[box type=”note” align=”” class=”” width=””]The following excerpt is taken from the book Learning Einstein Analytics written by Santosh Chitalkar. This book includes techniques to build effective dashboards and Business Intelligence metrics to gain useful insights from data.[/box]
Before getting into security in Einstein Analytics, it is important to set up your organization, define user types so that it is available to use. In this article we explore key aspects of security in Einstein Analytics.
The following are key points to consider for data security in Salesforce:
- Salesforce admins can restrict access to data by setting up field-level security and object-level security in Salesforce. These settings prevent data flow from loading sensitive Salesforce data into a dataset.
- Dataset owners can restrict data access by using row-level security.
- Analytics supports security predicates, a robust row-level security feature that enables you to model many different types of access control on datasets.
- Analytics also supports sharing inheritance.
Take a look at the following diagram:
Salesforce data security
In Einstein Analytics, dataflows bring the data to the Analytics Cloud from Salesforce. It is important that Einstein Analytics has all the necessary permissions and access to objects as well as fields. If an object or a field is not accessible to Einstein then the data flow fails and it cannot extract data from Salesforce. So we need to make sure that the required access is given to the integration user and security user. We can configure the permission set for these users. Let’s configure permissions for an integration user by performing the following steps:
- Switch to classic mode and enter Profiles in the Quick Find / Search… box
- Select and clone the Analytics Cloud Integration User profile and Analytics Cloud Security User profile for the integration user and security user respectively:
- Save the cloned profiles and then edit them
- Set the permission to Read for all objects and fields
- Save the profile and assign it to users
Take a look at the following diagram:
Data pulled from Salesforce can be made secure from both sides: Salesforce as well as Einstein Analytics. It is important to understand that Salesforce and Einstein Analytics are two independent databases. So, a user security setting given to Einstein will not affect the data in Salesforce. There are the following ways to secure data pulled from Salesforce:
| Salesforce Security | Einstein Analytics Security |
| Roles and profiles | Inheritance security |
| Organization-Wide Defaults (OWD) and record ownership | Security predicates |
| Sharing rules | Application-level security |
Sharing mechanism in Einstein
All Analytics users start off with Viewer access to the default Shared App that’s available out-of-the-box; administrators can change this default setting to restrict or extend access. All other applications created by individual users are private, by default; the application owner and administrators have Manager access and can extend access to other Users, groups, or roles. The following diagram shows how the sharing mechanism works in Einstein Analytics:
Here’s a summary of what users can do with Viewer, Editor, and Manager access:
| Action / Access level | Viewer | Editor | Manager |
| View dashboards, lenses, and datasets in the application. If the underlying dataset is in a different application than a lens or dashboard, the user must have access to both applications to view the lens or dashboard. | Yes | Yes | Yes |
| See who has access to the application. | Yes | Yes | Yes |
| Save contents of the application to another application that the user has Editor or Manager access to. | Yes | Yes | Yes |
| Save changes to existing dashboards, lenses, and datasets in the application (saving dashboards requires the appropriate permission set license and permission). | Yes | Yes | |
| Change the application’s sharing settings. | Yes | ||
| Rename the application. | Yes | ||
| Delete the application. | Yes |
Confidentiality, integrity, and availability together are referred to as the CIA Triad and it is designed to help organizations decide what security policies to implement within the organization. Salesforce knows that keeping information private and restricting access by unauthorized users is essential for business. By sharing the application, we can share a lens, dashboard, and dataset all together with one click. To share the entire application, do the following:
- Go to your Einstein Analytics and then to Analytics Studio
- Click on the APPS tab and then the icon for your application that you want to share, as shown in the following screenshot:
3. Click on Share and it will open a new popup window, as shown in the following screenshot:
Using this window, you can share the application with an individual user, a group of users, or a particular role.
- You can define the access level as Viewer, Editor, or Manager
- After selecting User, click on the user you wish to add and click on Add
- Save and then close the popup
And that’s it. It’s done.
Mass-sharing the application
Sometimes, we are required to share the application with a wide audience:
- There are multiple approaches to mass-sharing the Wave application such as by role or by username
- In Salesforce classic UI, navigate to Setup|Public Groups | New
- For example, to share a sales application, label a public group as Analytics_Sales_Group
- Search and add users to a group by Role, Roles and Subordinates, or by Users (username):
5. Search for the Analytics_Sales public group
6. Add the Viewer option as shown in the following screenshot:
7. Click on Save
Protecting data from breaches, theft, or from any unauthorized user is very important. And we saw that Einstein Analytics provides the necessary tools to ensure the data is secure.
If you found this excerpt useful and want to know more about securing your analytics in Einstein, make sure to check out this book Learning Einstein Analytics.
