This blog post discusses setting up a security predicate for a dataset created from a CSV file. By default, when you load a CSV file to create a new dataset, the security predicate is empty, which means everyone who has access to the dataset can see all of its rows.
You can build a security predicate even when the CSV file did not originally come from Salesforce, as long as there is an identifier that links the CSV data to Salesforce data. The security predicate is built after the dataset has been created in Einstein Analytics.
<dataset column> <operator> <value>
'UserId' == "$User.Id"
- UserId is the API name of the dataset column
- == is the operator
- $User.Id is the Id of the Salesforce user who opens the dashboard or lens
Look at the basic syntax above again: if you change it to "$User.Id" == 'UserId', the expression becomes invalid and is rejected by the system. Even though the values are the same, a security predicate must always start with the dataset column, never the other way round.
You can use and/or logic (&& and ||) in the security predicate:
('Expected_Revenue' > 4000 || 'Stage Name' == "Closed Won") && 'isDeleted' != "False"
Consider the following requirements for the predicate expression:
- The expression is case-sensitive.
- The expression cannot exceed 1,000 characters.
- There must be at least one space between the dataset column and the operator, between the operator and the value, and before and after logical operators. This expression is not valid: 'Revenue'>100. It must have spaces like this: 'Revenue' > 100.
- String and numeric values are supported, but not Boolean values.
- If you use custom fields on the User object, make sure the Insights Security User has read permission on those custom fields.
How to create exceptions?
This means a group of Salesforce users should not be restricted by the security predicate. One simple idea is to add a unique value, such as a User Role Id, a User Profile Id, or a custom field from the User object, both to the dataset security predicate and to the data itself.
Scenario: all users with Profile = Executive are allowed to see all data; everyone else sees only the rows whose Territory matches their own. In this scenario, Territory is a custom field on the User object that is also available in the dataset.
1. Get the Profile Id of the Executive profile.
2. Add the Profile Id from (1) as a column to every row in the CSV file before loading it to Einstein Analytics.
3. Load the CSV file to Einstein Analytics.
4. Edit the dataset that was created and define the security predicate as follows:
'Territory' == "$User.Territory__c" || 'Executive_ProfileId' == "$User.ProfileId"
The first part, 'Territory' == "$User.Territory__c", allows users to see only the rows where Territory in the dataset matches the Territory defined on their User record.
The second part, 'Executive_ProfileId' == "$User.ProfileId", allows all users with the Executive profile to see all data, which is why the two parts are joined with or logic (||).
Using the same method you can add a Role as an exception too: just add another column and fill the Role Id into every row. However, if you need more than one profile or role, you have to keep duplicating columns in the CSV file and chain them with ||, e.g. 'Territory' == "$User.Territory__c" || 'Executive_ProfileId' == "$User.ProfileId" || 'Strategy_ProfileId' == "$User.ProfileId". I know this is not a pretty solution, but it works.
You define the dataset security predicate by editing the dataset and entering a valid Security Predicate.
The system checks the predicate and rejects it if the syntax is invalid, such as "$User.Id" == 'UserId' (wrong order), or if the referenced value does not exist, such as 'UserId' == "$User.Field__c" (Field__c does not exist on the User object). However, the system does not validate, and will not reject, a column name that does not exist, such as 'UserField' == "$User.Id" (UserField is not a column in the dataset).
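Because the platform catches the wrong-order and unknown-$User-field cases but not a misspelled dataset column, it is worth linting a predicate yourself before uploading. The following Python lint is an added example, not code from the original post or from Salesforce: it applies the requirements listed above (column first, spaces around operators, the 1,000-character limit, $User fields that exist) and additionally checks every column against the CSV header. The dataset columns, User fields and the profile-based predicate are constructed sample values.

```python
import re

TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|(\d+(?:\.\d+)?)|(==|!=|>=|<=|>|<)|(\|\||&&)|([()])""")
KINDS = ("col", "val", "num", "op", "logic")  # group 6, a parenthesis, uses its own text as kind
# which token kind may follow which (state "start" is the beginning of the predicate)
NEXT = {"start": {"col", "("}, "col": {"op"}, "op": {"val", "num"}, "val": {"logic", ")"},
        "num": {"logic", ")"}, "logic": {"col", "("}, "(": {"col", "("}, ")": {"logic", ")"}}

def tokenize(pred):
    if len(pred) > 1000:
        raise ValueError("predicate exceeds 1,000 characters")
    if TOKEN.sub("", pred).strip():
        raise ValueError(f"unrecognised text {TOKEN.sub('', pred).strip()!r}")
    toks, end = [], 0
    for m in TOKEN.finditer(pred):
        kind = m.group(0) if m.lastindex == 6 else KINDS[m.lastindex - 1]
        # a space is required between column, operator and value, and around && / ||
        if toks and end == m.start() and not {kind, toks[-1][0]} & {"(", ")"}:
            raise ValueError(f"missing space before {m.group(0)!r}")
        toks.append((kind, m.group(m.lastindex)))
        end = m.end()
    return toks

def lint_predicate(pred, dataset_columns, user_fields):
    """Return the problems found; an empty list means the predicate passes every check."""
    try:
        toks = tokenize(pred)
    except ValueError as err:
        return [str(err)]
    problems, state, depth = [], "start", 0
    for kind, text in toks:
        if kind not in NEXT[state]:
            why = "the dataset column must come first" if state == "start" else f"after {state}"
            return problems + [f"unexpected {text!r}: {why}"]
        state, depth = kind, depth + {"(": 1, ")": -1}.get(kind, 0)
        if depth < 0:
            return problems + ["closing parenthesis without a matching opening one"]
        # the platform does not reject an unknown column, so this is the check to do yourself
        if kind == "col" and text not in dataset_columns:
            problems.append(f"column {text!r} is not in the dataset (names are case-sensitive)")
        elif kind == "val" and text.startswith("$User.") and text[6:] not in user_fields:
            problems.append(f"{text[6:]} does not exist on the User object")
    if state not in ("val", "num", ")") or depth:
        problems.append("predicate is incomplete or has an unclosed parenthesis")
    return problems

# constructed sample: the uploaded CSV's header and the User fields a predicate may reference
DATASET_COLUMNS = {"Territory", "Executive_ProfileId", "Expected_Revenue", "Stage Name", "isDeleted"}
USER_FIELDS = {"Id", "ProfileId", "UserRoleId", "Territory__c"}
PREDICATE = "'Territory' == \"$User.Territory__c\" || 'Executive_ProfileId' == \"$User.ProfileId\""
```

Call lint_predicate(PREDICATE, DATASET_COLUMNS, USER_FIELDS) with your own CSV header and User field list; an empty result means the predicate is safe to paste into the dataset.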
1. If you replace the data of an existing dataset, the security predicate you defined stays in place, including when you restore a previous version of the dataset. The same applies if you change the Security Predicate value in the dataflow register node: the predicate on the regenerated dataset does not change, so you need to update it manually in the dataset.
2. The <dataset column> in <dataset column> <operator> <value> can be a multi-value column, for example: 'AccountTeam.UserId' == "$User.Id"
Here AccountTeam.UserId is a multi-value lookup result produced by an augment node (from User to Account Team). This security predicate lets any user who is in the Account Team see the dataset rows.