties which can be used to create Sharing Rules (in the Resources tab).

The User Attributes tab contains the following options:

  1. Add Attributes: From the User Attributes dropdown, you can select the required user field and click + to add user attributes to the list.

Note: User Attributes are not static but once added, cannot be deleted.

  2. Refresh User Data: The attributes list for rules is updated every hour. When you add a new user attribute, you must click Refresh User Data, to immediately start using the newly added attribute while creating rules.
  3. Clear Tenant Cache: The attributes list for rules is updated every hour. You can click Clear Tenant Cache to prevent reflecting newly added attributes while creating rules in the Resources section.
  4. Search in User Attributes: You can use this search box to find any user attribute.

Create Sharing Groups

This tab enables you to create new user groups. You can add users to a user group manually and/or by setting criteria on the User object.

To create a user group:

  1. Navigate to the Sharing Groups tab.
  2. Click +New Sharing-Group.
  3. Enter a name for the user group. Avoid using spaces and special characters as only alphanumeric strings are allowed.
  4. Click Ok.

You can add users to a group in two ways: manually and/or by setting criteria on the User object.

To add users to a group manually:

  1. Click the Edit icon of any user group.
  2. Click Add Users Manually. The Add New User window appears.
  3. Select the checkbox of the required users.
  4. (Optional) Select the Allow Inactive Users checkbox to add the inactive users also to the group.
  5. Click Save.
  6. (Optional) Select the user checkbox and click Delete Users to delete an added user.
  7. Click Refresh User Group, to refresh the user group.

Note: User groups are refreshed periodically but you can click the Refresh User Group button to refresh instantly.

To add users by creating a rule, you must set criteria on the User object. When you set criteria, the list of users meeting the criteria is added to the User Group. You can delete any users, if required.

To add users to a group by setting a criteria on the User object:

  1. Click the Edit icon of any user group.
  2. Click + Criteria.
  3. Set criteria as shown below:
    1. Select a user attribute.
    2. Select the required operator.
    3. Select checkbox or enter value.
  4. Click the Save icon.
  5. (Optional) Add multiple criteria and apply advanced logic between them using the AND or OR operators.
  6. Click Update.
  7. Click Refresh User Group.

Note: It takes a maximum of five minutes to refresh and populate the user list.

To configure Sharing Rules on a resource using a user group:

  1. Navigate to the Resources tab.
  2. Click the edit icon of the Company Resource.
  3. Click the Edit icon of the R1 rule. There is an Advice created in this rule already.
  4. Click + Criteria.
  5. Set criteria as shown below:
    1. From the Attribute dropdown, select User Group.
    2. From the Operator dropdown, select in.
    3. Enter CSMgroup1.
    4. Click the Save icon of the Criteria.
  6. Click Update.

Limitations

  • User attributes are not static but once added, cannot be deleted. User attributes can be deleted from the backend only upon request, whereas resource attributes can be deleted at any time.
  • You can delete resource attributes as these are specific to an object. Deleting them is not allowed when they are in use.
  • An activity performed by a user on a given resource is called an action. Every feature provides READ and WRITE actions on all the resources, by default.
  • If a user is added to a user group through a rule defined in the user group, removing the user from the group’s list manually does not ensure that user is no longer part of the user group. This is because all of the users that fulfill the group’s rule criteria are added again automatically.
  • Gainsight applies a union of all the data permissions assigned to a user while resolving data permissions. This means that the highest of all the permissions is assigned to the user. This behavior is the same when dealing with permissions inherited from parent to child objects: the union of all the permissions from the child and parent objects is applied to the user.

    For example, the Call to Action object has a lookup to the Relationship and Relationship Type objects. While resolving permissions on the Call to Action object, union of permissions on the Call to Action, Relationship, and Relationship Type are applied. If the Call to Action object has the Everyone gets READ/WRITE access permission, then permissions on the Call to Action object are superseded by the Relationship or Relationship Type permissions.

 
