Background
Einstein Analytics is a powerful analytics engine that allows you to explore and create analytics dashboards with Salesforce data as well as external data. Analytics dashboards and datasets can be created from Salesforce data, external data through connected systems or external data imported using CSV files.
Salesforce advertises that Einstein supports row-level security on datasets using either inherited sharing from Salesforce data or security predicates for a custom security mode. More information on these is available at the following links:
Below, I describe a solution for implementing security on external datasets that relate to Salesforce data and follow a custom security model facilitated through a junction object. Essentially, this is a many-to-many sharing model in which many users have access to many records in the external dataset.
Solution (GitHub)
Security Model
In our example, the Account object will be used to link to external data. The custom security model is implemented on the Account object using a junction object called User Account Assignment. The key point in the security model is that a single account can be shared by multiple users. The diagram below shows a visual representation of the security model.
In the above example, User 1 has access to Account 1, and User 2 has access to Account 1 and Account 2. The screenshot below shows the User Account Assignments in my analytics developer org, which I will use to implement the security in Einstein Analytics on an external dataset of orders that relate to the account record through the account number.
Analytics Setup
The snapshot of the orders dataset we will be using in our demo is shown below. The key field in the dataset is the Account_Number field which maps the order to a Salesforce account record.
The key to the solution is to extract the User Account Assignment records (a formula field is needed to expose the account number as the join key) and join them to the external orders dataset using the account number. The purpose of the join is to add a user ID column to the joined dataset so that a security predicate can filter rows to the logged-in user's ID. The dataflow and its definition (.json) are shown below. The dataflow creates a joined dataset that replicates order rows for every user account assignment that is matched.
OrdersWithAccountAssignments.wdf
{
  "sfdcDigest_UserAccountAssignment": {
    "action": "sfdcDigest",
    "parameters": {
      "fields": [
        {
          "name": "Account_Number__c"
        },
        {
          "name": "User__c"
        }
      ],
      "object": "User_Account_Assignment__c"
    }
  },
  "OrdersWithUsers": {
    "action": "sfdcRegister",
    "parameters": {
      "name": "OrdersWithUsers",
      "alias": "OrdersWithUsers",
      "source": "augment_OrdersWith"
    }
  },
  "edgemart_Orders": {
    "action": "edgemart",
    "parameters": {
      "alias": "Orders"
    }
  },
  "augment_OrdersWith": {
    "action": "augment",
    "parameters": {
      "right_key": [
        "Account_Number__c"
      ],
      "left": "edgemart_Orders",
      "left_key": [
        "Account_Number"
      ],
      "right_select": [
        "User__c"
      ],
      "right": "sfdcDigest_UserAccountAssignment",
      "relationship": "UserAccountAssignment",
      "operation": "LookupMultiValue"
    }
  }
}
In the above definition JSON, you can see that the order records are augmented with the User Account Assignment records using the Account_Number__c key and registered into a new dataset called OrdersWithUsers. This is the joined dataset to which we apply the security predicate that filters the records according to the user. The screenshot below shows the security predicate and the dataset properties.
Demo
For the demo, we have set up the User Account Assignment records as shown below. In the OrdersWithUsers dataset created with the security predicate applied, orders associated with Test Account 2 and Test Account 3 will be shown if logged in as me, and orders associated with Test Account 1 and Test Account 2 will be shown if logged in as the Test Analytics user. The demo video below the screenshot confirms the same.
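The visibility rules from the demo, modelled in Python as an added example (it is not part of the original post or its GitHub solution). It models the join outcome as the set of user IDs matched per order, and it also surfaces orders whose account has no assignment, which no user can see under the predicate. The user IDs, account numbers and order IDs are constructed, and the column name UserAccountAssignment.User__c assumes the augment output is named from the relationship and the selected field.

```python
# Added example with constructed sample data; not code from the original post.
from collections import defaultdict

# User_Account_Assignment__c rows as the sfdcDigest node would extract them
# (user IDs and account numbers are constructed placeholders).
ASSIGNMENTS = [
    {"Account_Number__c": "ACC-2", "User__c": "005ME"},
    {"Account_Number__c": "ACC-3", "User__c": "005ME"},
    {"Account_Number__c": "ACC-1", "User__c": "005TEST"},
    {"Account_Number__c": "ACC-2", "User__c": "005TEST"},
]
# External Orders rows (constructed); ACC-9 has no assignment at all.
ORDERS = [
    {"Order_Id": "O-1", "Account_Number": "ACC-1"},
    {"Order_Id": "O-2", "Account_Number": "ACC-2"},
    {"Order_Id": "O-3", "Account_Number": "ACC-3"},
    {"Order_Id": "O-4", "Account_Number": "ACC-9"},
]
USER_COL = "UserAccountAssignment.User__c"  # assumed name: relationship + field


def augment(orders, assignments):
    """Attach to each order every User__c whose assignment matches its account number."""
    users_by_account = defaultdict(set)
    for a in assignments:
        users_by_account[a["Account_Number__c"]].add(a["User__c"])
    return [{**o, USER_COL: users_by_account.get(o["Account_Number"], set())}
            for o in orders]


def visible_orders(joined, user_id):
    """Row-level filter: keep only rows whose user column contains the viewer's ID."""
    return sorted(r["Order_Id"] for r in joined if user_id in r[USER_COL])


def unassigned_orders(joined):
    """Orders that match no assignment and are therefore hidden from every user."""
    return sorted(r["Order_Id"] for r in joined if not r[USER_COL])


if __name__ == "__main__":
    joined = augment(ORDERS, ASSIGNMENTS)
    for uid in ("005ME", "005TEST", "005OTHER"):
        print(uid, visible_orders(joined, uid))
    print("unassigned:", unassigned_orders(joined))
```

Running the same comparison against real assignment and order extracts after each dataflow run shows both over-sharing (a user seeing an unexpected account) and orders that silently disappear because their account number matches no assignment.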