Security: Scenario 4 Solution


In order for some users to not have access to marketing leads, org-wide defaults for leads must be set to private.

When you create a queue, a list view is created for the associated object (in this case, leads). However, this list view is exposed to all users, regardless of whether they have access to the records within the queue. The sharing criteria for the list view do not let you share the list view with queue members only, but you can specify a group. It is therefore good practice to create a public group for each queue when the org-wide default for that object is private.

It is possible to solve this scenario without using a group, although the solution outlined below includes a group:

  1. Set the org-wide default for leads to private.
  2. Create public group “Marketing Queue”.
  3. Create lead queue “Marketing Queue”.
    Assign the public group “Marketing Queue”.
    Assign the queue to the leads object.
  4. Edit the Marketing Queue lead list view.
    Assign visibility to the Marketing Queue.

Solution steps:

  1. Setup –> Security Controls –> Sharing Settings.  Edit Org-Wide Defaults.  Set Lead to Private.  Save.
  2. Setup –> Manage Users –> Public Groups.  New.  “Marketing Queue”.
    Assign the role “SVP, Sales & Marketing”.
    Assign the role and subordinates “VP, Marketing”.
  3. Setup –> Manage Users –> Queues.  New.  “Marketing Queue”.
    Add Leads to Select Objects.
    Add Public Group “Marketing Queue” to select members.
    Save.
  4. Select the Sales App.  Click the Leads Tab.  Select the Marketing Queue list view.  Edit List View.  Remove any entries from Restrict Visibility if present.  Add “Group: Marketing Queue” to list of Shared To.  Save.
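
The following is an added example, not part of the original post: a small Python model of how the public group from step 2 resolves to users, and of who can select the list view before and after step 4. The role tree layout and the user names are constructed for illustration, and the model covers group membership only, not record access gained through the role hierarchy.

```python
# Constructed role hierarchy (child -> parent). Role names come from the page;
# their placement in the tree and the user names are assumptions.
PARENT = {
    "SVP, Sales & Marketing": "CEO",
    "VP, Marketing": "SVP, Sales & Marketing",
    "Marketing Team": "VP, Marketing",
    "VP, North American Sales": "SVP, Sales & Marketing",
    "Western Sales Team": "VP, North American Sales",
}
USER_ROLE = {
    "ceo": "CEO",
    "svp": "SVP, Sales & Marketing",
    "vp_mkt": "VP, Marketing",
    "marketer": "Marketing Team",
    "james": "Western Sales Team",
}
# Public group "Marketing Queue" exactly as built in step 2.
MARKETING_GROUP = [
    ("role", "SVP, Sales & Marketing"),
    ("role_and_subordinates", "VP, Marketing"),
]

def at_or_below(role, ancestor):
    """True if `role` is `ancestor` or sits anywhere beneath it."""
    while role is not None:
        if role == ancestor:
            return True
        role = PARENT.get(role)
    return False

def expand(entries):
    """Resolve group entries to the set of users they cover."""
    users = set()
    for kind, role in entries:
        for user, user_role in USER_ROLE.items():
            if kind == "role" and user_role == role:
                users.add(user)
            elif kind == "role_and_subordinates" and at_or_below(user_role, role):
                users.add(user)
    return users

def outside_queue(view_audience, queue_members):
    """Users who can select the list view without being queue members."""
    return view_audience - queue_members

QUEUE_MEMBERS = expand(MARKETING_GROUP)   # step 3: the group is the queue's member
DEFAULT_VIEW = set(USER_ROLE)             # list view as created: every user
SHARED_VIEW = expand(MARKETING_GROUP)     # step 4: shared to "Group: Marketing Queue"

if __name__ == "__main__":
    print("queue members:", sorted(QUEUE_MEMBERS))
    print("default view, not in queue:", sorted(outside_queue(DEFAULT_VIEW, QUEUE_MEMBERS)))
    print("shared view, not in queue:", sorted(outside_queue(SHARED_VIEW, QUEUE_MEMBERS)))
```

Because the queue and the list view both point at the same group, changing the group's entries changes both audiences together.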

 

58 thoughts on “Security: Scenario 4 Solution”

  1. Hi, is the reason to create public group instead of directly assigned to Role to enable users from other roles provided access to queue if necessary? Otherwise we could provide access to Marketing Leads view directly to marketing profile.

    1. You can’t share a list view with a queue. In order for the list view to only be selectable by queue members, it’s best to share the list view with a group (since queue is not an option) – then add the queue to the group.

      1. Hi John,
        Not sure I follow. I set queue members equal to only the various marketing profiles. Then, I restricted visibility of the list view to “certain groups of users” sharing with only the same roles who are members of the queue. Only users in the assigned roles see the list view. Could you expand on why it’s best practice to share with a group instead of roles?
        Thanks for the great site! Taking my test today, we’ll see how it goes.
        Matt

  2. John –
    Following your navigation on step 2:
    Setup –> Manage Users –> Public Groups. New. “Marketing Queue”.
    Assign the role “SVP, Sales & Marketing”.
    Assign the role and subordinates “VP, Marketing”.
    I don’t have an option in roles for SVP, Sales & Marketing. I know I have seen it in the dev org before, but it isn’t on this list. I am logged in as the system admin.
    Any clue?

    1. My highest role for Marketing is VP of Marketing, so I had the same thought as the 1st comment from Maria Huemmer, like just creating the queue and assigning Roles + Subordinate as VP of Marketing. It worked.
      After that, I created a similar queue and the public group as John suggested and it worked as well. Change both queues to different public groups back and forth, all working. It was tricky to see the results, since I had to create a lead and change the owner to the queue, so that other members could see it. If you delete the queue or the public group, you lose the “links” (at least it happened to me). As John stated, it is a matter of preference and I liked doing without the public group, however, I will rely on John’s experience, time will tell.

  3. “Select the Sales App. Click the Leads Tab. Select the Marketing Queue list view. Edit List View. Remove any entries from Restrict Visibility if present. Add “Group: Marketing Queue” to list of Shared To. Save.” Pretty sure I am having a brain freeze, but where do I “Select the Sales App”?

    1. You want to limit access to the list view to the users that can view the records. Otherwise you could have users that could select the Marketing Queue list view, but not be able to view any records within.

      1. When I log in as a VP, Marketing user, after I did all the steps:
        1/ I couldn’t see the lead tab
        2/ I couldn’t see other profiles when I tried to assign other profiles to the account I just created. Only 1 option: Force.com- App Subscription User.
        3/ I couldn’t put the checkmark on Marketing User on the account I just created as VP, Marketing either.

        Do you have any clue?

  4. Hi John, I have assigned Marketing user profile to James Smith. I can see ‘Marketing queue’ under Leads when logged in with my account but not when logged in as James Smith?

  5. Thanks for this comprehensive explanation, but I have one suggestion: after this configuration there should be expatiation steps to test the scenario, for much better understanding of this scenario (especially for those who are learning SFDC from basics).

  6. Hi John,

    Same as above and I have removed the check from the “Enable Improved Setup User Interface” checkbox.

    How do I “Add Leads to Select Objects”?

  7. For the solution step 2) Setup –> Manage Users –> Public Groups. New. “Marketing Queue”, can’t you just assign the role “Marketing Team” since this would allow the “Marketing Team” including “SVP, Sales & Marketing” and “VP, Marketing”, to assign leads? I’ve tested it out using the various marketing roles in my sf environment and it seems to work fine, but let me know if I’m overlooking something….Thanks!

  8. Wonder if you could assist – on the edit view (step 4) Remove any entries from Restrict visibility – I can’t seem to deselect ALL options, one has to be selected. In that case, should I select “visible to certain groups of users” as we have then selected the Marketing Users public group as the shared to group? Thanks

  9. I did it differently in the beginning (not using groups) but somehow when I tried to follow the steps above, the user can’t see the list view anymore. I think somehow the James user is under the subordinate role of the SVP … so when I “Assign the role “SVP, Sales & Marketing” and Assign the role and subordinates “VP, Marketing” … nothing would come up for the list view for my James user. 🙁 But when I changed it to Roles and Subordinates of SVP Sales & Marketing it shows up for him. Is my Hierarchy below somehow different from others?

    Hierarchy: DJs Practice account » CEO » SVP, Sales & Marketing » VP, North American Sales » Director, Direct Sales » Western Sales Team <– this is James current role,

    1. Hard to tell without looking at the org – make sure to trace back where you are sharing.

      In this example, we are going from List View –> Public Group –> Queue –> User. You will need to ensure that the user is connected to the queue, the queue to the group, the group to the view, etc.

  10. I set OWD on lead to private, but then I set up a queue called ‘marketing’ with membership equal to the marketing team role. Then I entered a lead sharing rule as follows: “if the lead is owned by the marketing queue, share it with the marketing team role.” That seemed to work. Any problems with that solution?

  11. Hi John,

    This is a great exercise. I think you should note the creation of new leads will not automatically be populated in the “Marketing Queue” list until the workflow is set up, or I’m not following the solution correctly. Please confirm.

  12. John – I seem to be having the same brain lock as Kim noted above.

    “Kim Snyder September 7, 2014 at 3:33 pm #
    Everything has been quite clear up until this scenario. I can’t seem to see where you can do the second step in this sequence :
    Setup –> Manage Users –> Queues. New. “Marketing Queue”.
    Add Leads to Select Objects. (???? how)
    Add Public Group “Marketing Queue” to select members.”

    1. You may have the new setup interface turned on?

      Instructions within this guide make the assumption that the Improved Setup User Interface is disabled.

      I suggest you double-check your org settings by navigating to Setup –> Customize –> User Interface; ensure “Enable Improved Setup User Interface” is not checked.

      If you enable this feature, step-by-step instructions within scenarios and exercises will not line up correctly (as the setup navigation menus will be different).

  13. Thanks for the tip, I had marketing queue selected as the owner for the lead list view filter criteria. I changed it to unconverted.

    P.S. This is a GREAT resource for Salesforce admins!

      1. Hi John,

        I followed all the steps you outlined in the solution, correcting the many mistakes made when trying to solve on my own, and so far, so good…except I, too, don’t see any leads in the marketing queue. There is a “homemade” lead, perhaps made from an earlier exercise (I don’t recall) owned by the test user James Smith, and though James falls under the marketing group assigned to the queue, this lead still does not appear in the queue.

        You mention transferring a lead to the marketing queue itself, but I can’t find anything offering this option. When I searched help for “transfer lead to queue,” 7575 results appeared, and none at first glance were applicable to this situation.

        Suggestions?

        Many thanks for your help and for this wonderful site!

  14. I’m not sure I understand why you need to create a group. When I created my queue, I just added the Marketing Team role as a member of the queue. Wouldn’t that do it?

    1. Yes. Adding a group will allow you to reference the queue within a sharing rule.

      Otherwise you would need to add the members of the queue to the sharing rule. If the members change, you have to update it in two places.

  15. Nevermind. I was having a brain freeze and figured this one out. I think of queues as being more of a workflow issue, but since it’s affecting data visibility I see why it’s here.

  16. Everything has been quite clear up until this scenario. I can’t seem to see where you can do the second step in this sequence :
    Setup –> Manage Users –> Queues. New. “Marketing Queue”.
    Add Leads to Select Objects. (???? how)
    Add Public Group “Marketing Queue” to select members.

    Thanks.

  17. You can restrict views to be accessible to roles + subordinates, so if you grant access to the lead queue to VP Marketing + subordinates, you can do the same for the lead queue to ensure that sales does not see it. This accomplishes the scenario without needing to create a group.

    1. You could do it that way – just a matter of preference. I personally would prefer to have the group match the queue exactly (thus maintain the members in one place), but you are correct – the group is not a requirement.

      1. Would you mind explaining? By setting up a Group, then a Queue, how is that maintaining the member in one place?

        Seems like an unnecessary step? But trying to understand the logic, as questions do seem very “tricky” for no other reason than trying to trip people up.

        1. It is not a required step – you could solve this scenario without the use of a group, and that would be fine. The use of a group is a recommendation based on my experience.

          What the group allows you to do is reference the same container for both the sharing rule and to share access to the list view.

          Think of it this way- you create a queue and a list view. Both of these are shared with 2 roles (the marketing roles listed in step 2).

          Six months later, you get a request to change who has access to the queue. No problem, you go into the queue and add another role. Are you going to remember to also grant that role access to the list view? Now, extend this same scenario out to access to 5 report folders, list views on opportunities, etc. You can’t share many of these components directly through a queue, but you can through a group – and the group can reference the queue. This step is really just trying to illustrate how you can use groups to streamline those updates in the future.

          1. Great insight! Now I understand the value of creating a group to maintain sanity 🙂

            I did accomplish the above, after getting a clue from the solution that I needed to change the Lead permission to Private :(, and without creating a group.
