Prerequisites

When you configure the Salesforce Connector, you create an XML file (see The DocumentsXML File) that specifies what information to retrieve from Salesforce. To enable mapped security, this file must meet some additional requirements.

Each document element that you include in the documents.xml file must have a basetype that is one of the following:

  • The Folder object type.
  • The Organization object type.
  • The User object type.
  • A securable object type.

    TIP: To obtain a list of these types, run the synchronize fetch action without the documents.xml file. The connector will connect to Salesforce and generate a documents.xml file that contains all of the document types that are available. Securable object types are listed under the SobjectType field of ObjectPermissions.

Unless the document basetype meets this requirement, the document element must also have a parentIdField attribute. The value of this attribute must be the name of the field that contains the reference of the parent object. The connector can then find the parent object, and find a parent securable object type (as defined above), possibly through a chain of other objects.

You can add the parentIdField attribute to a document where the basetype is a securable object. This indicates that there is a securable object chain that must be respected in the object's access control list.

Examples

In the following example, basetype="Lead" is a securable object type:

   <document basetype="Lead">
      <field name="Lead_*" query="*" />
   </document>

In the following example:

  • basetype="Document" is a securable object type.
  • The attribute parentIdField="FolderId" indicates that the connector can find the reference of the parent object in a field named FolderId. The connector must follow this reference and respect the permissions set on the parent object when it generates an ACL for the document.

   <document basetype="Document" parentIdField="FolderId">
      <file query="Body" />
      <field name="Document_*" query="*" />
      <field name="Document_Author_Manager_*" query="Author.Manager.*" />
      <field name="Document_CreatedBy_*" query="CreatedBy.*" />
      <field name="Document_LastModifiedBy_*" query="LastModifiedBy.*" />
   </document>

In the following example:

  • The attribute parentIdField="AccountId" on the contract object indicates that the connector can find the reference of the parent object in a field named AccountId. The connector must follow this reference and respect the permissions set on the parent object when it generates an ACL for the document.
  • basetype="Account" is a securable object type, but can have another account as its parent object. The attribute parentIdField="ParentId" indicates that the connector can find the reference of the parent account in a field named ParentId. The connector must respect the permissions set on any parent account(s) when it generates the ACL for the document.

   <document basetype="Contract" parentIdField="AccountId">
      <field name="Contract_*" query="*" />
      <field name="Contract_Account_*" query="Account.*" />
      <field name="Contract_Owner_*" query="Owner.*" />
      <subquery childrelationship="Notes">
         <field name="Contract_Note_*" query="*" />
      </subquery>
   </document>
  
   <document basetype="Account" parentIdField="ParentId">
      <field name="Account_*" query="*" />
      <field name="Account_MasterRecord_*" query="MasterRecord.*" />
      <field name="Account_Owner_*" query="Owner.*" />
   </document>
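
The prerequisites above can be checked before a synchronize run. The following lint is an added example, not part of the connector or its documentation. It assumes the caller supplies the securable type names (taken from the SobjectType field of ObjectPermissions); the `<documents>` wrapper element, the `Widget__c` type and the sample set of securable types are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Basetypes the prerequisites accept without a parentIdField, in addition
# to the securable object types of the Salesforce organization.
ALWAYS_ALLOWED = {"Folder", "Organization", "User"}

def check_mapped_security(xml_text, securable_types):
    """Return (basetype, problem) pairs for <document> elements that do not
    meet the mapped-security prerequisites."""
    allowed = ALWAYS_ALLOWED | set(securable_types)
    problems = []
    root = ET.fromstring(xml_text)
    for doc in root.iter("document"):
        basetype = (doc.get("basetype") or "").strip()
        parent_field = doc.get("parentIdField")
        if not basetype:
            problems.append(("", "missing basetype attribute"))
        elif basetype not in allowed and parent_field is None:
            # No route to a securable object, so no ACL can be derived.
            problems.append((basetype, "not securable and no parentIdField"))
        elif parent_field is not None and not parent_field.strip():
            problems.append((basetype, "parentIdField is empty"))
    return problems

# Constructed sample: wrapper element and Widget__c are assumptions.
SAMPLE = """<documents>
  <document basetype="Lead">
    <field name="Lead_*" query="*" />
  </document>
  <document basetype="Contract" parentIdField="AccountId">
    <field name="Contract_*" query="*" />
  </document>
  <document basetype="Account" parentIdField="ParentId">
    <field name="Account_*" query="*" />
  </document>
  <document basetype="Widget__c">
    <field name="Widget_*" query="*" />
  </document>
</documents>"""
SAMPLE_SECURABLE = {"Lead", "Document", "Account"}  # constructed, not a real org

if __name__ == "__main__":
    for basetype, problem in check_mapped_security(SAMPLE, SAMPLE_SECURABLE):
        print(f"{basetype or '<unnamed>'}: {problem}")
```

The check only confirms that a parentIdField is present; whether the named field actually leads to a securable object depends on the Salesforce schema and is resolved by the connector.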