From f561fd52e92a0709606cee251f530d1893695f66 Mon Sep 17 00:00:00 2001 From: moxarth-elastic Date: Thu, 11 Jan 2024 18:56:03 +0530 Subject: [PATCH 1/4] Documentation for Salesforce DLS --- docs/document-level-security/SALESFORCE.md | 57 ++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 docs/document-level-security/SALESFORCE.md diff --git a/docs/document-level-security/SALESFORCE.md b/docs/document-level-security/SALESFORCE.md new file mode 100644 index 000000000..f9a7b0675 --- /dev/null +++ b/docs/document-level-security/SALESFORCE.md 
@@ -0,0 +1,57 @@ +### Setting up the Salesforce connector + +See the [Developer guide](../../docs/DEVELOPING.md) for setting up connectors. + +## Document level security + +Document level security (DLS) enables you to restrict access to documents based on a user'­s permissions. This feature is available by default for the Salesforce connector. +Salesforce connector DLS supports for both standard & custom objects. + +Refer to [document level security](https://www.elastic.co/guide/en/enterprise-search/master/dls.html) for more information. + +Salesforce allows users to set permissions in different ways i.e. via Profiles, Permission sets and Permission set Groups. + +Refer this tutorial to get more idea on setting the permissions - [link](https://howtovideos.hubs.vidyard.com/watch/B1bQnMFg2VyZq7V6zXQjPg#:~:text=This%20is%20a%20must%20watch,records%20in%20your%20Salesforce%20organization.) + +### Set Permissions using Profiles + +Follow below steps to set permissions via Profiles: +1. From the setup page, go to `Administration` section => `Users` => `Profiles` and create a new profile +2. Choose `Read Only` or `Standard User` for the Existing Profile dropdown, give a name to the profile and save it. By default, `Read Only` or `Standard User` have the read permission to access all standard objects. There can be some more profiles which do have a read access to standard objects but these are some of them. +3. Now, edit the newly created profile and under `Object Permissions`, assign at least a `Read` access to the standard objects and custom objects you want to ingest into ElasticSearch. + +**Note:** If users specify advanced sync rules then they need to assign a `Read` access for that specific object in the profile. + +### Set Permissions using Permissions Set + +Users can have only one profile but, depending on the Salesforce edition, they can have multiple permission sets. You can assign permission sets to various types of users, regardless of their profiles. 
Permission sets are used to grant access for a specific job or task. + +For example, if the profile does not have read access to any custom object and does not want to update the profile then a permissions set comes into the picture. + +We can create a custom Permission Set that will have a read permission to that custom object and assign it to the user. Permission sets can do many more things like setting an app permissions, object permissions, etc. + +1. From the setup page, go to `Administration` section => `Users` => `Permission Sets` and create a new permission set. +2. Provide a label to the permission set and select the License for which you want the permission set work. +3. Now, you can set the permissions from the object permissions option. + +### Set Permissions using Permissions Set group + +Permission set groups are used to combine the multiple permission sets as per the requirement of the access. + +From the setup page, go to `Administration` section => `Users` => `Permission Set Groups` and create a new permission set group. + +Users can add multiple permission sets in a group as well as object permissions can also be set. + +### Set Profiles, Permission Set and Permission Set Groups to the User + +Go to the `Administration` section => under `Users` section, select `Users` and choose the user to set the permissions to. Now, we can set the Profile, Permission Set and Permission Set Groups created in above steps. + +**Note:** Refer to [DLS in Search Applications](https://www.elastic.co/guide/en/enterprise-search/master/dls-e2e-guide.html) to learn how to ingest data from Salesforce with DLS enabled, when building a search application. + +#### Additional Configuration + +##### `Enable document level security` + +Toggle to enable [document level security (DLS)](https://www.elastic.co/guide/en/enterprise-search/master/dls.html). 
When enabled: +- Full syncs will fetch access control lists for each document and store them in the `_allow_access_control` field. +- Access control syncs will fetch users' access control lists and store them in a separate index. From 3bbacbac977c272774aaab9aa7884740e89b8623 Mon Sep 17 00:00:00 2001 From: moxarth-elastic Date: Thu, 1 Feb 2024 12:29:17 +0530 Subject: [PATCH 2/4] Remove the extra content and attach links to the official docs --- docs/document-level-security/SALESFORCE.md | 23 +++------------------- 1 file changed, 3 insertions(+), 20 deletions(-) diff --git a/docs/document-level-security/SALESFORCE.md b/docs/document-level-security/SALESFORCE.md index f9a7b0675..b91a2a8f2 100644 --- a/docs/document-level-security/SALESFORCE.md +++ b/docs/document-level-security/SALESFORCE.md 
@@ -15,32 +15,15 @@ Refer this tutorial to get more idea on setting the permissions - [link](https:/ ### Set Permissions using Profiles -Follow below steps to set permissions via Profiles: -1. From the setup page, go to `Administration` section => `Users` => `Profiles` and create a new profile -2. Choose `Read Only` or `Standard User` for the Existing Profile dropdown, give a name to the profile and save it. By default, `Read Only` or `Standard User` have the read permission to access all standard objects. There can be some more profiles which do have a read access to standard objects but these are some of them. -3. Now, edit the newly created profile and under `Object Permissions`, assign at least a `Read` access to the standard objects and custom objects you want to ingest into ElasticSearch. - -**Note:** If users specify advanced sync rules then they need to assign a `Read` access for that specific object in the profile. +Refer the [official documentation](https://help.salesforce.com/s/articleView?id=sf.admin_userprofiles.htm&type=5) to know how to set permissions via Profiles. ### Set Permissions using Permissions Set -Users can have only one profile but, depending on the Salesforce edition, they can have multiple permission sets. You can assign permission sets to various types of users, regardless of their profiles. Permission sets are used to grant access for a specific job or task. - -For example, if the profile does not have read access to any custom object and does not want to update the profile then a permissions set comes into the picture. - -We can create a custom Permission Set that will have a read permission to that custom object and assign it to the user. Permission sets can do many more things like setting an app permissions, object permissions, etc. - -1. From the setup page, go to `Administration` section => `Users` => `Permission Sets` and create a new permission set. -2. 
Provide a label to the permission set and select the License for which you want the permission set work. -3. Now, you can set the permissions from the object permissions option. +Refer the [official documentation](https://help.salesforce.com/s/articleView?id=sf.perm_sets_overview.htm&language=en_US&type=5) to know how to set permissions via Permissions Sets. ### Set Permissions using Permissions Set group -Permission set groups are used to combine the multiple permission sets as per the requirement of the access. - -From the setup page, go to `Administration` section => `Users` => `Permission Set Groups` and create a new permission set group. - -Users can add multiple permission sets in a group as well as object permissions can also be set. +Refer the [official documentation](https://help.salesforce.com/s/articleView?id=sf.perm_set_groups.htm&type=5) to know how to set permissions via Permissions Set Groups. ### Set Profiles, Permission Set and Permission Set Groups to the User From 2669308f72daad260a32a826e557f54a629b0b30 Mon Sep 17 00:00:00 2001 From: moxarth-elastic Date: Thu, 1 Feb 2024 12:40:18 +0530 Subject: [PATCH 3/4] add statement to read permission --- docs/document-level-security/SALESFORCE.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/document-level-security/SALESFORCE.md b/docs/document-level-security/SALESFORCE.md index b91a2a8f2..3dd4f7356 100644 --- a/docs/document-level-security/SALESFORCE.md +++ b/docs/document-level-security/SALESFORCE.md 
@@ -9,10 +9,12 @@ Salesforce connector DLS supports for both standard & custom objects. Refer to [document level security](https://www.elastic.co/guide/en/enterprise-search/master/dls.html) for more information. -Salesforce allows users to set permissions in different ways i.e. via Profiles, Permission sets and Permission set Groups. +Salesforce allows users to set permissions in different ways i.e. via Profiles, Permission sets and Permission set Groups. Refer this tutorial to get more idea on setting the permissions - [link](https://howtovideos.hubs.vidyard.com/watch/B1bQnMFg2VyZq7V6zXQjPg#:~:text=This%20is%20a%20must%20watch,records%20in%20your%20Salesforce%20organization.) +To ingest any standard or custom objects, users must ensure that at least `Read` permission is granted to that object through any of the following methods for setting permissions. + ### Set Permissions using Profiles Refer the [official documentation](https://help.salesforce.com/s/articleView?id=sf.admin_userprofiles.htm&type=5) to know how to set permissions via Profiles. From 188dad11969ec6b7fedffda88ee0cadfbd356731 Mon Sep 17 00:00:00 2001 From: moxarth-elastic <96762084+moxarth-elastic@users.noreply.github.com> Date: Thu, 8 Feb 2024 11:11:35 +0530 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Liam Thompson <32779855+leemthompo@users.noreply.github.com> --- docs/document-level-security/SALESFORCE.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/document-level-security/SALESFORCE.md b/docs/document-level-security/SALESFORCE.md index 3dd4f7356..52b455cb6 100644 --- a/docs/document-level-security/SALESFORCE.md +++ b/docs/document-level-security/SALESFORCE.md 
@@ -11,27 +11,29 @@ Refer to [document level security](https://www.elastic.co/guide/en/enterprise-se Salesforce allows users to set permissions in different ways i.e. via Profiles, Permission sets and Permission set Groups. -Refer this tutorial to get more idea on setting the permissions - [link](https://howtovideos.hubs.vidyard.com/watch/B1bQnMFg2VyZq7V6zXQjPg#:~:text=This%20is%20a%20must%20watch,records%20in%20your%20Salesforce%20organization.) +For guidance, refer to these [video tutorials](https://howtovideos.hubs.vidyard.com/watch/B1bQnMFg2VyZq7V6zXQjPg#:~:text=This%20is%20a%20must%20watch,records%20in%20your%20Salesforce%20organization) about setting Salesforce permissions. -To ingest any standard or custom objects, users must ensure that at least `Read` permission is granted to that object through any of the following methods for setting permissions. +To ingest any standard or custom objects, users must ensure that at least `Read` permission is granted to that object. This can be granted using any of the following methods for setting permissions. ### Set Permissions using Profiles -Refer the [official documentation](https://help.salesforce.com/s/articleView?id=sf.admin_userprofiles.htm&type=5) to know how to set permissions via Profiles. +Refer to the [official documentation](https://help.salesforce.com/s/articleView?id=sf.admin_userprofiles.htm&type=5) for setting permissions via Profiles. ### Set Permissions using Permissions Set -Refer the [official documentation](https://help.salesforce.com/s/articleView?id=sf.perm_sets_overview.htm&language=en_US&type=5) to know how to set permissions via Permissions Sets. +Refer to the [official documentation](https://help.salesforce.com/s/articleView?id=sf.perm_sets_overview.htm&language=en_US&type=5) for setting permissions via Permissions Sets. 
### Set Permissions using Permissions Set group -Refer the [official documentation](https://help.salesforce.com/s/articleView?id=sf.perm_set_groups.htm&type=5) to know how to set permissions via Permissions Set Groups. +Refer to the [official documentation](https://help.salesforce.com/s/articleView?id=sf.perm_set_groups.htm&type=5) for setting permissions via Permissions Set Groups. ### Set Profiles, Permission Set and Permission Set Groups to the User -Go to the `Administration` section => under `Users` section, select `Users` and choose the user to set the permissions to. Now, we can set the Profile, Permission Set and Permission Set Groups created in above steps. +1. Go to `Administration` under the `Users` section. +2. Select `Users` and choose the user to set the permissions to. +3. Set the `Profile`, `Permission Set`or `Permission Set Groups` created in the earlier steps. -**Note:** Refer to [DLS in Search Applications](https://www.elastic.co/guide/en/enterprise-search/master/dls-e2e-guide.html) to learn how to ingest data from Salesforce with DLS enabled, when building a search application. +**Note:** Refer to [DLS in Search Applications](https://www.elastic.co/guide/en/enterprise-search/master/dls-e2e-guide.html) to learn how to ingest data with DLS enabled, when building a search application. #### Additional Configuration
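Review bot: In [PATCH 1/4], the opening paragraph says DLS "is available by default", while the `Enable document level security` section at the end of the same hunk describes a toggle, so a reader cannot tell whether access is actually restricted before the toggle is switched on. State the toggle's default explicitly, and say whether a full sync has to run after enabling it before `_allow_access_control` is populated. Smaller points in the same hunk: "user'­s" carries a stray character after the apostrophe, "Salesforce connector DLS supports for both standard & custom objects" should read "supports both standard and custom objects", "ElasticSearch" should be "Elasticsearch", and the heading levels jump from `###` to `##` and then to `####`/`#####`.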
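Review bot: In [PATCH 2/4], the block removed under `### Set Permissions using Profiles` takes with it the note that advanced sync rules need `Read` access on that specific object. That note is guidance about this connector rather than about Salesforce itself, so it should stay next to the new link instead of being dropped. The three replacement lines also read "Refer the [official documentation]" (missing "to"), and only the Permission Sets URL carries `&language=en_US`, so the link parameters should be made consistent.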
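Review bot: In [PATCH 3/4], the added sentence "users must ensure that at least `Read` permission is granted to that object" does not say whose permission is meant: the Salesforce account the connector syncs with, or the end users whose access DLS enforces. Name the account explicitly so the grant is not applied to the wrong one. The first `-`/`+` pair in the hunk shows identical visible text, which suggests a whitespace-only change that could be dropped, and the tutorial link still uses the bare label "link" with a `#:~:text=` fragment that looks copied from a browser highlight.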
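Review bot: In [PATCH 4/4], new step 1 "Go to `Administration` under the `Users` section" reverses the navigation in the line it replaces ("Go to the `Administration` section => under `Users` section, select `Users`"), where `Users` sits under `Administration`. Reword it to something like "Go to the `Administration` section, then `Users`". Step 3 is missing a space in "`Permission Set`or", the video link keeps its `#:~:text=` fragment, and the headings still alternate between "Permissions Set" and "Permission Set".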