Tutorial: How to restrict CSMs to only see the accounts they're assigned to

  • 14 July 2021
  • 3 replies
  • 75 views

Userlevel 7
Badge +1

A recent common use case we’re seeing is customers who need to be able to restrict permissions for certain users. An example would be only allowing a CSM to view the accounts he or she is assigned to. This is especially relevant for customers who operate in the public sector or any industry with strict security regulations.

There are a few different parts of the product that need to be set up to accomplish this use case in Gainsight. I hope this document can serve as a comprehensive guide, but here is some relevant documentation to reference as well:

 


Step 1: Identify your user group
 

  1. Determine which of your users need to have this permission restriction applied. If it’s all CSMs (like in my video tutorial below in Step 2), then this step will be fairly easy. 

  2. However, if your use case is more nuanced (perhaps only a certain segment of your CSMs need this restriction), then you’ll need a custom field on the User object (Administration > Data Management > User) that marks the person as such so that you can reference that field in Administration > Data Permissions > User Attributes

  3. You may have to maintain this field manually, but hopefully you can keep it updated via a rule.
     

Step 2: Set up your sharing group, using the user attribute(s) you just populated
 

  1. Once you have your criteria set, you’ll navigate to Administration > Data Permissions.

  2. Click on the Sharing Groups tab.

  3. Either add a new sharing group, or edit an existing one to populate the list of users who need the permission restriction. Below is an example: 


 

Step 3: Set your rule in Data Permissions

 

  1. Once your user group is set, you’ll stay in Administration > Data Permissions but slide over to the Resources tab. 

  2. Here you’ll see there are plenty of objects to apply permissions to. The important one in this case is Company. Click edit on Company once you scroll to it. 

  3. When here, expand the “Permissions attributes” section to make sure everything on the Company object that you might want available for your rule is populated. 

  4. Now that step 3 is done, you’ll unselect Everyone gets READ/WRITE access and instead select Conditional READ/WRITE access. Here is where you write your rule with the following suggested logic (again, you may need to tweak this depending on your exact use case: User Group = CSMs and CSM = GSID (of logged in user). See below screenshot and video tutorial for more detail. 

 

 

 

Other notes: 

 

  • With rare exceptions, you’ll want to select no for if you want to apply permissions to lookups if you get that popup. I ran into this issue in my (admittedly messy) demo org when setting this up. In “permissions attributes” (see screenshot below), the Company object had some attributes that were bringing in weird lookups that superseded the permissions I was trying to implement.

 

 


3 replies

Userlevel 6
Badge +1

@spencer_engel thanks for writing this, I have a question related to the permissions I’m hoping you can help with.

 

We have a subset of users (who we can identify based on their email domain) for who we want to limit which companies they have access to (again we can identity based on a field), everyone else should see everything. 

How do we set that up?  Do the permissions work like a case expression, where if they don’t fulfil the criteria they get defaulted to full read/write? 

I saw in your video that as a super-admin you can still see everything, but not sure if the same happens for non super-admins. 

Userlevel 7
Badge +1

@spencer_engel thanks for writing this, I have a question related to the permissions I’m hoping you can help with.

 

We have a subset of users (who we can identify based on their email domain) for who we want to limit which companies they have access to (again we can identity based on a field), everyone else should see everything. 

How do we set that up?  Do the permissions work like a case expression, where if they don’t fulfil the criteria they get defaulted to full read/write? 

I saw in your video that as a super-admin you can still see everything, but not sure if they same happens for non super-admins. 

Good question. Yes, your other users that aren’t explicitly referred to in your rule(s) will be defaulted to full read/write.

 

And if you need slightly different rules for different user groups, you can create additional rules for them. See my below screenshot for an example where I built an additional rule for Account Managers.

 

 

Userlevel 6
Badge +1

@spencer_engel so I just tested this, I created a rule for specific users;

and logged in with my personal email (just a gmail account) and couldn’t see any accounts :slight_frown:

Reply