Security and Access Permissions
This article discusses various security configuration options when implementing iDialogue for Salesforce.
Note: to request a free security review and consultation at any time, schedule a 60-minute open office hour session using this link.
API Connection
Initially connecting to the iDialogue API using a System Administrator profile user is sufficient for configuration and development.
The API user established in the Quick Start tab requires Read/Write access to all iDialogue managed package records.
System Administrators may optionally use one of the 5 free Salesforce Integration users as the iDialogue API connection user.
Create a new user, such as “iDialogue Connection”, and assign it the “Salesforce Integration” User license.
Salesforce Integration users all share the “Salesforce API Only System Integrations” Profile.
At minimum, this profile requires access to the following objects. Fine-tune access depending on implementation requirements.
AI Assistant / FlowGPT
- AI Model
- AI Prompts
- Dialogues
- AI Actions
- iDialogue Events
Document Generation and Doc Rooms
- Room
- Room Member
- Room Item
- Enablement Rules
- Signatures
- Files
- Email Message
Payment Processing / Stripe Integration
- Payment Method
- Charges
Batch Document Generation
- Batch Definition
- Batch
Checklists / Customer Onboarding
- Checklist
- Checklist Item
Configuration / FlowCPQ
- Configuration
- Option
- Card
User Licenses
iDialogue is generally licensed on a “per-org” basis, and as such there are an unlimited number of licenses available.
However, in some environments, Salesforce users must be granted access to iDialogue features explicitly through the “Manage Licenses” feature.
To manage licenses and user access, go to Setup->Installed Packages.
- Check whether the installation has “Unlimited” users.
- If not, click “Manage Licenses” to assign licenses to specific users.
Public Group for File Libraries
Salesforce Users that generate documents, either via AI Assistants, Document Room Lightning component, or screen flows, must have access to the source document template.
Typically document templates are stored in a library dedicated to document templates. Member access to the document template library is granted either to individual users or groups.
It’s recommended to create one main public group for Users that have access to document templates.
Content Creators / Salesforce User
Users who create content, such as document/room/email templates, will require access to the “Room Builder” tab, CRM Content, and all custom objects in the “rooms__” namespace.
Salesforce Users
Users who generate documents and send invite links to customers for document signature require access to:
- Content Library
- Room, Room Item, Room Member, Signature objects
Document Rooms
When Leads or Contacts visit rooms, they interact with Salesforce via the access permissions of the API connection user.
If web form elements in a room update fields on the room object, then the OAuth API user will require write/update access to those fields.
If signed documents are attached to records, then the API user requires access to ContentVersion (File) records.
Apex Class
All Apex classes in the managed package are declared “with sharing”, and their runtime DML verifies the running user’s access to objects.
Therefore, it is generally safe to add all Apex classes in the rooms namespace to profiles and permission sets.
More granular access can be applied for solution-specific configurations. For example, end users do not require access to the Room Builder and Doc Builder Apex controllers.
Consult with your Account manager if there are questions about which Apex classes to add/remove.
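The following added illustration (not code from the iDialogue package) shows the pattern the text describes: a “with sharing” Apex class whose DML first verifies the running user’s object-level and field-level access. It also makes concrete the point in the Document Rooms section above: when a room web form writes to the Room object, these same checks run against the API connection user, which is why that user needs edit access to the fields. The class name RoomFieldUpdater and the object API name rooms__Room__c are assumptions.

```apex
// Added illustration, not iDialogue's own source. rooms__Room__c is an ASSUMED
// API name for the Room object in the rooms__ namespace.
public with sharing class RoomFieldUpdater {

    public class AccessDeniedException extends Exception {}

    // Updates one field on a Room on behalf of the running user (for a room
    // visited by a Lead or Contact, that is the API connection user).
    // Returns true when the write was performed, false when nothing was writable.
    public static Boolean updateRoomField(Id roomId, String fieldName, String value) {
        Schema.DescribeSObjectResult roomDescribe = rooms__Room__c.SObjectType.getDescribe();
        // Object-level (CRUD) check: the user must be able to edit Rooms at all.
        if (!roomDescribe.isUpdateable()) {
            throw new AccessDeniedException('Room object is not updateable for this user');
        }
        Schema.SObjectField field = roomDescribe.fields.getMap().get(fieldName);
        if (field == null) {
            throw new AccessDeniedException('Unknown field: ' + fieldName);
        }
        // Field-level (FLS) check: fail loudly instead of silently dropping the value.
        if (!field.getDescribe().isUpdateable()) {
            throw new AccessDeniedException('Field not updateable for this user: ' + fieldName);
        }
        // Because the class is "with sharing", this query honours record sharing:
        // a Room the user cannot see is not returned, so it can never be updated here.
        List<rooms__Room__c> rooms = [SELECT Id FROM rooms__Room__c WHERE Id = :roomId LIMIT 1];
        if (rooms.isEmpty()) {
            throw new AccessDeniedException('Room not visible to this user: ' + roomId);
        }
        rooms[0].put(field, value);
        // Defence in depth: stripInaccessible removes any field the user may not
        // update, so the DML below only ever carries permitted fields.
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.UPDATABLE, rooms);
        List<rooms__Room__c> safeRooms = (List<rooms__Room__c>) decision.getRecords();
        // Only Id left means the target field was stripped; nothing to write.
        if (safeRooms[0].getPopulatedFieldsAsMap().size() <= 1) {
            return false;
        }
        update safeRooms;
        return true;
    }
}
```

A profile or permission set that omits edit access on the field makes the FLS check throw, which is the symptom to look for when a room web form fails to save.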
Visualforce Pages and Lightning Web Components (LWC)
Admin users and Content Creators require access to all Visualforce pages and LWC.
All Admin and content creation features of iDialogue use lightweight VF pages to bootstrap ReactJS apps stored as static resources.
End users/profiles may not require access to any VF pages, unless they manually initiate document batch jobs.
Session Settings
Review all session settings to ensure key Lightning component security features are enabled.
Setup->Session Settings
Note: some lightning components, when added to page layout, may throw unhandled exceptions if essential security settings are not enabled.
The iDialogue lightning web components generally assume the following are enabled:
- Enable Stricter Content Security Policy
- Enable XSS Protection
- Enable Content Sniffing protection
- Enable Content Delivery Network (CDN) for Lightning Component framework (this setting improves component performance).
Lightning Web Security
As of 2023, the new Lightning Web Security feature is in beta and one iDialogue Aura component (Document Rooms) is known to have issues when LWS is enabled. We are collaborating with Salesforce to determine the cause of rendering issues.
To determine if LWS is enabled, or impacting the rendering of the iDialogue Document Rooms lightning component, go to Setup->Session Settings->Lightning Web Security.
Note: the iDialogue Rooms component implements its own validation rules and security, and does not require additional configuration to prevent cross-component injection.
Error Logging
All iDialogue errors are logged to the iDialogue Event custom object. Generally all Salesforce users should have write access to this object, but they do not require tab visibility.
Permission Set
By default only System Administrators have access to all iDialogue features, unless the “Install for All Users” option is selected.
The button below installs an add-on Permission Set named “iDialogue User” with access to common iDialogue objects and Apex classes.
This permission set can be installed at any time. The metadata source code for this package is available here
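As an added illustration (not the package’s own metadata), here is what a permission set of the kind described above looks like in Salesforce Metadata API format, following the article’s guidance: read/create/edit on the end-user objects without delete or View All/Modify All, write access to the event object with no tab, and only the runtime Apex class rather than the Room Builder and Doc Builder controllers. The same objectPermissions elements apply to the Profile metadata of the API Connection user described earlier. All object, class and tab API names below are assumptions based on the rooms__ namespace.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example permission set; not iDialogue's shipped metadata.
     Object, class and tab API names are ASSUMED (rooms__ namespace). -->
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <!-- Runtime controller only; Room Builder / Doc Builder controllers
         are deliberately left out for end users. -->
    <classAccesses>
        <apexClass>rooms__RoomController</apexClass>
        <enabled>true</enabled>
    </classAccesses>
    <description>End-user access to common iDialogue objects and Apex classes.</description>
    <hasActivationRequired>false</hasActivationRequired>
    <label>iDialogue User (example)</label>
    <!-- Room: create/read/edit, no delete; sharing rules still apply because
         viewAllRecords and modifyAllRecords stay false. -->
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>rooms__Room__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>rooms__Signature__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <!-- Error logging object: every user may write events, no tab granted. -->
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>rooms__iDialogue_Event__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <tabSettings>
        <tab>rooms__Room__c</tab>
        <visibility>Available</visibility>
    </tabSettings>
</PermissionSet>
```

Room Item and Room Member would get objectPermissions blocks of the same shape as Room; deploy the file under permissionsets/ with the Metadata API or Salesforce CLI.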