Securing matters using the REST API (Ethical Walls)

Permissive security model

Salesforce uses a permissive model for applying security at the record level. The following document provides some background on the subject: https://resources.docs.salesforce.com/sfdc/pdf/salesforce_record_access_under_the_hood.pdf

 

Structure required to secure matters

Step 1 - Matter default access to private

Set the Matter object to have private security through Setup > Security Controls > Sharing Settings: click Edit and set the default internal access to Private.

Once this has been completed, when a record is created the only user who will have access is the 


Step 2 - Share matters with no ethical wall restrictions with all users

Add a sharing rule to the matter by selecting the Matter object from the "Manage sharing setting for:" picklist on the Setup > Security Controls > Sharing Settings page.

Under Matter Sharing Rules, select New and set up a new sharing rule that allows all users read/write access to all matters without an Ethical Wall. These matters will be identified by a field on the Matter object.


Step 3 - Restrict Access to specific matters by adding Ethical wall information

To restrict access to specific matters, add Ethical Wall identification information to the Ethical Wall field. This deactivates the sharing rule set up in Step 2 and makes the matter private to the record owner only (who in most cases will be the integration user).

 

Step 4 - Add access for users who are allowed access to the matter

Permissions can be added for individual users, public groups or roles. 

Groups

Step 4a.1 - Add a new public group

Step 4a.2 - Add users to a public group

Step 4a.3 - Add public group to matter with required permission

 

Users

Step 4b.1 - Add user to matter with required permission

Result

Code examples for the above implementation

Step | API calls

Step 3

HTTP Method:

PATCH

REST API Call:

/services/data/v36.0/sobjects/OnePlace__Matters__c/a1H90000005Lm7r

JSON Update:

{
"Ethical_Wall__c" : "123456.ABC"
}

Step 4a.1

HTTP Method:

POST

REST API Call:

/services/data/v36.0/sobjects/Group/

JSON Update:

{
"Name" : "123456.ABC"
}

Response:

{
"id" : "00G9000000307YwEAI",
"success" : true,
"errors" : [ ]
}

Step 4a.2

HTTP Method:

POST

REST API Call:

/services/data/v36.0/sobjects/GroupMember/

JSON Update:

{
"GroupId" : "00G9000000307YwEAI",
"UserOrGroupId" : "00590000004tFoUAAU"
}

Response:

{
"id" : "011900000013M0TAAU",
"success" : true,
"errors" : [ ]
}

 

Step 4a.3 or Step 4b.1

HTTP Method:

POST

REST API Call:

/services/data/v36.0/sobjects/OnePlace__Matters__Share/

JSON Update:

{
"AccessLevel" : "Edit",
"ParentId" : "a1H90000005Lm7r",
"UserOrGroupId" : "00G9000000307YwEAI"
}

Response:

{
"id" : "02c900000EIwzZrAQJ",
"success" : true,
"errors" : [ ]
}
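
The Step 3 and Step 4a calls chained into one ordered run, as an added example that is not part of the original page or the product's own code. The `send` transport and the `make_fake_send` stand-in with its FAKE ids are hypothetical and constructed so the block runs offline; the paths and field names are the ones shown above. The run sets the wall before granting any access and stops at the first call that does not report success.

```python
import json

API = "/services/data/v36.0/sobjects"  # API version used on this page


class WallError(Exception):
    """Raised when a call does not report success, so the run stops."""


def apply_ethical_wall(send, matter_id, wall_id, user_ids, access="Edit"):
    """Run Steps 3 and 4a in order. `send(method, path, body)` is a
    hypothetical transport returning the parsed JSON response, or None
    for the empty 204 reply a successful PATCH returns."""
    def call(method, path, body):
        resp = send(method, path, json.dumps(body))
        if resp is not None and not (isinstance(resp, dict) and resp.get("success")):
            raise WallError(f"{method} {path}: {resp}")
        return resp

    # Step 3: set the wall first so the Step 2 sharing rule stops applying
    # before any explicit access is granted.
    call("PATCH", f"{API}/OnePlace__Matters__c/{matter_id}",
         {"Ethical_Wall__c": wall_id})
    # Step 4a.1: create a public group named after the wall.
    group_id = call("POST", f"{API}/Group/", {"Name": wall_id})["id"]
    # Step 4a.2: add each permitted user, using the id returned by 4a.1.
    for uid in user_ids:
        call("POST", f"{API}/GroupMember/",
             {"GroupId": group_id, "UserOrGroupId": uid})
    # Step 4a.3: share the matter with the group.
    share = call("POST", f"{API}/OnePlace__Matters__Share/",
                 {"AccessLevel": access, "ParentId": matter_id,
                  "UserOrGroupId": group_id})
    return {"group_id": group_id, "share_id": share["id"]}


def make_fake_send(log, fail_on=None):
    """Constructed offline stand-in for an authenticated HTTP client."""
    def send(method, path, body):
        log.append((method, path, json.loads(body)))
        if method == "PATCH":
            return None
        if fail_on and fail_on in path:
            return {"success": False, "errors": ["constructed failure"]}
        return {"id": f"FAKE{len(log):03d}", "success": True, "errors": []}
    return send
```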