If you are a university thinking of rolling out Salesforce for your entire university or college, or reevaluating the security of your current setup, the question of which security model to follow with HEDA is always on your mind. The challenge is knowing which profiles to start with, which roles to create, and what level of access to give your recruitment, admissions, marketing and financial aid folks. This blog post will help you get started with best practices and provides a free template to get started as well.
1. Define Organization wide defaults
This is the very foundation for your university and needs to be thought about carefully. In the Salesforce world, the best practice has always been to start with a restrictive model on the OWD (organization-wide defaults) and open up access using profiles, roles and sharing rules. Here is what you can do for the objects.
- For all your standard objects, namely Leads, Accounts, Contacts, Campaigns and Opportunities (which universities need to use more), ensure that the organization-wide default is set to Private.
- For Accounts the organization-wide default is Private, and for Contacts it should be Controlled by Parent.
- For HEDA objects, namely courses, terms and programs, the organization-wide default can be set to Controlled by Parent (Account), and the course enrollment and program enrollment objects would also be Controlled by Parent (Contact).
2. Setup Profiles
The second step in the process is setting up profiles for your users. With Salesforce standard profiles like System Administrator, Standard User and Marketing User, the question is how many profiles you need for your departments. The list below answers the question.
- Set up a profile for each department, such as marketing user, recruitment, financial aid and IT, cloned from Standard User.
- For system administrators, clone the System Administrator profile and create a separate system admin profile for IT users. The reason you would want to do this is that the standard system admin profile is not editable, and you always want a customized system admin profile for your IT users and business users.
- Create a separate system admin profile for your advanced technical users in marketing and recruitment so they can perform their operations quickly.
3. Setup Data Access
Once the profiles and organization-wide defaults are set up, the question is how to provide data access to all the users in a department. Salesforce roles are the solution to this. The problem is that most users mistake roles for their organizational roles, which sometimes backfires because of cross-data permission needs. So here are some best practices followed by other higher ed institutions.
- Create one role for each department, such as marketing, recruitment, financial aid and IT.
- If you are planning to roll out Salesforce across Grad and Undergrad in your enterprise, you can create a role called recruitment and create Grad and Undergrad as its child roles. This ensures that students can be easily divided between these departments and worked independently.
- If there are student records which need to be shared between all departments, create sharing rules using criteria such as program of interest or student status, and share the records with your different department roles.
- For continuing professional education, you can use account teams to share organizational accounts (companies) with marketing, recruitment and career services.
4. Exclusive permissions and Some NO-NO’S
There might be scenarios where you have to grant exclusive access to a group of users or departments. Here are things you can consider for this.
- Use permission sets to grant exclusive access to objects and records for some users with unique business needs.
- In a scenario where you have to share access to records automatically, for example for prospective students or marketing department needs, you can use Apex to program Apex sharing rules which automatically assign permissions to users.
- Never provide delete all and modify all permissions to profiles other than your system admin profile. This prevents major data disasters and accidental data deletes.
- Define account ownership for your university and never make the integration user the account owner. This has been done in some institutions because the integration batch process creates student records. As a best practice, you can make the recruitment user the account owner for prospective students and student advisers the record owners for registered student records.
- If you plan to use Leads, use Lead queues as lead owners instead of individual users. This helps to assign prospective students (Leads) to a group of users and ensures that all your recruitment folks can access the lead records and act on them.
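A check for the "modify all" rule in the list above, as an added example that is not part of the original post: it scans profile metadata in Salesforce Metadata API `Profile` format and reports every non-admin profile that grants object-level `modifyAllRecords` or the `ModifyAllData` user permission. The profile names and XML are constructed samples, and mapping the post's "delete all and modify all" to these two fields is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Assumption: "IT System Admin" is the cloned admin profile allowed these rights.
ADMIN_PROFILES = {"System Administrator", "IT System Admin"}

def _profile(body):
    return f'<Profile xmlns="{NS["md"]}">{body}</Profile>'

def _obj(name, modify_all):
    return (f"<objectPermissions><modifyAllRecords>{modify_all}</modifyAllRecords>"
            f"<object>{name}</object></objectPermissions>")

def _perm(name, enabled):
    return (f"<userPermissions><enabled>{enabled}</enabled>"
            f"<name>{name}</name></userPermissions>")

# Constructed sample profiles (hypothetical names), not exported from a real org.
SAMPLE_PROFILES = {
    "IT System Admin": _profile(_obj("Account", "true") + _perm("ModifyAllData", "true")),
    "Recruitment User": _profile(_obj("Lead", "true") + _obj("Contact", "false")),
    "Marketing User": _profile(_obj("Campaign", "false") + _perm("ModifyAllData", "true")),
    "Financial Aid User": _profile(_obj("Contact", "false") + _perm("ModifyAllData", "false")),
}

def audit_profile(name, xml_text):
    """Return (profile, permission, object) findings; admin profiles are exempt."""
    if name in ADMIN_PROFILES:
        return []
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.findall("md:objectPermissions", NS):
        if op.findtext("md:modifyAllRecords", "false", NS) == "true":
            findings.append((name, "modifyAllRecords", op.findtext("md:object", "", NS)))
    for up in root.findall("md:userPermissions", NS):
        if (up.findtext("md:name", "", NS) == "ModifyAllData"
                and up.findtext("md:enabled", "false", NS) == "true"):
            findings.append((name, "ModifyAllData", "*"))
    return findings

def audit_all(profiles):
    """Audit every profile and return the findings sorted by profile name."""
    return sorted(f for name, xml in profiles.items() for f in audit_profile(name, xml))

if __name__ == "__main__":
    for profile, permission, target in audit_all(SAMPLE_PROFILES):
        print(f"{profile}: {permission} on {target}")
```

The same check can be pointed at retrieved `.profile-meta.xml` files by reading each file's text into the dictionary keyed by profile name.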
I hope the above guidelines provide you with the foundation to start setting up security for the enterprise. Feel free to post your comments or email me at firstname.lastname@example.org with questions, and I would be glad to answer them for you. I would like to thank Jolene Jackson from Bellevue University, who helped me in creating this post. Please fill in your name and email in the form below to download the Getting Started security template toolkit.