
Identify Key Roles and Permissions

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify the key roles involved in managing the archiving process.
  • Identify important permissions required for key roles.
  • Describe how permission sets and security features in Archive control access to archived data.

Key Roles in the Archiving Process

Effective data archiving is not just about moving data; it’s also about ensuring that the right people have the right access at the right time. Understand the key roles and permissions involved in the archiving process to make sure that your organization’s data remains secure and accessible to the right people.

Business Owner

While the business owner is not a defined role in your Salesforce system, it’s one of the most important roles to identify in the archiving process. The business owner is the primary stakeholder and the person ultimately responsible for all of the data. This role defines the business needs and compliance requirements for archiving. They work closely with sys admins to ensure that the archiving strategy aligns with the organization’s goals and regulatory requirements.

Sys Admins

Sys admins play a crucial role in setting up and managing the archiving process. They set up the Authenticated User account; work closely with stakeholders to define archiving and purging policies; manage the technical configuration for Salesforce integration; audit archive job performance and adjust policies as needed; ensure compliance with regulatory requirements; and manage end user access by creating permission sets (or adding existing ones to user accounts).

Authenticated User

In Archive, the authenticated user refers to a system user account. This is typically a single, dedicated account with specific permissions designed to facilitate the technical connection between Archive and the Salesforce org. The account is created and defined by the sys admin and has the necessary system permissions to query Salesforce records, access and move data between Archive and the Salesforce production org, and perform system-level operations required for archiving.

End Users

End users are the individuals in your organization who need to access archived data for various business needs, such as historical referencing, reporting, or compliance audits. Their primary role is to view and search for archived records to retrieve the required information when needed.

Permissions in Archive

Matt, our Salesforce admin at Cumulus Cloud Corporation, has learned a lot about how to use Archive to manage his company’s archiving process. He’s identified key roles within the company, and knows which stakeholders he needs to work with for optimal success. Now, he needs to figure out the right permissions so that the right people have the right access to the data they need at the right time.

Matt is already familiar with Salesforce permission sets, which are collections of settings and permissions that grant users access to specific tools and functions. Salesforce permission sets extend access beyond a user’s profile permissions, without modifying the core user profile. Permission sets, along with some additional security settings, play an important role in ensuring that Archive users can access the data that they need.

Let’s look at some of those permissions now.

Sys Admin Permissions and Considerations

Typically, sys admins require a comprehensive set of permissions with full access to configure, set up, interact with, and manage the Archive product in a Salesforce org. This ranges from setting up archiving policies to monitoring and managing archived data. The exact permission sets that are required for this role vary depending on the specific Salesforce implementation.

The primary permission sets required by the sys admin role are Salesforce System Admin Profile and the Archive Admin Permission. These provide comprehensive permissions for managing the Archive application and come with several included permission sets. Additional permissions that might be required include the Archive Analyzer permission, which grants read access to the entire archive, and the Archive Policy Permission set, which provides delete capabilities.

Sys admins can also create and assign permission sets to other roles to control access to archived data. These permission sets define which users can view, manage, and unarchive data.

Field-Level Security

In addition to permission sets, sys admins need access to Field-Level Security (FLS) settings. Sys admins use FLS to prevent access to specific fields and make sure that users see only the data they are authorized to access.

Sys admins configure FLS to protect sensitive information within archived records. FLS settings are especially important for compliance with data privacy regulations. By carefully managing FLS, sys admins can maintain the integrity and security of archived data while ensuring that end users have the necessary access to perform their tasks.

Authenticated User Permissions

Authenticated users have specific permissions to access and manage archived data. Sys admins define these permissions, which can include the ability to search, view, and unarchive records.

The required permission sets for an authenticated user depend on the specific implementation. The primary required permission sets are Salesforce System Admin Profile and the Archive Admin Permission, as these provide comprehensive permissions for managing the Archive application and come with several included permission sets.

Authenticated users also require the following permissions:

  • Modify All
  • Bulk API
  • Query All Files
  • Set Audit Fields upon Record Creation
  • Update Records with Inactive Owners

When setting up field-level security, it’s recommended that sys admins grant the authenticated user role permission to access all fields of an archived object. You can prevent the authenticated user from viewing some fields, but if the authenticated user doesn't have read access to a field, the associated field values won't be included in the archived records.
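The following is an added example, not Salesforce code or part of the original module: a pre-archive audit that lists fields the authenticated user cannot read (and which would therefore be missing from archived records) and sensitive fields that an end user permission set can read. The rows are constructed and shaped like results from the Salesforce FieldPermissions object; the permission set IDs, field names, and the sensitive-field list are hypothetical.

```python
# Added example: field-level security (FLS) audit before archiving.
# All data is constructed. Rows mimic FieldPermissions query results; a field
# with no row, or with PermissionsRead False, is unreadable via that set.
FIELD_PERMISSIONS = [
    {"ParentId": "PS_AUTH_USER", "SobjectType": "Case",
     "Field": "Case.Description", "PermissionsRead": True},
    {"ParentId": "PS_AUTH_USER", "SobjectType": "Case",
     "Field": "Case.Reason", "PermissionsRead": True},
    {"ParentId": "PS_AUTH_USER", "SobjectType": "Case",
     "Field": "Case.SSN__c", "PermissionsRead": True},
    {"ParentId": "PS_END_USER", "SobjectType": "Case",
     "Field": "Case.Description", "PermissionsRead": True},
    {"ParentId": "PS_END_USER", "SobjectType": "Case",
     "Field": "Case.SSN__c", "PermissionsRead": True},
    {"ParentId": "PS_END_USER", "SobjectType": "Case",
     "Field": "Case.Reason", "PermissionsRead": False},
]

# Hypothetical permissionable fields on the archived object.
CASE_FIELDS = ["Case.Description", "Case.Reason",
               "Case.SSN__c", "Case.Internal_Notes__c"]
# Hypothetical list of fields the business owner classified as sensitive.
SENSITIVE_FIELDS = {"Case.SSN__c"}


def readable_fields(rows, permission_sets, sobject):
    """Fields readable through ANY of the given permission sets (access is additive)."""
    return {
        r["Field"] for r in rows
        if r["ParentId"] in permission_sets
        and r["SobjectType"] == sobject
        and r["PermissionsRead"]
    }


def archive_gaps(rows, auth_user_sets, sobject, object_fields):
    """Fields the authenticated user cannot read, so their values would not be archived."""
    readable = readable_fields(rows, auth_user_sets, sobject)
    return sorted(f for f in object_fields if f not in readable)


def exposed_sensitive(rows, end_user_sets, sobject, sensitive):
    """Sensitive fields an end user can read through the given permission sets."""
    return sorted(readable_fields(rows, end_user_sets, sobject) & set(sensitive))


if __name__ == "__main__":
    print("Not archived:", archive_gaps(FIELD_PERMISSIONS, {"PS_AUTH_USER"}, "Case", CASE_FIELDS))
    print("Exposed:", exposed_sensitive(FIELD_PERMISSIONS, {"PS_END_USER"}, "Case", SENSITIVE_FIELDS))
```

Pass every permission set assigned to the account, including the one that backs its profile, because field access granted by any of them is cumulative.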

End User Permissions

End users have limited ability to access archived data based on their role and the permissions set by sys admins. Typically, an end user can view and search for archived records but doesn't have the ability to manage or unarchive data. These actions are often reserved for sys admins and authenticated users.

Even though archived data isn’t needed in the active Salesforce org, end users might require access because the data can contain valuable historical or reference information. Carefully define and manage end user permissions so that your end users have the access they need while maintaining the security and integrity of your archived data.

For example, a senior manager at Cumulus Cloud needs to prepare for an upcoming compliance audit. The audit requires her to provide detailed historical data from the past 5 years, including information about closed cases and customer interactions. Cumulus Cloud archives all closed cases after 3 years, so she needs to access archived sales records to gather the necessary information for the audit.

To ensure that end users can search for and view archived data, you must do two things.

  • Provide end users with the Archive View Archived Records permission.
  • Set up and customize Archive Widgets, which enable you to display archived data as related lists in Salesforce.

When you use Archive Widgets, your end users can still access and view archived data in the familiar Salesforce interface, even though the data has been archived and is no longer stored directly in Salesforce. In situations where you require stricter access control over archived records, you can set up a widget to prevent users from downloading files.

Congratulations on completing this module! You're now ready to strategically archive your Salesforce data, reduce your storage costs, and improve productivity with Salesforce Archive.
