Migrate from Data Security Policies to Access Group Rules
You can provide users with access to sales and service data using data security policies, access group rules, or a combination of both.
If you started using the sales application before release 22B, the predefined job roles and any custom job roles you create provide users with data access using data security policies. But you can supplement or refine the access each type of role provides using either data security policies or access group rules.
You can also configure custom job roles so that the data access they provide is achieved using only, or primarily, access group rules. For example, you might decide that you want users assigned a custom sales representative job role to access object records using access group rules. To do this, you deactivate the data security policies assigned to the custom job role, then assign access group rules that provide the same access to the system access group generated for the custom role.
There are five steps in the process of migrating a custom role to provide data access primarily through access group rules:
Identify the Data Security Policies to Deactivate
The first step in the process of migrating a custom job role to use access group rule data access is to identify the data security policies assigned to the custom role, then determine which policies you can deactivate and replace with access group rules.
Results:
At the end of the process, for your custom role and object, you should have identified and noted:
- All the data security policies to be deactivated
- All the policies marked for deactivation for which you have to assign a corresponding access group rule
- The access levels you need to set for each rule you assign
Identify the Access Group Rules that Correspond to Data Security Policies
To replace data security policies with access group rules as a way of providing data access for a custom job role, identify the rule or rules that provide the same data access as each policy you're going to deactivate for the role. This chapter includes a table for each object that supports access groups. Each table lists the access group rules that correspond to each of the data security policies defined for the object.
Add Rules to the Access Group Generated for the Custom Role
Once you've identified the access group rule or rules that correspond to each policy you intend to deactivate for a custom job role, you then assign the rules to the system access group generated for the custom role when the role was created. This way, you don't lose your existing access paths to object data.
When you create a custom job role, a system access group is generated for the role but it isn't assigned any access group rules. You can add the rules you identified in the previous step to your custom access group manually but it's generally easier to copy the object sharing rules from another access group that provides similar access, then edit the rules as required.
For example, when you created the Sales Representative Custom job role, a system group, Sales Representative Custom Group, was generated. You can copy the object sharing rules from the group generated for the predefined Sales Representative job role (Sales Representative Group), then edit the rules as required for the Sales Representative Custom Group. Here are the steps to use.
- Navigate to the Sales and Service Access Management work area.
- On the Access Groups page, select System Groups-Role from the List menu.
- Select the access group whose rules you want to copy. For this example, select Sales Representative Group.
- On the Edit Access Group: Overview page, select the Copy Rules option from the Actions menu. The Copy Object Sharing Rules dialog is displayed.
- From the Copy to Group drop-down list, select the group you want to copy the rules to. In this example, select the Sales Representative Custom Group.
- Click Save. The rules are copied to your selected group.
- Click Save and Close on the Edit Access Group: Overview subtab.
- Once the rules are copied, on the Access Groups page, select the access group you've just copied the rules to, in this case, the Sales Representative Custom Group.
- On the Edit Access Group: Overview page, click the Object Rules subtab.
- Review the new rules assigned to the group against the list of rules you noted in the previous step (Identify the Access Group Rules that Correspond to Data Security Policies).
- Delete any rules that aren’t required by your access group by clicking the Delete icon for the rule.
- Add any additional rules needed by clicking Add Rule, then selecting the rules to add.
- For rules that are required:
- On the Object Sharing Rules page, click Save and Close to save your changes.
- Publish the new rules you copied and enabled for your custom access group by navigating to the Access Groups page, selecting the Object Rules tab, then selecting Publish Rules from the Actions menu.
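Before deactivating any policy, it helps to reconcile the rules now on the custom group against the list noted in the earlier steps. The following is an added example, not Oracle code: it assumes you have typed the noted policies, rules and access levels into plain Python structures, and every policy name, rule name and access level in it is a constructed placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupRule:
    name: str           # rule as listed on the Object Rules subtab
    enabled: bool
    access_level: str


# Constructed sample data: placeholder names and levels, not Oracle's own.
POLICY_RULES = {        # policy marked for deactivation -> replacement rules
    "POLICY_OPPTY_OWNER": ["RULE_OPPTY_OWNER"],
    "POLICY_OPPTY_TEAM": ["RULE_OPPTY_TEAM", "RULE_OPPTY_TEAM_HIERARCHY"],
    "POLICY_OPPTY_LEGACY": [],          # no replacement rule required
}
REQUIRED_LEVELS = {"RULE_OPPTY_OWNER": "Full", "RULE_OPPTY_TEAM": "Update",
                   "RULE_OPPTY_TEAM_HIERARCHY": "Read"}
GROUP_RULES = [         # rules on the custom group after Copy Rules and edits
    GroupRule("RULE_OPPTY_OWNER", True, "Full"),
    GroupRule("RULE_OPPTY_TEAM", True, "Read"),       # level differs from plan
    GroupRule("RULE_OPPTY_TERRITORY", True, "Read"),  # copied but not noted
]


def reconcile(policy_rules, required_levels, group_rules):
    """Compare the rules noted during planning with the rules on the group."""
    on_group = {r.name: r for r in group_rules}
    required = {rule for rules in policy_rules.values() for rule in rules}

    def problem(rule):
        current = on_group.get(rule)
        if current is None:
            return "missing"
        if not current.enabled:
            return "disabled"
        if current.access_level != required_levels[rule]:
            return "wrong_level"
        return None

    problems = {r: p for r in sorted(required) if (p := problem(r))}
    return {
        "problems": problems,
        # Copied rules that no noted policy needs: candidates for deletion.
        "extra": sorted(set(on_group) - required),
        # Policies to keep active until their replacement rules are in place.
        "hold": sorted(p for p, rules in policy_rules.items()
                       if any(r in problems for r in rules)),
    }


if __name__ == "__main__":
    print(reconcile(POLICY_RULES, REQUIRED_LEVELS, GROUP_RULES))
```

An empty "problems" and "hold" result means every policy on the list has its replacement rules enabled at the noted access level; anything under "extra" grants access that no deactivated policy provided and should be reviewed before publishing.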
Deactivate Data Security Policies
Once you've added the required access group rules to your custom access group, in this case, the Sales Representative Custom group, deactivate the policies you identified as candidates for deactivation in the step Identify the Data Security Policies to Deactivate.
You can deactivate a policy by removing all the permissions assigned to the policy. Alternatively, you can enter an end-date for the policy and specify a date in the past using these steps.
Verify User Access to Data
Verify that the migration process didn't impact users' access to object data.