Views:

Details

Scenarios / Symptoms

  • Need roles for Agents vs. Supervisors with different privileges.
  • Need to restrict sensitive fields (e.g., Customer Tier, Credit Limit, PII fields).
  • Want to prevent accidental deletes while allowing create/read/update.

Root Cause

  • Default roles are too broad or not aligned to your process.
  • Sensitive attributes not protected, causing data exposure.

Resolution Steps

Part A: Create Security Roles

  1. Duplicate a baseline role
    • Go to SettingsSecuritySecurity Roles.
    • Open a role similar to your target (e.g., Customer Service Representative).
    • Click ActionsCopy Role → Name it CSR – Case Agent.
  2. Set core privileges (example: CSR – Case Agent)
    • Case (Incident): Create/Read/Write at Business Unit; Append/Append To = BU; Assign/Share = BU; Delete = None (optional).
    • Account/Contact: Read at Parent: Child BU (optional), Write at BU, Delete = None.
    • Activities/Notes/Attachments: Create/Read/Write at BU.
    • Queues/Queue Items: Read at Org; Append/Append To = BU; Create = BU.
    • KB Article (Knowledge Article) / Knowledge Search Model: Read at Org.
    • Teams/Business Unit: Read = None or User (as required).
    • Customization and System tabs: Keep minimal.
  3. Create Supervisor role (CSR – Supervisor)
    • Start from CSR – Case Agent copy.
    • Increase scope to Parent: Child BU or Org for Case Read/Assign/Share.
    • Add Approve knowledge, Publish knowledge, and Reopen case if using such actions.
  4. Knowledge Manager role (CSR – Knowledge Manager)
    • Grant Create/Publish/Archive on Knowledge Article at BU/Org based on governance.
    • Grant Relevance Search configuration (read) if required.
  5. Assign roles to Teams (preferred)
    • SettingsSecurityTeams → Select Team → Manage Roles.

Part B: Protect Sensitive Fields with Field Security Profiles

  1. Enable field security on columns
    • Maker PortalTablesSelect table (e.g., Contact) → ColumnsSelect column (e.g., National ID, Customer Tier) → Field security = On → Save/Publish.
  2. Create Field Security Profile
    • SettingsSecurityField Security ProfilesNew → Name CSR – Sensitive Fields – Read Only.
    • Add Users/Teams to the Profile.
  3. Grant Field Permissions
    • Open the profile → Field Permissions → For each field, set:
      • Read: Yes for users who should view.
      • Update: No (read-only) for most users.
      • Create: No unless needed.
  4. Test with Agent vs. Supervisor
    • Confirm Agents cannot view/edit restricted fields; Supervisors can based on separate profile.

Validation / Expected Outcome

  • Agents can work cases without the ability to delete or see highly sensitive fields.
  • Supervisors and Knowledge Managers have elevated privileges appropriate to their role.
  • Sensitive columns are visible/editable only to authorized users.

FAQs / Notes

  • Field Security applies to model-driven apps, web services, and SDK.
  • If a field is required but hidden by field security, users may be blocked—consider business rules or defaulting logic.
  • Prefer profiles over JavaScript for true security (JS can hide UI, not protect data access).
Keywords: Security Roles, Column Security Profiles, FSP