Roles + Profiles + Sharing Rules = One Big Mess

Before I undertook a complete re-building of my company’s roles in SFDC, I thought that I understood how user roles worked. I also thought that security settings were simple and easy to understand. That was some highly delusional thinking! During this project, I learned so much about roles, sharing rules, and profile permissions – and made countless mistakes while learning – that I decided it was worth a blog post. In my Before Implementing SFDC post, I barely mentioned the subject – but security settings are a huge consideration and involve some very complex relationships. Here are a few tips that I hope will save you some effort.

1) You do not necessarily need a role for every title. Roles exist to provide levels of access in the form of a hierarchy. Let’s say you have three Sales Team Managers, and you want them to have access to objects owned by each other’s teams, but keep the team members from seeing anything outside of their team’s ownership. You would give all of the managers the role “Sales Team Manager” and then assign separate roles to the users on the teams:

However, if you do not want the managers to have access to any team other than their own, you would set it up like this:

2) The role hierarchy is part of the sharing rules. A user can access objects owned by users in roles below theirs in the hierarchy. Keep this in mind when assigning roles, and when selecting the organization-wide defaults for your sharing rules. “Private” actually means “anyone above me in the role hierarchy can see my stuff.”

3) You can add sharing rules to share access of specific objects with groups, queues, or roles that do not have access in the existing role hierarchy. Let’s say you want your sales reps to have access to leads owned by Marketing. This is the sharing rule you would create:

This would give everyone under the VP Sales role access to leads whose owner has the Marketing Team role – without forcing you to rearrange the entire role hierarchy just to change security settings on one object.

4) Any user who requires access to the entire database should be assigned the highest role in the hierarchy. An SFDC support rep gave me this advice, and it saved me a lot of trouble! Put your System Administrator role at the very top of the hierarchy:

5) “View All” and “Modify All” permissions in profiles will affect your sharing rules. Let’s say you’ve got the System Administrator role somewhere in the Sales role hierarchy, and a sharing rule that grants access to everything owned by users in the VP Sales role hierarchy to each other:

This will cause major issues! (I am assuming that anyone in the System Admin role has “View All Data” and “Modify All Data” enabled in their profile.) Anyone within the hierarchy in the sharing rule now has access to the same data as the System Admin. You must consider profile permissions when you create a sharing rule. Also – and this is a best practice no matter how you look at it – be extremely selective about enabling “View All” or “Modify All” in profiles other than the System Administrator profile.

If you’re only going to remember one thing from this post, here it is: When you look at your role hierarchy, it should have at the top those who require the most access, and work down to those who require the least access. The System Administrator would be the highest role, and users who only access their own objects would be at the bottom (meaning, they should have no roles under theirs).

For more info: SFDC provides useful demos on Managing Users and Security and Customizing User Profiles. Best of luck!

Why we should visit the IdeaExchange

Are you the only Salesforce admin at your company? Most of the time, that will be a “yes.” And most likely, maintaining your database is only one in a long list of job responsibilities. Once upon a time, I was managing a sales prospecting team, handling all of my company’s renewal customers, and maintaining our SFDC instance. Sound familiar? This is when I discovered the Salesforce Customer Community. When I am struggling with an issue and don’t find the answer in the Help and Training documentation, I always turn to the community site. Unless you are the smartest SFDC admin in the world, you can always learn from your peers. There is much more information at your fingertips than you realize, and the community will save you time and frustration.

My favorite part of the community is the IdeaExchange. For a long time, I thought of an “Idea” site as a dumping ground – or perhaps even a cemetary – for feature requests. However, Salesforce actually uses this information to help plan future releases, which gives me the impression that they may actually be paying attention to us! Of course, not every idea can be turned into a feature. But there are so many users – many of them Salesforce support reps – who post workarounds for our issues, that it is always worthwhile to post or promote an idea. My favorites are below, with links so that you can read the entire idea and comments.

One example of an idea that offers a workaround:
Allow Page Layouts to Display Fields from Related Objects
This is a great idea – but thanks to cross-object formula fields, there is also a decent workaround.

Another idea that I really like (and honestly, I don’t understand why it isn’t already there):
Include Date and Time in Reports
This seems silly to me because the date and time show up on detail views (Created By, Modified By, etc.) but in a report you can’t get the time, only the date. The suggested workaround is to create a custom date/time field, and then you will be able to report on it.

How many of you remember when we could not use workflows to trigger other workflows? This idea was just included as a new feature in the Spring 2012 release. It’s awesome! (screen shot below)

One of the areas in Salesforce that I think can still be be improved is workflow rule actions. How about a workflow rule that triggers creation of a record? I’d like to see this feature because it would eliminate the need to write code for certain things. It could be used to clone opportunities, add people to a campaign, create custom objects, etc.

There are so many other ideas I’ve promoted, but I won’t list them all here. A few of my favorites are better drill-down options on history reporting, an ‘Add to Campaign’ button on custom report types, multiple contacts on one activity, and (this one is under consideration) more granular administration.

One word of advice: before posting your idea, search the IdeaExchange in case it’s already there. Most of the things that have occurred to me were posted by someone else – and when that’s the case, be sure to promote that idea to give it more points!

Which ideas have you posted/promoted, and why? Comment with your favorites!

My favorite Validation Rules

Okay, let’s be honest – we can’t always trust our users to enter all of the data that we’d like to have in our database. And I don’t like to place the blame on the user – some of the most spectacular salespeople in the world just aren’t blessed with great attention to detail. This is why validation rules exist. They will trigger an error message when the user tries to save a record with incomplete or incompatible data entry, saving administrators the hassle of checking everything after the fact.

Here are the formulas for some of my favorites, based on real-life needs or complaints of SFDC admins. The formula builder can be intimidating if you are not familiar with writing these kinds of formulas, but it’s fairly easy to learn. Use the “Insert Field” button to replace the sample fields in my formulas with fields of your own.

“I want all US and Canadian states to have the standard two-character state format.”
These formulas are for billing addresses, but can easily be modified for shipping addresses, in contacts as well as accounts. You can also use them for leads, but the field name is “State/Province” instead of “Billing State.”

AND (
OR(BillingCountry = “US”, BillingCountry=”USA”, ISBLANK(BillingCountry)),
OR(
LEN(BillingState) < 2,
NOT(
CONTAINS(“AL:AK:AZ:AR:CA:CO:CT:DE:DC:FL:GA:HI:ID:” &
“IL:IN:IA:KS:KY:LA:ME:MD:MA:MI:MN:MS:MO:MT:NE:NV:NH:” &
“NJ:NM:NY:NC:ND:OH:OK:OR:PA:RI:SC:SD:TN:TX:UT:VT:VA:” &
“WA:WV:WI:WY”, BillingState)
)))

AND (
OR(BillingCountry = “CA”, BillingCountry=”CAN”),
OR(
LEN(BillingState) < 2,
NOT(
CONTAINS(“AB:BC:MB:NB:NL:NT:NS:NU:ON:PC:QC:SK:YT”, BillingState)
)))

“I want a field to have a certain number of digits.”
This formula is useful if you have invoice numbers or customer numbers that are a certain length. It specifies seven digits but is easy to modify.

AND(
ISBLANK(AccountNumber),
LEN(AccountNumber) <> 7
)

“I have a field that only the record owner should be allowed to edit.”

AND(
ISCHANGED( Custom_Field__c ),
Owner <> $User.Id
)

“I have a text field that should only be used if another field is populated.”
I like this rule because sometimes I create text fields for a specific purpose, and then my users fill them with text that belongs in the Description field or elsewhere.

AND(
NOT( ISBLANK( Custom_Text_Field__c ) ),
ISBLANK( Other_Custom_Field__c )
)

“I don’t want an Open case to be allowed to be set back to New.”
Because you never know when someone will decide to make it look like they have not yet received a support case.

AND(
ISCHANGED( Status ),
NOT(ISPICKVAL(PRIORVALUE( Status ), “New”)),
ISPICKVAL( Status, “New”)
)

“End Date cannot be earlier than Begin Date.”
This is a must if you have fields pertaining to the begin and end dates of a subscription product or a service engagement.

Begin_Date__c > End_Date__c

“I don’t want opportunities to go beyond a certain stage without containing products.”

AND(
OR ( ISPICKVAL( StageName, “Stage4″ ), ISPICKVAL( StageName,”Stage5″ ),
ISPICKVAL( StageName,”Stage6″ ), ISPICKVAL( StageName,”Closed Won” ) ),
NOT( HasOpportunityLineItem ), NOT( ISNEW () )
)

“I don’t want an opportunity closed without approval if it is above a certain amount.”
This will only work if you have an approval process in place. Another easy way to monitor opportunities of large amounts is to create a workflow rule that sends an email notification when these opportunities are created and/or edited.

AND(
OR(
ISPICKVAL(StageName,”Closed Won”),
ISPICKVAL(StageName,”Closed Lost”)),
(Amount > 500000),
NOT(ISPICKVAL(Approval_Status__c ,”Approved”)))

“I want to prevent discounts above 40 percent.”
This is only useful if your maximum discount is carved in stone. Nobody can get past an active validation rule, not even us admins! Note: it needs to be used on the opportunity product rather than the opportunity.

Discount > .40

“I have a picklist value of Other, and I want to require additional info when that value is selected.”
In some cases, you can use field dependencies instead of a validation rule for this situation. But when that is not ideal, this formula will do the trick.

AND(
ISPICKVAL( Reason, “Other” ),
ISBLANK(Other_Reason__c)
)

“If Custom Field #1 has a value of Abcxyz, then Custom Fields #2 (date field), #3 (text field), and #4 (lookup field) must be populated when the opportunity is set to Closed Won.”
This is a complicated one – I’m adding it because I had to write it myself, and it took me forever! Sometimes there is information that should only be mandatory in some opportunities – and this formula will help you if you cannot confine those opportunities to a single record type. Note: remove the 2nd line of the formula if stage doesn’t matter.

AND(
( ISPICKVAL( StageName , “Closed Won” ) ),
( ISPICKVAL( CustomField1__c , “Abcxyz” ) ),
( OR (
ISNULL( CustomField2__c ), ISBLANK( CustomField2__c ), ISBLANK( CustomField3__c )
) )
)

These are just a sampling of validation rules that you may want to consider. You can find many, many more here. I’m not gonna lie – I stole a lot of mine from the Help & Training. I hope I’ve saved you a little bit of effort. Please feel free to comment with your favorites. You may be able to help the rest of us!

Before Implementing Salesforce.com…

Did you spend enough time planning the setup of your Salesforce.com instance? If you are like most of us, you did not. Most likely, you needed a database long before the purchase went through and now you’re in a hurry to get your data uploaded. You may not want to hear this right now, but you need to slow down. With the right pre-upload planning, you can avoid costly, time-consuming data cleanup – and I don’t mean a weekend’s worth of work. I’ve seen databases that require enough cleanup to keep an admin busy for years. So if you’re lucky enough to be starting from scratch, do yourself a favor and keep reading. And if you’ve already inherited someone else’s messy database, keep reading anyway – we can all learn from the mistakes of our predecessors.

Learn the language and the layout. Make sure you know what SFDC means by Lead, Contact, Account, Opportunity, Product, Asset… you already know what those things mean in your organization, but it’s crucial to understand how your database treats them, and how they relate to one another.

  • Leads vs. Contacts – The most common mistake that I’ve seen is the tendency to mass create accounts and contacts from a spreadsheet of – well, contacts! SFDC’s “Contact” is really referring to a customer contact, or at least a potential customer. Every Contact should begin as a Lead. The most important reason for this is tracking.
  • Lead Conversion – Remember how I just said tracking? If you begin with a Lead, you are on the right track. When you convert a lead, what began as a single piece of information is turned into an Account, a Contact, and an Opportunity – and what makes this so important is, there are reports you can run to track a customer from the Lead through every stage of the Opportunity in your sales process. If you create an Account from scratch, and add a Contact and an Opportunity to it afterward, you lose that level of reporting ability.

Know what you will need to track, long-term. Many objects (accounts, contacts, leads, etc.) in SFDC allow you to track the history on any field on that object. This means that you will be able to run reports on changes made to those fields. Some of the most common are in Opportunities – it’s good to have a recorded history of changes made to the Close Date or to the Amount. Decide now what to track – and it’s better to choose more than less. You can always end the tracking of a piece of info, but if you decide down the road that you wish you’d been tracking, say, changes to the “Billing Address” field in your Accounts – you’ll be out of luck.

Speaking of fields… There are several things to consider carefully in relation to fields. Of course, many are standard – Accounts have fields for the account name, address, phone number, fax, website, etc. There are many other standard fields that you may or may not need. (You can add or remove fields from page layouts as necessary.) You can also create custom fields – but ask yourself these questions first!

  • Is there already a field that can give me this info? Look closely at all of the default fields that you already have – it’s easy to go overboard with custom fields and just create clutter.
  • What type of info will my custom field contain? I cannot emphasize this enough: choose the right field type the first time! There are several types of text field. There is a field type of date, and one of date/time. There are picklists, and multi-select picklists. Let’s say you created a custom field that was a picklist (where you have to select a single option from the list). Years later, after that info is populated in thousands of records, you decide you need it to be a multi-select picklist so that your users can select more than one thing from the list. You can change the field type… but all of the existing data in that field will be erased when you do.
  • Should this field be required? Whether or not to make a field mandatory doesn’t seem like a big deal now. However, what if you don’t make a field mandatory – and later on, you change that? Not a big deal. Unless you run reports based on that information and realize that it is missing from all of your previous records, leaving you with incomplete or inaccurate reports.
  • How could future events change the way we use this field? This relates to all of the above points. If you are creating a picklist field, you’ll want to make sure that the values on the list will be relevant later on, perhaps as you add more to the list. If you are making a field mandatory, if you are making a text field a certain length, etc. – think about whether that will continue to make sense. You may not be psychic, but what if you knew that next year your company would release a brand new product and expand its marketing efforts? That info can shape the decisions you make about setting up your database.

Know your sales process. Do you have a rapid, simple sales cycle that only requires 3 or 4 stages of an Opportunity? Or is your process so complex that a potential sales deal generally goes through a dozen stages between qualifying and closed? Opportunity stages are fully customizable – it’s up to you to make them fit your unique process. You may want each Opportunity stage to have a set probability percent, or you may want the two to be independent of each other. You may need certain fields to be required only if the Opportunity has reached a specific stage – for this, you’ll want to put validation rules in place.

Know your users. Think about this before creating users in your SFDC instance. Who should have access to certain info, and how much access are we talking about? FYI – when you create custom fields, you can set what’s called “field-level security” based on user profiles. There is also a feature called “permission sets” – one of my favorites – that will allow you to add specific permissions to an individual user rather than setting them for an entire profile. What this means is, there is no need to create a ton of profiles that have very minor differences. Look at the profile permissions, and the standard profiles that SFDC provides, and map out which users will need certain profiles. This will save so much future cleanup!

Know that your data will not manage itself. How are you going to ensure data accuracy going forward? Will your database require minimal maintenance, or do you need someone to manage it on a daily basis? This is different for every organization, but really has nothing to do with the size of your company. Make sure you have a plan in place, and make at least one person responsible for data cleansing and updating. Keep up with the latest releases and make use of SFDC’s many support and training resources.

There’s no way I’ve covered absolutely everything you will want to think about prior to your SFDC implementation. (Come on, I’m not writing a book here!) These are just the things that I think are most crucial as a starting point – many of them things that make me shake my head and say, “I wish we had done it that way.” Hopefully you will be one of those that say, “I’m so glad we did it that way!”

We use cookies to ensure you get the best experience on our website. By continuing, you consent with our privacy and cookie policy
Accept