The sharing model
One of the first steps when designing a new Salesforce CRM implementation is to set up data access using the sharing model engine. This specifies who can see what! To understand how this works, have a look at the following diagram:
[Figure: Salesforce sharing architecture]
Profiles determine Object-Level Security (OLS) and Field-Level Security…
Secure Data Access – Certified Advanced Salesforce Admin Exam Guide
In each Salesforce organization, the administrator is the key holder: they are the guardian of the company’s data and thus their main concern is protecting this valuable asset. The right object permissions shape data according to the kind of user who accesses it, while planning the right sharing strategy enables users to…
IAM roles – Google Cloud Engineer Exam Guide
In Google Cloud, permissions are not assigned to users and groups directly. Instead, users have roles assigned to them. Roles are a collection of permissions. Permissions usually match API methods that describe which operations are allowed on a resource and have the following form: <service>.<resource>.<action>. Figure 12.12 – Example of a role, which is a…
Building a resource hierarchy
In the Google Cloud resource hierarchy, an organization is provisioned automatically and it is the top-level node above all other folders, projects, and resources. Any policies or restrictions set at the organization level will apply to the folders, projects, and resources that fall under it. The hierarchy helps to manage access to resources, so there…
Users and groups – Google Cloud Engineer Exam Guide
You can create accounts for each user to be managed by Cloud Identity manually in the Users tab in the Directory section of the Google Admin console by selecting Add new user as shown in Figure 12.7. Alternatively, you can upload user accounts via a CSV file, sync users with your existing LDAP directory, such…
Implementing Identity and Security in Google Cloud
In the previous chapters, topics such as roles, users, and service accounts often appeared in the context of what permissions are needed to access or configure a specific Google Cloud service. This chapter will provide more visibility on identity and access in Google Cloud. In addition, we will focus on the security aspect and learn…
Predefined roles for Google Cloud’s operations suite services
When working with Google Cloud’s operations suite products described in this section (Debugger, Profiler, and Trace, but also Logging and Monitoring, which were presented earlier in this chapter), it is essential to know what the permissions model looks like. For example, what role can be assigned to a user that wants only to view dashboards?…
Using cloud diagnostics to research an application issue
It is possible to diagnose an issue caused by code in your application using Cloud Monitoring alone. Still, you will have to somehow go from metrics to the request and logs that generated that metric’s data point. Also, examining logs from a web service in Logs Explorer to track the most common errors would…
Configuring log sinks to export logs to external systems
We configured a sink to route logs to a new log bucket in the previous section. Log buckets are the default choice for storing logs. It is also possible to route all or a subset of logs to alternative locations for longer retention (Google Cloud Storage), in-depth analysis (BigQuery), or third-party applications (in the cloud…
Configuring log routers – Google Cloud Engineer Exam Guide
Imagine a situation where you have a policy in your company that requires you to keep all logs coming from your workloads in a specific geographic region. Because the _Default log bucket is global (logs generated in a particular region are stored in this region), you must change this default behavior. To modify the destination…