Company admins can configure access policies that cascade to linked objects. You can centrally administer your user groups, including partner users, at the partner program or plan level and be assured that the right access is granted across all objects in the purview of that program/plan.
Via these access policies, you can grant:
- Access to Solutions, Plans and Partner Profiles based on the user’s access to the linked Partner Program
- Access to Activities based on the user’s access to the linked Marketing Plans
- Access to Opportunities based on the user’s access to the linked Sales Plans, Solutions, Account and Partner Program (only if opportunities are directly linked to programs)
If the user is withdrawn from the linked object or the user’s access is updated on the linked object, the access granted by the policy is also automatically revoked or updated.
Users can still be directly invited or added to each object. Each object can have both members that were automatically added by these policies and also members directly added by other users.
Create / Edit Access Policies
Access policies can be configured by users with a Company Admin role. From your Company settings, go to Policies: Object Access Policies.
To configure an access policy:
- Enter a name for the policy
- Select the object that the policy will grant access to (e.g. Opportunities), for the members of the linked object (e.g. Sales Plans).
  - In this scenario, members of Sales Plans will automatically be granted access to Opportunities added to the Sales Plans.
- Specify the scope of the policy, i.e. the linked objects that the policy applies to.
  - You can configure a generic access policy for all of the linked objects, e.g. members of all Sales Plans must be granted the same access on Opportunities. Simply select the option "Select all Sales Plans across my company".
  - You can also create a policy specific to one or multiple linked objects, e.g. select specific sales plans for this policy. For the selected sales plans, this policy will override any generic access policy.
- Configure the access rules. You define the access to be granted, based on the user’s access on the linked object.
  - For example, define a rule that every Sales Plan member with Owner access is granted Collaborator access on opportunities linked to that sales plan.
  - You can associate multiple conditions, based on the access that the user has on the linked object.
Activate / Deactivate Access Policy
When a policy is created, it is set to a Draft status and can be activated at any time. Once a policy is activated, it gets applied to all the linked objects and gives access to the users based on their access to the parent object.
An active policy can be deactivated at any time. As soon as it is deactivated, all access granted by that policy is removed immediately. A deactivated policy can be re-activated at any time. Once activated, it will again grant access based on the access rules in the policy.
Resolving Access Policy Conflicts
A user may be granted automatic access to the same object via multiple access policies. When this occurs, the user is granted the highest access level permitted from amongst the policies.
- Kerri is a Participant on a sales plan. Based on a sales plan access policy, she should get Participant access on all opportunities in that sales plan.
- Kerri is also Owner of a solution. Based on a solution access policy, she should get Collaborator level access on all opportunities linked to the solution.
- If an opportunity is linked to both the sales plan and the solution, she is granted Collaborator access on that opportunity. Collaborator is a higher access level than Participant.
A user can also be directly invited at a higher access level than the access granted by the policy. However, you cannot manually remove the user added by the policy or downgrade the access granted by the policy.
- John is a Viewer on a Sales Plan. Based on an access policy, John is automatically granted Participant access on all the opportunities linked to that Plan.
- John is actively working on specific opportunities in that Plan. John is added with Collaborator access to an Opportunity and once John accepts the invite, his access is upgraded from Participant (from the policy) to Collaborator (from the direct invite).
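When auditing who can reach an opportunity, it helps to model the resolution rules above. The following is an added example, not the product's own code or API: the data shapes, names and sample records are constructed, and the ordering Viewer < Participant < Collaborator < Owner is an assumption (the page states only that Collaborator is higher than Participant). All policies in the sample are taken to grant access on Opportunities.

```python
# Assumed ordering, lowest to highest. The page states only that
# Collaborator outranks Participant; the rest is an assumption.
RANK = {"Viewer": 0, "Participant": 1, "Collaborator": 2, "Owner": 3}

def pick_policy(policies, linked_type, linked_id):
    """Return the active policy for one linked object; specific scope beats generic."""
    active = [p for p in policies
              if p["status"] == "Active" and p["linked_type"] == linked_type]
    for p in active:
        if p["scope"] is not None and linked_id in p["scope"]:
            return p
    return next((p for p in active if p["scope"] is None), None)

def effective_access(user, opp, memberships, policies, invites):
    """Highest level among policy grants and any direct invite, with its source."""
    grants = []
    for linked_type, linked_id in opp["links"]:
        held = memberships.get((user, linked_type, linked_id))
        policy = pick_policy(policies, linked_type, linked_id)
        if held and policy and held in policy["rules"]:
            grants.append((policy["rules"][held], policy["name"]))
    if (user, opp["id"]) in invites:
        grants.append((invites[(user, opp["id"])], "direct invite"))
    return max(grants, key=lambda g: RANK[g[0]], default=None)

# Constructed sample data mirroring the Kerri and John scenarios.
# scope=None stands for the generic "all linked objects" policy.
POLICIES = [
    {"name": "plan-policy", "status": "Active", "linked_type": "SalesPlan",
     "scope": None, "rules": {"Participant": "Participant", "Viewer": "Participant"}},
    {"name": "solution-policy", "status": "Active", "linked_type": "Solution",
     "scope": None, "rules": {"Owner": "Collaborator"}},
]
MEMBERSHIPS = {
    ("kerri", "SalesPlan", "SP1"): "Participant",
    ("kerri", "Solution", "SOL1"): "Owner",
    ("john", "SalesPlan", "SP1"): "Viewer",
}
OPP_BOTH = {"id": "OPP1", "links": [("SalesPlan", "SP1"), ("Solution", "SOL1")]}
OPP_PLAN = {"id": "OPP2", "links": [("SalesPlan", "SP1")]}
INVITES = {("john", "OPP2"): "Collaborator"}

if __name__ == "__main__":
    for user, opp in [("kerri", OPP_BOTH), ("john", OPP_PLAN), ("john", OPP_BOTH)]:
        print(user, opp["id"], effective_access(user, opp, MEMBERSHIPS, POLICIES, INVITES))
```

Returning the source alongside the level shows which grants would disappear if a policy were deactivated and which would remain because they come from a direct invite.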
To avoid conflicting access policies on the same object, only one policy can be created for a specific linked object, and only the owner company of the linked object can specify the policy. For example, a Sales Plan called "NA Sales" is owned by two companies, Company A and Company B. Company A creates an access policy giving access to the linked Opportunities based on the membership of "NA Sales". After this policy is activated, if the admin of Company B tries to create a policy that also gives access to the linked Opportunities based on the membership of "NA Sales", the system will return an error. Because a policy created on an object applies to all the members of the object, Company A’s policy also gives Company B users access to the linked opportunities.
In other words, when there are two or more co-owner companies on the same object, then only one of the owner companies can create an access policy for that sales plan.