Securing matters using the REST API (Ethical Walls)
Permissive security model
Salesforce uses a permissive model for applying security at the record level; the following document provides background on the subject: https://resources.docs.salesforce.com/sfdc/pdf/salesforce_record_access_under_the_hood.pdf
Structure required to secure matters
Step 1 - Matter default access to private
Set the Matter object to private security through Setup > Security Controls > Sharing Settings: click Edit and set the default internal access for Matter to Private.
Once this has been completed, when a record is created the only user who will have access is the
Step 2 - Share matters with no ethical wall restrictions with all users
Add a sharing rule to the Matter object by selecting it from the "Manage sharing settings for:" picklist on the Setup > Security Controls > Sharing Settings page.
Under Matter Sharing Rules, select New and set up a sharing rule that gives all users Read/Write access to all matters without an Ethical Wall. These matters are identified by a field on the Matter object.
Step 3 - Restrict Access to specific matters by adding Ethical wall information
To restrict access to a specific matter, add Ethical Wall identification information into the Ethical Wall field. The sharing rule set up in step 2 then no longer applies to that matter, leaving it visible only to the record owner (who in most cases will be the integration user).
Step 4 - Add access for users who are allowed access to the matter
Permissions can be added for individual users, public groups, or roles.
Groups
Step 4a.1 - Add a new public group
Step 4a.2 - Add users to a public group
Step 4a.3 - Add public group to matter with required permission
Users
Step 4b.1 - Add user to matter with required permission
Result
Code examples for the above implementation
Step | HTTP Method | REST API Call | JSON Update | Response
---|---|---|---|---
Step 3 | PATCH | /services/data/v36.0/sobjects/OnePlace__Matters__c/a1H90000005Lm7r | `{` | 
Step 4a.1 | POST | /services/data/v36.0/sobjects/Group/ | `{` | `{ "id" : "00G9000000307YwEAI", "success" : true, "errors" : [ ] }`
Step 4a.2 | POST | /services/data/v36.0/sobjects/GroupMember/ | `{ "UserOrGroupId" : "00590000004tFoUAAU" }` | `{ "id" : "011900000013M0TAAU", "success" : true, "errors" : [ ] }`
Step 4a.3 or Step 4b.1 | POST | /services/data/v36.0/sobjects/OnePlace__Matters__Share/ | `{ "ParentId" : "a1H90000005Lm7r", "UserOrGroupId" : "00G9000000307YwEAI" }` | `{ "id" : "02c900000EIwzZrAQJ", "success" : true, "errors" : [ ] }`
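The following added example (not part of the original page or the OnePlace product) models the access outcome of steps 1 to 4 so the ethical-wall result can be checked before and after each REST call: with the org-wide default private, a matter without a wall is visible to everyone through the step 2 rule, adding a wall value collapses access to the owner, and only OnePlace__Matters__Share rows restore access. User names, the wall value "WALL-001" and the Ethical Wall field name are constructed; the record and group IDs are the ones from the table above.

```python
from dataclasses import dataclass, field

API = "/services/data/v36.0/sobjects"

def share_request(parent_id, user_or_group_id):
    """REST call for step 4a.3 / 4b.1: (method, path, JSON body) for a share row."""
    return ("POST", f"{API}/OnePlace__Matters__Share/",
            {"ParentId": parent_id, "UserOrGroupId": user_or_group_id})

@dataclass
class Matter:
    id: str
    owner_id: str
    ethical_wall: str = ""   # the Ethical Wall field; API name assumed, not from the page

@dataclass
class Org:
    """Minimal model of the sharing setup from steps 1-4 (constructed, OWD private)."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)  # public group id -> member user ids
    shares: list = field(default_factory=list)  # (ParentId, UserOrGroupId) share rows

    def grantees(self, user_or_group_id):
        return self.groups.get(user_or_group_id, {user_or_group_id})

    def can_access(self, user_id, matter):
        if user_id == matter.owner_id:          # the record owner always keeps access
            return True
        if not matter.ethical_wall.strip():     # step 2 rule: no wall -> all users
            return True
        # OWD is private (step 1), so only explicit share rows (step 4) remain
        return any(p == matter.id and user_id in self.grantees(g)
                   for p, g in self.shares)

    def users_with_access(self, matter):
        return sorted(u for u in self.users if self.can_access(u, matter))

def walk_through():
    """Apply steps 3 and 4 to constructed users; return access at each stage."""
    org = Org(users={"integration", "alice", "bob", "carol"})
    matter = Matter(id="a1H90000005Lm7r", owner_id="integration")
    before = org.users_with_access(matter)
    matter.ethical_wall = "WALL-001"                 # step 3 (constructed wall id)
    walled = org.users_with_access(matter)
    org.groups["00G9000000307YwEAI"] = {"alice"}     # steps 4a.1 and 4a.2
    _, _, body = share_request(matter.id, "00G9000000307YwEAI")
    org.shares.append((body["ParentId"], body["UserOrGroupId"]))  # step 4a.3
    org.shares.append((matter.id, "bob"))            # step 4b.1, direct user share
    return before, walled, org.users_with_access(matter)
```

Running `walk_through()` shows every user before the wall, only the owner once the wall value is set, and owner plus the group member and the directly shared user afterwards; carol, who was never shared, stays excluded.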