Record-level sharing settings configured in Salesforce are honored by the Gainsight application (with the exceptions noted below under Limitations). No changes are made automatically. Your Salesforce Admin must set the permissions in Salesforce to control which users can see which records based on object permissions, profile setting, role hierarchy and shared settings.
In Gainsight, on the Administration > Security Controls page, simply turn on or off the option to honor Salesforce permissions in 5 areas of the product where users can view reports.
The Gainsight modules and report sections for which you can provide permissions:
- Gainsight Home page
- C360 and R360 Related List sections
- Customers tab
- Engagement tab
- Widgets (Gainsight widget displayed on SFDC Account or Opportunity page)
- Export to CSV and Success Snapshots do not honor SFDC Sharing Settings yet. We are working on extending this functionality in a future release.
- Exports in Gainsight do not respect the permissions set in SFDC, so all users will be able to export from Gainsight dashboards, C360, etc.
This tutorial demonstrates how Salesforce’s existing sharing settings can now be honored in Gainsight. Admins can select an individual object in the org and share it with other users. Salesforce provides organization-level sharing settings to set the baseline access for the records, so that you can set the sharing separately for every object. If you want to restrict your users’ access to data of an object, set the object’s Default Internal Access or Default External Access setting as private. This ensures that the records created by you are visible only to you (record owners), and those above your role in the hierarchies. If required, you can extend access to other users by manually sharing the records. Salesforce sharing settings can be accessed at [Click on user profile] > Setup > Administration Setup > Sharing Settings.
For the purposes of this tutorial, two users are created in the organization:
- System Admin 1: Higher in the role hierarchy and hence has full access.
- East CSM: Lower in the role hierarchy and hence has limited access.
As per the role hierarchy, System Admin 1 can view all of the records created by East CSM. East CSM cannot view the records created by System Admin 1.
The following procedure provides you the step-by-step instruction on how an Admin can limit Account records sharing for an end user. Also, we will review how System Admin 1 can manually share records with East CSM.
- Navigate to Profile > Setup > Sharing Settings.
- Click Edit.
- Set the appropriate object as Private. In the following image, the Account, Contract and Asset objects are set as Private. This means that the Account records created by the System Admin 1 will not be visible to East CSM. Basic access will be present for the East CSM to read, create, edit, and delete records that are lower in the hierarchy, but East CSM will not be able to access/modify all the records that are above its hierarchy in the org.
- In Gainsight, navigate to Administration > Security Controls and select the modules where you want the sharing settings to be honored. In the following image, Home Page and Report Builder are selected.
- Navigate to Administration > Report Builder and create a report with the Account object. You can see two records for East CSM(end-user) and System Admin 1(CS Manager). In the current scenario, System Admin 1 ranks higher in the hierarchy and has all of the privileges; East CSM ranks below System Admin 1 and hence should not be able to see records created by System Admin 1 in this org. The following records are visible when the report is accessed from the System Admin 1 user’s profile:
- Total number of records of System Admin 1 = 25K
- Total number of records of East CSM = 2K
- Save the report and add it to the Gainsight Home dashboard.
- Access the same report from the East CSM user.
- Login to the organization as the East CSM user. (For more information on controlling login access, refer to SFDC article.)
- Navigate to Gainsight Home and view the report on the dashboard. The following records visible in the report:
- East CSM = 2K
- System Admin 1 = 0 (no records are shared with East CSM)
When this report is accessed by the East CSM user, there are no records of System Admin 1 present. As the Account object is set as private and the System Admin 1’s profile ranks higher in the hierarchy, the records created by the System Admin 1 will not be visible to the East CSM user
Manually Sharing a Record
Admins can manually share a record with CSMs from Salesforce. Perform the following steps to manually share a record:
- To manually share a record, navigate to the object details in Salesforce. The following image shows an example of account details. Objects can be accounts, tasks, playbooks, and so on.
- Click Sharing. The User and Group Sharing page appears.
- Click Add.
- Search by users and select your desired user.
- Click Save. The object’s records will be shared with the selected user. If East CSM user accesses Gainsight Home, the following report appears:
- In this scenario, three records are visible in the report. The reason three records are visible is because they are manually shared by the System Admin 1 with the East CSM.