Sharing is caring. But don’t share too much!

One of my favorite features of Salesforce is the ability to share information with your community, be it through the Partner Portal, Customer Portal, Salesforce Sites, or Salesforce to Salesforce. Bringing a Salesforce Cloud to your community is a great way to foster better and more efficient communication.

But cloud computing is a lot like a first date. Sometimes too much sharing can be a bad thing.

As valuable as a Salesforce Cloud can be to you, your partners, and your customers, it’s important not to expose too much data or give the wrong data to the wrong people. Thankfully, there are some easy steps you can take to ensure this doesn’t happen. Administrators, you can use this as a checklist to ensure you are sharing just the right amount of information.

1. Organization Wide Defaults

Adopt a private sharing model for objects you plan to expose in the customer or partner portal. This ensures that partners/customers only see records owned by them, those below them in the role hierarchy, or shared with them. You do not need to go private on an object you don’t plan to expose in a portal as long as the portal user profiles are not granted access to these records.

2. Sharing Rules

Use sharing rules to create exceptions to the organization wide defaults. For example, if you have set leads to ‘private’ but want to have an internal public model, create a sharing rule such as the following so that all internal users have visibility to all leads whether they are owned by internal or external users.

I cannot tell you how many times I see this type of rule incorrectly defined, or not defined at all, which causes visibility issues.

Review all existing sharing rules, with particular attention to any that have a ‘Shared With Roles and Subordinates’ setting since you may be inadvertently exposing records to portal users. This is a very common occurrence for companies that have recently implemented a portal but have not updated their sharing rules. Thankfully you don’t have to delete the rule and re-create it. You can use the ‘Convert Portal User Access’ tool in the portal setup to migrate these rules.

3. Profiles

Check externally focused profiles to ensure that the profiles do not have any extraneous object access. Many companies do not uncheck object access (especially when new objects are created), which allows portal users to have these records included when searching.

Also, check public permissions (e.g. Manage Public Documents, Manage Public List Views, Manage Public Reports, & Manage Public Templates) on internally focused profiles to make sure that a limited number of users have access to these permissions. Otherwise when an internal user creates a list view (for example, one called ‘My Hot Leads!’) the default setting is to show this list view to all users including portal users. While the list view may not return any data to the portal user, they will see the list view name.

Review the ‘Run Reports’ and ‘Export Reports’ permissions on externally focused profiles to ensure that you give these permissions to the correct users if appropriate.
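One way to run the profile checks above offline, as an added example that is not part of the original post: it assumes an externally focused profile has been retrieved through the Metadata API as XML, and compares its object grants against the set of objects you intend to expose in the portal. The sample profile, the `Invoice__c` object and the `intended_objects` set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
REPORT_PERMS = {"RunReports", "ExportReport"}
ACCESS_FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")

# Constructed sample profile (Invoice__c is a hypothetical custom object).
SAMPLE_PROFILE = """\
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <allowRead>true</allowRead><allowEdit>true</allowEdit>
    <object>Lead</object>
  </objectPermissions>
  <objectPermissions>
    <allowRead>true</allowRead><allowEdit>false</allowEdit>
    <object>Invoice__c</object>
  </objectPermissions>
  <objectPermissions>
    <allowRead>false</allowRead><allowEdit>false</allowEdit>
    <object>Contract</object>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ExportReport</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>RunReports</name></userPermissions>
</Profile>"""


def audit_profile(profile_xml, intended_objects):
    """Return (extraneous object grants, enabled report permissions)."""
    root = ET.fromstring(profile_xml)
    extraneous = {}
    for perm in root.findall("md:objectPermissions", NS):
        obj = perm.findtext("md:object", namespaces=NS)
        # Collect every access flag that is switched on for this object.
        granted = [f for f in ACCESS_FLAGS
                   if perm.findtext(f"md:{f}", default="false", namespaces=NS) == "true"]
        if granted and obj not in intended_objects:
            extraneous[obj] = granted
    report_perms = sorted(
        up.findtext("md:name", namespaces=NS)
        for up in root.findall("md:userPermissions", NS)
        if up.findtext("md:enabled", namespaces=NS) == "true"
        and up.findtext("md:name", namespaces=NS) in REPORT_PERMS)
    return extraneous, report_perms


if __name__ == "__main__":
    extra, reports = audit_profile(SAMPLE_PROFILE, intended_objects={"Lead"})
    print("Objects granted beyond the intended set:", extra)
    print("Report permissions enabled:", reports)
```

Objects that appear in the first result are the ones a portal user can reach through search even though nobody meant to expose them.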

4. List View/Report Folder/Document Folder

Since Salesforce uses list views and folders as a common navigation metaphor, we suggest that you review what list views are visible to portal users. Do this by logging into the portal to see the exposed list views on each tab, and the report and document folder selections if you have exposed these tabs.

While being able to see a list view does not automatically grant you access to all records meeting the list view criteria (that would be governed by your access rights), showing too many list views in a portal (or even in the core CRM application) may be confusing to the user.

Companies that have granted public create permissions to a lot of users likely have a lot of folders that have ‘Visible to all users’ as the default. When you turn on the customer or partner portal these list views will be visible, and you need to change visibility to a more restrictive setting such as ‘All Internal Users’. This is a time-consuming but necessary step. If you had previously set up visibility using ‘Role and Subordinates’ and have now enabled the portal, you can migrate these views/folders automatically to ‘Roles and Internal Subordinates’ using a wizard available in the portal setup page.

5. Page Layouts

A few tips on page layouts:

  • Create external and internal page layouts and assign appropriately
  • Make the external page layout as minimal as needed by removing extraneous fields and custom links

6. Search

If you have exposed a search component on your portal, then try a test search for common first names, document names, etc. to see what records are returned to your partner/customer user. It’s a great way to see if there is unintended sharing going on!

This is by no means meant to be a comprehensive guide. If you’ve got further questions or concerns, feel free to let me know. We can set you up for a free security consultation.

To the point…

  • The Salesforce Cloud is a great platform for sharing data wide and far, but you need to respect the force!
  • Business processes change, so security reviews should be an ongoing process and not just an initial implementation consideration.
  • It’s easy to hide or inadvertently share data and features, so conduct periodic security reviews to ensure the right data is being shared.

Apprivo can help with a free security consultation. Contact Us.