Declarative Sharing

8. 1.6- Community Users Security - Part 1

This is section one, declarative sharing, and this lecture is about community user security. The topics of this lecture are community overview; community user licenses; external sharing settings; record access and sharing roles; advanced sharing; sharing sets and shared groups; and finally, super user access. At its most basic level, a community is simply a group of people who share a common mission or goal. You can define what collaboration model best fits your needs. In other words, a community is simply an extension of your salesforce.org. To explain communities in Salesforce, we can look at the image on the right side. As you can see, this image has your internal salesforce.org on one side, and your internal users use it to log in using login salesforce.com. And then, on the other hand,we have two community options. First, we have the Customer Community, which enablesyour customers to collaborate with your internal teams,like, let's say, the support team. Your customers can create cases and edit them on the community, and at the same time, your internal team can also create cases on behalf of your customers who can also access these cases from the community. Second, we have the partner community, which enables your partner channels to become more collaborative. For example, they can create leads and opportunities that are visible to your internal team. So, in conclusion, a community is simply a part of your salesforce.org that is visible and accessible to your external users, like the customers and partners. You can choose what objects to expose in the community, like cases, like leads, like opportunities, and whatrecords that will be available to the community users. There are many different licence types for Salesforcecommunity users, but I will be explaining the main basic types, which are three. All three types offer the following chatter: activities and tasks, baseline, standard objects, and some custom objects and knowledge. Note that this is based on the current offeringby Salesforce and it can change at anytime, though I haven't seen major changes to these three base licenses. But you never know. The first step is the Customer Community License,which is used for customer community for up to 10 million external community users. This licence can access the case object, and it can also access other base objects like that count and the contact. This licence has a very limited sharing model. There are no rules, no manual sharing, and no sharing rules. And of course, no apex sharing because it can support up to 10 million users. No rules can be created and the main reason for that is that, as we have seen before,more rules means more system groups created by Salesforce and more calculations will be needed in the background to determine the record access. The only way to share records is through sharing sets, which we will explain in detail in this lecture. The second type is the Customer Community Plus license. This type of licence is used for up to 2 million external community users. This licence can access the case, object, and base objects like the account and the contact. And on top of these objects, repos and dashboards are also available in this community licence type. When it comes to the sharing model, roles, and advanced sharing like manual sharing,sharing rules, and Apex Sharing, they are all available. And finally, we have the partner community user license. As the name implies, this is a community licence for your partners as opposed to your customers, meaning that it should give access to some sales cloud objects. The extra feature that this licence offers,in addition to the Customer Community Pluslicense type features, is the access to these sales objects, campaigns, leads, and opportunities. Otherwise, it has almost the same features as the Customer Community Plus licence type, up to 2 million external community users, access to thebasic objects, and access to reports and dashboards in addition to the sales cloud objects. And finally, roles and advanced sharing are all available. Now that we know about the different types of community licenses, this is a rough guide that lets you know which type of licence to get. For that, ask yourself some questions. First of all, the first question to ask is: do your community members need access to leads, opportunities, and campaigns? If the answer is yes, then you need the partner community licenses. If the answer is no, then you have to ask this question: Do your community members need access to reports and dashboards, to delegation, to content libraries, and to advanced sharing? If the answer is yes, then you probably need to buy some customer Community Plus licenses. And if the answer is no, then you will need to buy some customer community licenses. This is all taking into account that the number of external users would be less than 2 million. If the number is more than 2 million,then you will need a customer community license. These are the steps that are needed to create a community and then add users to it. First, enable communities and the.org from the setupmenu and set a community domain name. Second, create a new community and choose the template. And then, of course, this community should be fully configured. The final step is to create the community users. To do so, first make sure that you have an accustomed community user profile because it can be edited. and then enable the contact as a community user. This is done from the contact page. So we have to go to a contact and then we have to click on enable this contact as a community user. And then we need to assign a user licence and a profile to this new community user. And now the community user has a lookup contact who has a lookup for that account. To enable a partner user, roughly the same steps should be followed. But what's different here is that we need to enable an account as a partner first and then enable the contact that belongs to this account as a partner user. All other steps are the same as for the customer community user. And finally, we need to make sure the profile is part of the community. And to do so, we have to go to Setup and then we have to go to all communities. We have to choose the community that we did configure and then we have to go to the workspace next to the community. Click on Administration and then click on Members. And on this page you can add the profiles that are part of this community. Now let's jump to Salesforce to explain the licences and profiles and then we will start building our community. First, let me show you the licences that I have. For that, we need to go to the company information link and then you can see that I have 20 customer community licenses, 20 customer community plus, and then I also have 20 partner community licenses. Now let's create three customprofiles for these three licenses. For that we have to go to the profilelink and then, as you can see, for each one of these licences I have a profile. So you can see that I have a profile for the customer community user. I have one for the customer community plus user and, of course, I have one for the partner community user. Now I can use these profiles when I want to build my community, but because they are standard profiles, I cannot edit them. So, that's why let's clone them. So let's start with the customer community user. And then, as you can see now, I have three custom community profiles. So I have this one, this one and this one. Now if I click on, let's say, thepartner community user profile, you can see that if I scroll down, you can see that there are different permissions for different objects. So as you can see, I have access to all of these objects because this profile has a licence that allows this access. As can be seen, I have access to the lead, object, opportunity, and order. So these are mainly sales items. Now if I go to the customer community profile, you can see that these objects don't exist. I can access the account assets case, but I cannot access the opportunity, lead, or campaign. Now let's enable the communities. For that, we need to go to the community settings and then we need to check this checkbox and then we need to specify the domain name. So for that, I will choose this one and then we'll check if it exists. Yes, and then save. As you can see, it is now enabled. So now I can go ahead and start creating my community. To do so, I need to click on New Community. And the first step is to choose from one of these templates. The most popular one is the customer service template. So let's pick this one. Let's call it the support community. Okay, so as you can see now, the community is up and running. We have to go to the builder to see the look and feel of this community. So, as you can see, what you see is what you get. So, which means that if I change something there,I can see it live on the page. So let's first add some objects to this community. For that, I will click on this navigation menu, edit, and let's add the case object. We'll also add the opportunity object. As you can see, I have these two objects exposed to the community. But of course, I need to configure my sharing and page layouts and all of that for community users to be able to access these objects. So now what I will do is click on publish. So, in this case, the community will be published, and let's also add the profiles to that community. For that, we need to go to the administration, and then we need to go to the members, and we need to add the profiles. Okay, now we have to click on Save, and then we have to activate the community. Okay, now what we can do is create the users. For that, we have to go to the accounts in question. As you can see, I have created three customer accounts and two partner accounts. Let's go ahead to the customer A account and, as you can see, I have five contacts. So now I have to click on any one of them. And then on the top right, I can click on Enable customer user. So this will convert. It will create a user that will be associated with this contact, and this user will be able to log in to the community because we have added the profile of the community. So we have to make sure that the profile of this user is the one that we have added to the community. Let's do that. As you can see, this is just like any new user page. I need to specify the email, the username,the nickname, the license, and the profile. And of course, all of the other fields. Let me follow the same username pattern that I have. Okay, so I would call this one a one at SDPEprep and then I will use my email and now I can choose a profile, I can choose my first license. So this will be a customer community license, let's say. And then the profile will be the custom profile that we have made. And as you can see, the address will be taken from the contact address, which is taken from the account address. You can also check this checkbox for the user to get a new password and reset email. I will do the same for the others. But now let me do one for the partner. So let's go to partner A and what should I do now? I should not jump to the contact. I should first enable this account as a partner. To do so, I need to use this action. Now this account is enabled. As a partner, I can now disable it. Now I can go to each one of its contacts to make them partner community users. I can choose from these two options. But now let's choose the enabled partner user you.And that's it. So now I have two community users. Let me check my emails. As you can see, now I can log into the community. So this is the partner one contact, and I can do the same for the other. So I can click on cases. I can now create new cases and so on. But you know, remember that this is still not configured. Of course, I need to configure the pagelayout, I need to configure the object level security, the sharing and all of that. Once you enable community, you get more sharing settings. For community users, the Owd will have its own settings. This is now the default external axis. As you can see, on the right side I have the default external axis, which is the one that is only specific to the community users. And this is totally independent from the default OWD. Internal Access To configure the external sharing model, we have to go to the sharing settings and setup. And just like the internal OWD for each object,the available access levels are private, public read only,public read, write and controlled by parent. And finally, a very important point. The default external access level must always be more restrictive or equal to the default internal access for each object. There are also two settings that control which users are visible to a community user. These two settings are two checkboxes. The first one, the Portal user visibility, Community users in the same customer or partner portal account can see each other regardless of the OWD if this option is enabled. And the second one is community user visibility. If enabled, community users and the same community can see each other's regardless of the Owd. As a summary for users' visibility and communities' visibility, if both community user visibility and portal user visibility are checked, then community users are visible only to themselves and to users higher in the road hierarchy who are members of the same community. If only the Portal user visibility is checked, then community users can see other community users in the same account and in the same community. If the community user visibility is checked and regardless of whether the portal user visibility is checked or not,then community users can see all other community users even if they don't belong to the same account. There are also other settings in the sharing settings for community. One example is the granting of community users access to related cases. When checked, users with Customer Community Pluslicense can view and edit cases in which they are listed as the contact. Now let's jump to Salesforce to see the external sharing settings. As you can see, I will go to the sharing settings and, as you can see, I now have this column that I can edit. So now I have an independent OWD for external users. So this means it's for the community users. So, as you can see, I can change that. So if, let's say, we go to thecase, you can see it's set to private. I cannot see this as being more than that. I cannot say that it's public read only. If I save, it will not let me. So I need to make it private because it can not be more than the one on the internal OWD. Let's do something. Let's make it public heat only and public heat only for this. So what will happen now? I have cases where public heat is only for both. Now, if I go to the community and I click on all cases,you can see that this user can see all of the cases. If I go back to the settings and then, let's say I make it private, and then go back to this page and refresh again, So I don't see any cases right now. So this is mainly the external OWD. What I can also change: I can change the portaluser visibility and the community user visibility again. This will allow me to see the users of my account. This will allow me to see the users of the whole community.

9. 1.6- Community Users Security - Part 2

Now let's talk about how to open up record access to community users. Through sharing Community users can see records that they own and records that they have access to. Access to other records can be granted via different types of sharing mechanisms like sharing rules and sharingsets, depending on the licence type and which sharing mechanism is available for this licence type. This table shows you what each licence type can be used to do. Sharing the basic Customer Community licence gives you access only to sharing sets to operate access to community users based on their account or contact record and share groups to share records owned by community users with other internal or external users. The more advanced but more expensive Customer Community Pluslicense gives you sharing sets plus a bunch of more advanced sharing tools like a super user, manual sharing, road hierarchy, and sharing rules. For much more advanced sharing requirements,Apex Sharing can also be used. Finally, the partner community licence is the most expensive, and it gives you access to the same sharingtools as the customer community plus license. In addition to team sharing, these are accounts, cases, and opportunities. Team Sharing and finally, out of box sharing are available by default to any user. This is mainly access to records based on ownership and based on Owd. Now, let's go through each of these sharing options. We will start with out-of-box sharing. Out of box sharing means that the record is accessed through record ownership or through OWD. When this is used, Well, out of box sharing is used when the object's Owd is something other than the least restrictive, which gives read or edit access to records for all users. It is also used when a user is the owner of a record. How to configure it? Well, nothing should be done here. As its name implies, it is out of the box, meaning that no direct configuration is needed. You just need to set the external OWD. And as you can see, this is available for all three licence types. Then we have roles and Advanced Sharing.Roles are used when a partner or Community Plus user needs to access more records via role hierarchy when the user is in a role above the owner's role. And advanced sharing is used when we need to share records with either internal or external users. Roles can be configured through the road hierarchy and advanced sharing can be configured using a bunch of sharing mechanisms like sharing rules, which are criteria-based and ownership based.And for even more advanced requirements, we can use Apex Sharing. As we will see later in another lecture, this is available only for Customer Community Plus and partner community licenses. Team sharing, as we have seen, is the ability to add users to teams to collaborate on accounts, opportunities or cases. Team sharing is used when a community member needs to access certain accounts, opportunities or cases as part of a team. Team sharing should first be enabled, and then community users can be added to teams, and role and access level should also be defined. I will not go into detail about team sharing in this lecture as it has its own lecture,but what you need to know is that team sharing is only available to partner community users. Next, we have sharing sets. Sharing sets are used when the community user needs to access more records associated with their account or contact. To configure it, access mapping should be added to the sharing set in question. Let's say we have cases and, as you know, cases have a lookup to account and, at the same time, the community user has a lookup to contact which has a lookup to account. So to share these cases that belong to the same account of this community user, we can use sharing sets. Then we have Shared Groups, which are used to share records owned by community users with internal or external users. A shared group is activated from an existing sharing set by clicking the Share group settings tab. It is only available to customers with a community user license. And finally, we have Super User Access, which is used when a specific community user needs to access more records on the same account. Its configuration is different depending on the user. For a partner user, first the partner superuser setting should be enabled in the community settings and then the superuser setting should be enabled via a partner user's contact record. For a customer community plus user,it is configured via a permission set. Superuser access is only available to both partner and customer community plus licences and is not available to the customer community license. Now let's talk in detail about these sharing techniques. We will start with roles and advancedsharing that are only available to partners and to the customer community, plus licenses. Up to three roles can be configured: executive, manager, and user, but the system default is one, which is the user. The number of rows can be changed from setup, community settings, and community settings. Other settings can also be changed, like the partner super user and many different other settings. To avoid role proliferation, it's better to use one role only and grant super user access to those users who need access to other users' records. To apply a role to a community user, first a contact should be set as a community user, and then after creating the user and setting a licence and a profile for this user, you can edit the user and now you can access the role. The role picklist can contain up to three different roles depending on the settings. Note that the account owner must have a role so that the new community user role will be under the account owner role or you will get an error. What I mean by account is the account that the community contact belongs to. Why is this required? Well, because a community user can have up to three roles: manager, executive, The user role sits under the manager, and then the manager role sits under the executiverole, which sits under the account owner's role. When it comes to sharing, community roles can be used in sharing rules. And when setting sharing rules, community roles can be found under Porter rules. On top of that, community roles can be used as a criteria to specify records to be shared or as the users to share records with. It is unnecessary to say that we can add community user roles to groups and use these groups and share rules. Finally, we have to remember that role-sharing rules are only available for Partner and Community Plus licenses. Another way to share records is through Apex Sharing. As per the other advanced sharing mechanisms, apexSharing is only available to customer community pluslicenses and to partner community licenses. Apex Sharing is not part of this lecture,but it will have its own lecture, and then we will talk in detail about it. Now, let's jump to Salesforce to see the external sharing settings. To start, let me show you the list of users that I have. As you can see, I now have a long list of users. I have so many community users. In fact, I have three accounts that were used as customers: Customer A, Customer B, and Customer C. A and B are using the Customer Community license, and C is using the Customer Community Plus license. And then I have two partner accounts. Partner A and Partner B. Partner A and Partner B are using the partner license. Now, if I go back to the community settings, you will see that this is where we specify the number of roles. I have two options. The first option is to specify the number of customer roles. This is only applicable to the customer community plus licenses. And this is applicable to the partner licences as well. I will leave it at one, but you can make it one, two, or three. So in this case, when you create a community user, you can specify an executive, manager, or user. Now, let me show you how these users report to the owner of the account. So I will go back to users and then I will click on any user that is using the Customer Community Plus license. So in this case, I need to go to Customer C As you can see, the role is set to Customer User. So if I click on Edit, you can see that. Now I can play this role. And because I have only one role, I can only use it. I am unable to play any other role. But if I go and I make the number of roles three, I can choose three different roles instead of one. So what happens if I click on this role? If I click on this role, you will see the details of this role. You will see the users that are associated with that role. And then this is important. You will see that this role reports to this internal role. Well, why is that? Because the account is owned by auer, that is part of this role. So let's see it in detail. You can see that this role is called Western Sales Lead. So now if I go to any of these users, you can see that it has a lookup to the contact. Remember, this contact is where we created the user. So we went to this contact and then, from this contact, we created this community user. Now this contact is part of an account. You can see that this is the account and that this account is owned by a user. If I click on Roy, you can see that role. You can see that Roy is playing a part in this role.This means that all community members who use this account report to that role. Now let's go to the sharing rules. So I will go to sharing settings and let's go to the case object and then let's click on New Sharing rule. So, as you can see now, I can use both of these two types. Let's go to the first one. You can see now I have Porter's Sands Porter Rows and somehow in it. And then I can use this. I can use these two and this step or in that step. So I can use this role to specify that I want the records owned by users of this role to be shared with another entity. We have three different accounts. We have one customer Community Plus account,one partner account, and another partner account. And then we can also share. Let's say I want to share this. I can also share it with a porter role. Okay, so the first one is the account name, but for some reason it's displayed as the ID. So this is the ID of the account. And then, as I said, these can be used in both step three and step four. So I can use them to specify the recordor. I can use them to specify the target. And of course, I can add themes for the partner community users. So let's go to the account. And if I go to the teams, you can see that I can add a team member. You can see that I can also add partner users. And finally, let's talk about manual sharing. So to do that, I need to switch to the classic interface. Let's go to Account, choose this account, and then click on Sharing Add so I can share this with Porter roles. Now let's talk about sharing sets. Sharing sets are used to grant community users access to other records that are related to their accounts or contacts. To understand sharing sets, an example is required. As we mentioned, a community user has a lookup to a contact who has a lookup to an account. On the other hand, a case has a lookup to an account with sharing sets. We can share these cases with the community users. How? Well, by relying on the account which is common between the case and the user. In other words, sharing sets will share all cases that have a lookup to, let's say, account a with all community users that also have a lookup to account a. In this case, these community users can access these cases. This is another example where a community user has a lookup to a contact which has a lookup to an account. At the same time, an entitlement record has a lookup to this same account and a case record has a lookup to this entitlement record. So the account is a common lookup between the community user and the case via the entitlement. In this case, we can use sharing set to share the cases that have a lookup to this entitlement that in turn has a lookup to the account. These cases will be shared with the community users that have a lookup for the same account. This is the list of all objects that can be used with sharing sets. As you can see, we have accounts, we have assets, we have campaign case contacts, we have individuals,we have lead opportunity orders, services, appointment services, contractuser work orders, and also custom objects. On the other hand, share groups allow you to share all records owned by customer community users, and these records can be shared with other community users or with internal users. Each shared group has shared group members that get access to the records owned by the customer community users, and shared group members can be public groups, roles, territories or users. Why is a shared group needed when many-record access capabilities are available in Salesforce? Advanced sharing capabilities are not available for customer community licence users because they require a role within the salesforce hierarchy and, as we know, customer community licences do not have a role. You can't set a shared group until you have a sharing set and shared groups apply across all communities and the org Now let's jump to Salesforce to show you sharing sets and share groups. To configure sharing sets and share groups, we have to go to community settings and if I scroll down, you can see that I have a section for sharing sets and within it I can define the share groups. So I click on you and then I need to give a title. So let's share the cases with the community users. So, in this case, the common lookup will be the account. So in any case that has a lookup to configure sharing sets and sharing groups, we have to go to thecommunity settings and if I scroll down you can see that there's a section for sharing sets where I can configure the sharing sets and then within each sharing set I can configure a shared group. So let's call this "sharing cases with community users." This will be based on the account, so anycase that has a lookup to, let's say accountA, will be shared with the community users that have a lookup to the same account A. Then we have to specify the profiles. So let's go to all of the custom profiles that we have and then we have to specify the objects. So let's say the case. Now you can see that I have an accessible that I need to configure for this case. I need to click on setup and there I need to select the mapping so the user has a lookup to the contact who has a lookup to the account and then the case also has a lookup to this account, which means that any case that has a lookup to the account that a community user has also has a lookup too will be shared with that user. And then I can specify the access level. It can be read only or it can be read and written. Click on Save. So the sharing set is now done. Now if I go down and then if I clickagain on this one, you can see I have another tab for the share group. I need to activate it. And now we have to click on Edit. So there we have to share the records owned by the community users with which entities. We can specify the entity that will have access to the records owned by the community users. So I can say roles and subordinates and then I can choose the highest role. In this case, all of the records owned by any community user will be shared with this role and with the subordinates, which means that all of the roles will have access. The final piece that should be covered in this lecture is super user access. As you mentioned, super user access gives a specific community user access to more records on the same account. It is available for partner community and customer community plus users, but it's not available for the customer community user license. And enabling it to a partner community user is different from enabling it to a customer community user. As we will see, for partner superuser access to be enabled, first you have to go to the community settings page and check the enabled partner superuser access in there.The second step is to go to a specific user's contact record and enable the superuseraccess over there using a quick action. Note that you will not see the enabled superuseraccess quick action on the contact if you don't enable the superuser access in the community settings. Also, a partner community user should be created first. And finally, the super user access for partner users opens up access to the records of the following: case, lead opportunity, and custom objects. There are three different access options for the super user depending on the role. As you are now aware, We can have up to three different roles: executive, manager, and user for the Partner executive role. A user with this role who has super user access can now access data owned or shared by all Partner users and Partner super users in the same role, as well as Partner users with Manager and users roles below the Partner manager role's hierarchy. A user with this role who has super user access can now access data owned by or shared with all partner users and partner super users in the same role and partner users with user roles below them in the hierarchy for the partneruser role A user with this role who has super user access can now access data owned by or shared with allPartner users and Partner super users in the same role as the Community Plus Super User. This is enabled through permission sets, and the permission set in question is called Portal superuser. This Superuser access lets a customer communitypress user have this extra access. All cases can be viewed, edited, and transferred by a single person. Second, make contact cases. three view and edit all contacts, related or unrelated Four, view account details when they are thecontact on a case, and five, report all contacts, whether portal enabled or not. And if the repos tab is added to your community and the user has the run repos permission, Now let's go to Salesforce and show you how to configure Superuser. We will start with the Partner super user.So in this case, we have to go to the community settings and, as you can see, I have to check this box to enable partner Super User Access Now let's go to the list of users and we have to choose a partner user. So let's go to partner B, CONTACTB five. As you can see, this user has a lookup to contact and from this contact we can enable the superuser access. We can do that from a quick actionable Superuser Access Once we do that, this user will have access to all cases, to all leads, and all opportunities for the account that he belongs to. Now let's do the same, but this time for the Community Plus license. For that, we need to create a permission set and we have to specify the license. So, in this case, it will be a Customer Community Plus license. Now we can assign this to Community Plus users. So let's say that we want this customer C and then contact C one.So now in this case, this user will have the extra access granted to him by the customer community Blasteruser Access, and that's it for this lecture. In this lecture we talked about Salesforce Community, which is simply an extension of a salesforce.org.We talked about the different types of licenses. Customer community, customer communityplus, and partner community are all available. The Customer Community License gives access to up to 10 million users, but it doesn't have any roles or any advanced sharing. The Customer Community Plus gives access to up to 2 million users, but it also has access to reports and dashboards,and it has access to roles and advanced sharing. The Partner community is exactly the same as the Customer Community Plus, but it gives access to sales objects like campaigns, leads, and opportunities. So, as a summary of the community sharing and access options, this is what each licence can offer. The basic Customer Community License gives you access only to sharing sets to open up record access to community users based on their account or contact record,and to share groups to share records owned by community users with other internal or external users. The more advanced but more expensive Customer Community Pluslicense gives you sharing sets plus a bunch of more advanced sharing techniques like the Superuser Access Manual, sharing, role hierarchy, and sharing rules. For much more advanced sharing requirements,we can use Apex Sharing. And finally, the Partner Community License is the least expensive, and it gives access to the same sharing tools as the Community Plus license. On top of that, it gives access to team sharing. And finally, as usual, thanks for watching.

ExamSnap's Salesforce Certified Sharing and Visibility Designer Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, Salesforce Certified Sharing and Visibility Designer Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.