Access Control

From the administration console's "Security > Access Control" menu, you can configure what operations are allowed for the permissions created on the permissions page.

To use the pages under the administration console's access control menu, the logged-in user must be a Salesforce administrator or be granted the "Modify Metadata Via Metadata API Functions" permission.

Operation Permission Settings

On the access control page, you can configure operations allowed on Mashmatrix Sheet based on the given permissions.

  • [A] Permission - Select the target permission from the dropdown. The "(Organization Default)" permission is always listed. This permission is implicitly assigned to all users of the Mashmatrix Sheet application, so the operations you allow for it determine the baseline set of operations available to every Mashmatrix Sheet user.

  • [B] Globally Allowed Operations - Select operations allowed for the selected permission. If object-level access control described below is not enabled, these operation permission settings apply to records of all objects displayed in sheets. Even if object-level access control is enabled, operations not allowed by these operation permission settings will not be allowed for any object.

  • [C] Operation Details Settings - Displays a dialog to specify detailed settings (limits) for allowed operations. In the dialog, you can specify the upper limit of the number of records that can be processed in one operation for each operation (default is no limit). Operations with upper limits set will have the message "(Limit: N records)" added next to the label. For details on the settings, refer to "Setting Limits to Allowed Operations".

  • [D] In-Sheet Data Access Control - Configure access control for data stored in data columns added to sheets and data stored in scratch data sheets.

    • If "View In-Sheet Data" is not checked, data will not be displayed in data columns. Also, data will not be displayed in scratch data sheets.

    • If "Update In-Sheet Data" is not checked, data in data columns cannot be changed. Also, data in scratch data sheets cannot be created, edited, or deleted.

  • [E] Object-Level Access Control - Set whether to enable object-level access control for the selected permission. When object-level access control is enabled, you can explicitly specify objects that can be referenced and set operation permissions individually for each object.

When object-level access control is disabled, users with that permission can reference in sheets every object they can access on Salesforce. If you do not want to allow access to any objects, enable object-level access control and do not select any object for reference.

Object Access Settings

When object-level access control is set to enabled, you can specify objects that can be referenced by the given permission and further set possible operations for each object.

To make an object accessible to the given permission, select its reference checkbox in the object list table. Then select the checkboxes for the operations you want to allow on that object.

Checkboxes are disabled, and the operation cannot be allowed, for operations that are not allowed in the global operation permission settings for the given permission or that are not permitted on the Salesforce object itself.

Setting Limits to Allowed Operations

Operations allowed in operation permission settings have no upper limit on the number of target records by default. You can set upper limits for the number of records that can be processed in one operation for each allowed operation.

In global operation permission settings, click the "Operation Details Settings..." link, or in object access settings, select "Edit Operation Details Settings" from the menu at the right end of the target object row to display the dialog for setting upper limits.

In the operation details settings dialog, you can specify "No limit" or an upper limit value for each allowed operation. Upper limit values must be positive integers.

Field-Level Access Control

When object-level access control is enabled, you can enable field-level access control for each object to specify fields that can be referenced by the given permission and further set whether update operations are allowed or not for each field.

To enable field-level access control, select "Edit Field-Level Access Settings" from the menu at the right end of the target object row in the object list table. A dialog will be displayed where you can toggle field-level access control on/off. When field-level access control is enabled, you can set fields that can be referenced and whether update operations are allowed or not.

When field-level access control is disabled, all fields accessible on Salesforce can be referenced in sheets as well.

Object ID fields are always accessible, regardless of whether reference is allowed for them in the field-level settings.

Effects of Permission-Based Access Control

By configuring permission-based access control, the following effects are achieved when using the Mashmatrix Sheet application:

  • Restrict operations such as record creation, deletion, update, and download on a per-user basis without depending on sheet operation permission settings

  • When access to a sheet's object is not permitted, do not display data in that sheet (display an error during loading)

  • When access to a column's field is not permitted, do not display data in that column (display as blank)

  • When update operations are not permitted for a sheet's object, make those records uneditable

  • When update operations are not permitted for a column's field, make cells in that column uneditable

  • (By enabling object-level access control) Pre-filter and display object candidates shown in the dialog when creating sheets

  • (By enabling field-level access control) Pre-filter and display field candidates shown in the dialog when adding columns to sheets

Operation Permission Determination Rules

When a user displays a sheet in Mashmatrix Sheet, the permission/denial determination for each operation in the sheet is evaluated through the following steps:

  1. Salesforce access permission settings for objects displayed in the sheet (read, create, update, delete)

  2. Global operation permission settings configured in the administration console (create, update, delete, download, bulk copy)

  3. (When object-level access control is enabled) Object operation permission settings configured in the administration console (read, create, update, delete, download, bulk copy)

  4. Operation permission settings in the displayed sheet configuration (create, update, delete, download, bulk copy)

When operations are permitted with upper limits set, the most restrictive setting is selected when evaluating each step. The restrictiveness of operation restrictions can be compared in the following order:

From more freedom (1) to more restrictive (4):

  1. Operation Allowed (No Limit)

  2. Limit Set (Higher Number)

  3. Limit Set (Lower Number)

  4. Operation Not Allowed

Additionally, access permission/denial determination for columns is evaluated through the following steps:

  1. Salesforce access permission settings for fields displayed in the column (read, update)

  2. (When field-level access control is enabled) Field access permission settings configured in the administration console (read, update)

  3. Operation permission settings in the displayed column configuration (update)

For operations in the Mashmatrix Sheet application to be enabled, the operation must be permitted in all applicable steps, and when limits are set, the number of target records must be within the limit.

Examples of Operation Permission Determination

The diagrams below show how access control settings are reflected in actual sheet behavior.

When Object-Level Access Control is Disabled

When Object-Level and Field-Level Access Control are Enabled

When Operation Permissions Have Upper Limits Set

Mashmatrix Sheet's access control settings cannot grant access to Salesforce objects and fields that are not permitted by Salesforce settings. They can only restrict, within the Mashmatrix Sheet application, operations on objects and fields to which Salesforce already permits access.

The "bulk copy to clipboard" operation applies only to copy operations where the number of records equals or exceeds the threshold specified as "Record num to require bulk-copy operation permission" on the administration console's organization configuration page. Copy operations up to this threshold are therefore always permitted, regardless of the operation permission and upper limit settings in sheets or on the administration console's access control page.

Behavior When Multiple Permissions are Assigned

When multiple Mashmatrix Sheet permissions (including the "(Organization Default)" permission) are assigned to a user, if an operation is permitted in any of the permission settings, that operation will function as permitted.

When operations are permitted with upper limits set, the most permissive setting is selected from all assigned permission operation settings. For the permissiveness of operations, refer to the comparison table in "Operation Permission Determination Rules".
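The two rules above (most restrictive across the determination steps, most permissive across assigned permissions) can be checked with a small model. This is an added example, not Mashmatrix code: the data layout, function names and sample values are hypothetical, and it covers only operations that all four steps list (create, update, delete). It assumes each permission's global and object settings are combined first, and the most permissive result across permissions is then compared with the Salesforce and sheet settings.

```python
import math

DENIED = 0           # "Operation Not Allowed"
NO_LIMIT = math.inf  # "Operation Allowed (No Limit)"
# A positive integer N encodes "Limit Set (N records)". With this encoding,
# min() selects the most restrictive setting and max() the most permissive.

def permission_setting(perm, obj, op):
    """Steps 2-3 for one permission: the global setting, narrowed by the
    per-object setting when object-level access control is enabled."""
    setting = perm["global"].get(op, DENIED)
    if perm["object_level"]:
        # An object that is not listed is not selectable for reference.
        setting = min(setting, perm["objects"].get(obj, {}).get(op, DENIED))
    return setting

def effective_setting(salesforce, permissions, sheet, obj, op):
    """Most permissive across assigned permissions (assumed combination),
    then most restrictive across Salesforce (step 1), the administration
    console (steps 2-3) and the sheet configuration (step 4)."""
    console = max(permission_setting(p, obj, op) for p in permissions)
    sf = salesforce.get(obj, {}).get(op, DENIED)
    return min(sf, console, sheet.get(op, DENIED))

def is_allowed(setting, record_count):
    """Allowed only if permitted and the record count is within the limit."""
    return setting != DENIED and record_count <= setting

# Constructed sample configuration (not taken from the page).
SALESFORCE = {"Account": {"update": NO_LIMIT, "delete": NO_LIMIT},
              "Contact": {"update": NO_LIMIT}}
ORG_DEFAULT = {"global": {"update": 100}, "object_level": False}
PERMISSION_A = {"global": {"update": NO_LIMIT, "delete": 50},
                "object_level": True,
                "objects": {"Account": {"update": 500, "delete": 10}}}
SHEET = {"update": 200, "delete": NO_LIMIT}

if __name__ == "__main__":
    assigned = [ORG_DEFAULT, PERMISSION_A]
    for obj, op in [("Account", "update"), ("Account", "delete"),
                    ("Contact", "update")]:
        s = effective_setting(SALESFORCE, assigned, SHEET, obj, op)
        print(obj, op, "denied" if s == DENIED else f"limit {s}")
```

In this sample, Permission A raises the Account update limit above the organization default, but the sheet's own limit of 200 still caps it. For Contact, which Permission A does not list, only the organization default applies.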

The diagrams below show how permission-specific operation permissions for an object are reflected as actual operation permissions when multiple permissions are assigned to a user.

When Only One Permission (Organization Default) is Assigned

When Two Permissions (Organization Default, Permission A) are Assigned

When Three Permissions (Organization Default, Permission A, Permission B) are Assigned

When Operation Permissions Have Upper Limits Set
