Appendix III: Permissions

Note:

2023 Release 1: Streamlined Permissions in Production Orgs

For Salesforce users who are interacting with standard Salesforce objects such as Contacts, Tasks, Events, Accounts, etc., ERX Core functionality will only be triggered when an ERX Core license is assigned, thus permissions no longer need to be assigned to an object like Package Configuration.

This does not apply to sandbox environments, since no ERX Core license is assigned. If you are upgrading in a sandbox, you must continue to follow the steps below for any affected profile.

Please see the Enforce CoreRx User Checkbox section (below) for additional details.

CoreRx GuestUser Access

In 2023 Release 2, a new Permission Set called CoreRx GuestUser Access has been added. This includes the minimum requirements for your Site Guest Users to access ERX Core functionality without additional configuration.

Enforce CoreRx User Checkbox

Important:
In sandbox orgs with 2023 Release 1 installed, this checkbox should always be left unchecked to avoid errors.
In ERX Core 2023 Release 1, we added a checkbox in Custom Settings labeled "Enforce CoreRx User."
Tip:
Go to Setup > Custom Settings and click the Manage button next to the Function Switches setting. On the Function Switches screen, click the Edit button. Scroll down for the Enforce CoreRx User checkbox.
When checked, this setting enables automated contact-level permissions for ERX Core licensed users and also means that you will not have to set any permissions for non-ERX Core licensed users for access to ERX Core objects.

This automation should only be enabled for the following users:

  1. ERX Core Licensed Users
  2. Site Guest Users (with sufficient permissions)
  3. Community Users (with sufficient permissions)
  4. Reader Rx Licensed Users (seat licensed)
  5. (Import Rx Licensed Users will always have an ERX Core license.)

Permissions

A. Give Contact record users Read access to these objects and their fields

If Enrollment Rx Core Release 1 2023 is not installed, all users (of any license type) who update Contact records need read access on all of the fields of these objects and a custom setting.

Edit the profiles (including profiles of site guest users) who need to update Contact records, and for each profile:

  • Enable the custom setting definition called “Enrollment Rx: Enrollment Rx Core.EnrollmentrxRx.Erx Fields Sync Settings”. Upon selecting the profile and scrolling to the section called Custom Settings Definition (or Enable Custom Setting Definitions Access), select Edit and under the Available Custom Settings Definition window, find “Enrollment Rx: Enrollment Rx Core.EnrollmentrxRx.Erx Fields Sync Settings” to move to the window Enabled Custom Setting Definition
  • Under “Object Settings” grant ‘Read’ object access to the following objects, and
  • Also under “Field Settings” grant "Read" Field Permission on all of the fields of the following objects

The objects

  • Application Requirement Set (EnrollmentrxRx__Application_Requirement_Set__c)
  • Package Configuration (EnrollmentrxRx__Package_Configuration__c)
  • Touch Point (EnrollmentrxRx__Touch_Point__c)
  • Touchpoint Configuration (EnrollmentrxRx__Touch_Point_Configuration__c)
  • Touchpoint Configuration Sets (EnrollmentrxRx__Touch_Point_Configuration_Set__c)

B. Check your Site Guest User profiles to make sure all the records of the above objects are shared with each guest user

For each of the above objects, make sure there is (or create) a sharing rule for each Site Guest User Profile that shares the object’s records with that profile.

  1. Go to Setup > Sites and click the site label, like this:

  2. Then click the button “Public Access Settings” to open the Profile of the Site Guest User:

  3. Write down the site guest user profile’s name:

  4. Go to Setup > Sharing Settings and select the name of the object from the dropdown labeled “Manage sharing settings for:” for example, the first of our objects listed above, “Application Requirement Set”:

  5. Under the heading “Sharing Rules”, check for the existence of a sharing rule configured as follows and if it does not exist, then create it by clicking the “New” button and configure a rule by:
    1. Giving it a name (Step 1) and
    2. Setting type to “Guest user access based on criteria” (Step 2)
    3. Setting the criteria to “Owner ID not equal to null”, (Step 3), and
    4. Sharing the records with the Site Guest User Profile whose name you noted in item 1, above (Step 4), like this:


C. Create/update entries in the Admin Panel’s “Allow Object Access” function (if you use Sites to trigger ERx Core functions)

As of Salesforce’s Spring 21 release, Salesforce limits the ability of Site Guest Users: they can Create and Read records, but cannot Update or Delete any records of any object.

ERX Core is built to support these security measures, but also to allow your sites to continue to trigger Core functions which, in turn, update records.

ERX Core functions that update records include: Lead Convert, Create Application, Field Sync, Touchpoint Creation, Documents Missing/Percent Complete, and Assignment Manager.

You may have a site that triggers these functions, such as:

  1. FormBuilder Community Site (for portal registration)
  2. FormBuilder Sites, for submitting Recommendations and Requesting Information
  3. Events Rx Registration site

If so, then you must use the “Allow Object Access” feature of ERx Core in order to keep such sites working.

We have built the “Allow Object Access” functionality to allow ERx Core to update records when a site form is submitted. (In our FormBuilder product we offer similar functionality to allow FormBuilder site forms to update records.) Since the Summer 20 release, we give you control over which sites get access to specific objects. In our 2019 and 2020 releases, you were required to type the API names of objects (and in some cases fields) into a custom setting; in Winter 2021, we give you a familiar point and click user interface (“UI”) that updates the custom setting behind the scenes. You will find the new UI in the Admin Panel, under “Allow Object Access.”

For any Site that triggers ERX Core to update any record (directly or indirectly), you must make sure that you have a correctly configured entry for that Site in "Allow Object Access." Instructions are available in Allow Object Access. These instructions are located in the User Manual section of the Core guide. Click the Back button to return to the Release Notes, or use the Release Notes dropdown menu at the top of the page.