Securing Customer Data through ‘Data Mask’ – how it is different than Platform Encryption?

Business Context

In today’s world, securing customer data is one of the most critical aspects considering various compliance, regulations & strict data privacy rules. From application security standpoint, even when proper security setup is done using OWD, role hierarchy, sharing rules etc. there is one critical question that always remains alive – how if any user is enabled any additional access over customer data than the intended access? There are multiple mechanisms with which it can be ensured that this will never happen in Production, but this could be quite possible that other actors e.g. Developer, Tester, External User in Sandbox environment might get additional access over customer sensitive data which is replicated from Production (e.g.  full copy, partial copy sandbox data replication).

What is Data Mask?

And that is the right context when Data Mask - Salesforce’s one of most recent security related product offerings should be used. This feature enables to mask or delete data in sandbox environment where above mentioned actors could be provided additional access and thus gain access to sensitive data (e.g. PI, PII etc.).

With this, we get three options regarding masking

• Anonymization (i.e. masking fields values into unreadable values e.g. Jag becomes 9$jstktreW),
• Pseudonymization (i.e. masking fields values into readable but unrelated values based on library that comes as part of managed package of this product offering e.g. Anik becomes Sunil)
• Deletion (i.e. nullifying field value)

At high level, there are two parts of it the way it works

• Configure masking policies (i.e. the options mentioned above)
• Execute the configuration to mask data

In which part of the application development life cycle this should be used?

As mentioned above this is applicable to mask sandbox data. Best practice is to have it configured in production, so when sandbox is refreshed the same configuration flows down in sandbox environment where accordingly data is masked by admin. Also, configuration can be done in Sandbox environment as well and then the same can be executed to mask the data.

How it is different than Platform Encryption?

I think this is a very common and interesting topic while talking about Data Mask. But it has a very simple straight forward explanation – however both of them to secure customer data, the objective of this two features are different - while Platform Encryption encrypt customer data while it is stored in Salesforce data store (i.e. encryption at rest), it does not mask data at ‘view layer’ i.e. when user with proper access views the data the same is displayed in its original value – but Data Mask scramble /delete the entire value of field so when the same is viewed by user they don’t see its original value ever.

N.B. Classic encryption has in built masking feature; however, it has limitation over encrypting any standard fields. Review difference of classic vs platform encryption in detail

Considerations

·         While Platform Encryption is used because of security privacy related need, considering Data Mask is very much relevant.

·         Some fields are not supported by Data Mask. Any alternative should be devised in case of possibility of data breach.

·         As of date, the automated data masking at the time of sandbox refresh is not available i.e. when sandbox is refreshed from production,  data which is copied over (in case of full copy) to sandbox is not masked automatically based on masking configuration defined (however the same masking configuration flows down automatically).

Reference

https://success.salesforce.com/sessions?eventId=a1Q3A000021ea1UUAQ#/session/a2q3A000002BJQNQA4

https://trailhead.salesforce.com/en/content/learn/modules/salesforce-data-mask 

Einstein Analytics Dashboard on Community and Accessing it through Mobile

Business Context

Salesforce Einstein Analytics is the latest generation Analytics offering from Salesforce, that allows us to build and visualize data in a smart way helping business having best view to analyse and act on it. These modern dashboards not only help your management to view and analyse business data, also helps your customers (i.e. your external users) to take informed decisions. And it is becoming quite common use case (I have experienced similar use cases for few banking customers) where the ask is to enable your external users to view the dashboards and allow them to access from any devices. In this article let’s discuss how we can approach it and relevant challenges.

The Solution approaches and the Challenges

The first step - off course is to build the Dashboards using Einstein Analytics Studio (using data set, lenses etc) and perform couple of fundamental steps – 1| make sure you share it to community through share option of it’s relevant Einstein Analytics app (‘Enable sharing with Communities’) 2|also from Analytics Settings you need to enable ‘Share Analytics with Communities’. Let’s go to next step (I am purposefully skipping “Mobile Layout” now, will come back on this area later while describing the challenge below)

The next step is to expose your Einstein dashboard into Salesforce Community (but only catch is users with Customer Community plus, Partner Community and Lightning App license can access it as of today from the community). You can expose Einstein dashboard into your community in multiple ways – if you’re using lightning template, the easiest option is to use built-in “Wave Dashboard” component and embed your Einstein dashboard, few other option is to develop lightning component or visualforce page embedding Einstein dashboard (while this custom option gives more flexibility, the lightning component is latest way of handling this).

And the final step is to make this “Community with embedded Dashboards” available for your external users who will access it through mobile. Needless to say this is the “challenging area”. To elaborate this – interesting question is how your customer would access this? Few possible options –  through  1|Salesforce 1 mobile app? 2| Salesforce Analytics for mobile app? 3| mobile web browser? 4|custom developed mobile app 5| new offering from Salesforce?

Let’s talk about it each…

Salesforce 1 mobile app CAN’T be an option at all if you’re using lightning community since it is not supported.

Salesforce Analytics is also NOT supported for community users i.e. external users.  

So far we have seen most of customers using mobile web browser to access Salesforce lightning community, it works well (even though not supports all mobile browsers, check it limitations), however it does not show the mobile layout configured for the Einstein dashboard (that you configured in Einstein studio) intelligently, so you might not see a very good view in your small screen.

Possible mitigation

When you’re following mobile web browser option, the above limitation can be handled (with a bit nasty way) but you can configure 2 set of Dashboards for each requirement – one for desktop version and second one for mobile version, and then develop a lightning component which will show the dashboard dynamically based on user accessing from desktop or mobile (use $Browser global value provider in conjunction with aura:if and wave:waveDashboard), finally embed that lighting component to your community page.

Moving ahead towards remaining two options, ‘custom mobile development’ approach certainly provides ability to represent wide spectrum of custom functionalities with APIs; but remember this will cost effort and off course a good amount of mobile development expertise. 

And finally, the last option – new offering from Salesforce? YES, you’re right, with Spring ’19, Salesforce released a revolutionary offering called “Mobile Publisher” that you can use to promote your Lighting community (also Salesforce application) as mobile app which can be downloaded in android or iOS. With this new feature your go-to-market strategy will certainly be accelerated in lightning speed! 

Considerations before you implement…

• Since Customer Community license does not work for Einstein Analytics, consider reviewing Salesforce Community license. 
• ‘Salesforce Mobile Publisher’ feature is not free; you need to purchase license to avail. 
• Mobile layout should always be low weight containing assets compare to your desktop version of the application, so be mindful to design it.

Salesforce Campaign Member Status – Does your marketing business need custom values?

Business Context

Campaign member status is a critical field from marketing standpoint since it depicts the progression of a Campaign member for a marketing event (i.e. Campaign). We all know when we add Lead/Contact as Campaign member to a Campaign, we see Campaign member status as either ‘Sent’ or ‘Responded’ but think about a scenario when Prospects (i.e. Leads/Contacts) are nurtured in various marketing events through Campaign, there could be need to set different Campaign member status value of that Campaign, for instance, “Click URL”, “Registered Event” – this could be few statuses of type ‘Responded’. Since this status is one type of drilled down value of Sent/Responded, definitely having configured a new picklist field at Campaign member level could be one way to address this ask, but how if from a Marketing platform (e.g. Pardot) it is required to set/change the Campaign member status while adding/nurturing the prospect to a marketing campaign?

In this article, I shall show how this business scenario could be handled using current Salesforce offerings.  

Creating new (customized) values for Campaign Member Status

The first step for this business case is to enable additional picklist values for Campaign member status.

In classic, for any Campaign record, go to ‘Advanced Setup’, and ‘Edit/Replace’ new values – that’s it.

For lightning, you need to include ‘Campaign Member Status’ into the Campaign page layout and then add/edit Campaign member status of your choice.

And after doing these changes, if you notice, there will be new values in status picklist field at Campaign member object. So, to make change in meta data level, you’re doing change in data through related record. Definitely different, but so Simple!

But wait. This will address for that Campaign record only for which you did all this hard work! How if for any new/existing active campaigns, business wants to enable this new Campaign member status values? Will the above-mentioned approach be able to address the need? Answer is NO. For this you need to run extra mile. Let’s follow…

Campaign Member Status for new/existing Campaign records

For this you have two options –

Option 1 – create a “template” type Campaign and for that record do all the manual work you did above, (thus that Campaign record having additional Campaign member status values) and then “clone” that Campaign while creating the new Campaign.

Option 2 - create Campaign member status record automatically when you create a Campaign. So, in general this option is all about establishing process automation at Campaign level so that Campaign member status is created. Towards a low maintenance approach, custom metadata type can be used to store the Campaign member status, and then a flow in conjunction with process builder can be configured which will read the values from custom meta data type, and create Campaign member status records when Campaign will be created. Similarly, apex trigger can also be developed to do this.

And for existing active campaign records, inserting Campaign member status records through any API client will be the approach for both the options mentioned above.

Few Considerations while enabling Campaign member status

• While having a new Campaign member status value, ensure whether it will be marked as ‘Responded’ since it has significance impact towards campaign statistics.
• Determine what will be the default value when you’re having multiple Campaign member status.
• Replacing Campaign member status triggers all Campaign records update.

Lead Conversion – associating with an existing Opportunity

Business Context

There is a very common business scenario where you need to associate your Leads (which are onboarded from multiple sources) /converted Leads to an existing Opportunity. This is a very simple yet a business critical topic.

Salesforce already providing a great capability for Lead Management supporting Lead conversion. In recent upgrade, it has introduced way more user (both Business as well IT) friendly Lead conversion wizard in Lightning along with new method in LeadConvert class. Let’s talk about the possible ways to address this business case, considering this stunning feature.

Solution with new Lightning Lead Conversion feature

As mentioned above, Salesforce now provides a brilliant Lead Conversion Wizard. This allows not only to associate existing Account, it also allows to associate to existing Contacts and Opportunity. On top of it - the beauty is: ‘Enforced Data Governance’ – option for existing Opportunity only available if existing Account is selected, and it will only show selected Account’s Opportunities. Moreover, it leverages standard matching rule for Contact match and Account match while showing matched existing Account, Contact options.

So, for this business scenario, using lightning Lead Conversion wizard is highly recommended since this gives provision to on board Leads and then convert them to existing Opportunity (apart from associating it with existing Account & creating new Contacts or associating with existing Contacts)

Solution with Upgraded LeadConvert Class – useful in Classic

Technically when a Lead is converted, Lead’s ‘IsConvert’ field is set to true, also few other fields are populated e.g. ConvertedAccountId, ConvertedContactId, ConvertedOpportuintyId, above wizard automatically populate those fields as user selects existing Account, Contact, Opportunity. However this wizard is not available in Classic.

Currently Salesforce provides ‘setOpportunityId()’ method in ‘LeadConvert’ Class, which facilitates to set the Opportunity id for the converting Lead. That means, if programmatically Lead is required to be converted, in that case also it can be associated to existing Opportunity. This is very useful in Classic theme as mentioned above Classic does not support this enhanced Lead Conversion Wizard today.

Earlier version of the solution when Lightning Lead Conversion feature or setOpportunityId() was not available

Honestly there was not any such “clean solution” to address this business ask earlier when there was not enhanced Lead conversion wizard or ‘setOpportunityId()’ available. One of the alternate solution options was to have Opportunity lookup configured at Lead level, and then when Lead’s Opportunity is populated by user, a process automation (process builder/flow/trigger) to take place ensuring either Contact creation or identifying matched Contact and then adding it to existing Opportunity’s Opportunity team or do any other actions as per business acceptance.

Considerations to align with this feature

So, with this new feature in place, the existing solution along with its relevant data requires re-evaluation to leverage best of the offerings of the platform. Though completely depends on how you have designed your current solution, there will be Lead data which may undergo some manipulation, but we should remember that for any already converted Lead, you can’t update ConvertedOpportunityId (this might not a valid scenario for your solution).

Salesforce Campaign Influence – Made Easy

Introduction

Salesforce Campaign Influence is a great feature to track influential Campaigns for an Opportunity. Salesforce had introduced new feature in this module and as part of a customer implementation I implemented & explored this module, in this content, I shall articulate my findings along with few interesting facts. 

Holistic View of Salesforce Campaign Influence Module

Earlier Version - Campaign Influence (still exist in classic) 

The original version of Salesforce Campaign influence tracks influential Campaigns for Opportunity. To highlight few basic properties of this feature, at Campaign record detail from ‘Opportunity related list’ you can create a new Opportunity with the same Campaign as ‘Primary Campaign Source’, alternatively you can set the ‘Primary Campaign Source’ from the Opportunity detail. This will show one entry in Opportunity’s related Campaign Influence list (assuming the ‘Campaign Influence’ related list is present at Opportunity detail page layout), additionally in that related list it flags (also allow you to uncheck) the campaign as primary.  

Also, if ‘Auto Association’ is enabled, when any Contact is added to the Opportunity through ‘Opportunity Contact Role’ (‘Opportunity Contact Role’ related list required to be present in Opportunity layout) the Campaign(s) associated to that Contact (through Campaign Member) will be automatically added to ‘Campaign Influence’ section of the Opportunity. Also auto association rule can be fine-tuned to restrict while generating the Campaign Influence automatically.

(Above picture shows how Campaign Influence created for this version.)

Things to remember here

• Campaign Influence object is NOT API exposed, i.e. you can’t query it, neither report on it.
• Campaign Influence related list is not available in LEX
• No ‘Attribution Model’ available (i.e. no way to show Influence % or revenue share of related Campaigns for the Opportunity)
• No specific permission set is required to access this feature
• You can add associate Campaign manually as well with the Opportunity.

Campaign Influence 1.0

Salesforce now provides option to enable ‘Campaign Influence’ from setup which allows a great way to track Campaign’s attribution (Influence %, revenue share) on Opportunity.

This version brings access to object “Campaign Influence” which is API exposed and can be extended with additional attributes and process automation, validations.

This enforce auto-association by default, you can just fine-tune rule to restrict while generating the Campaign Influence records automatically.

(Above picture shows how Campaign Influence created for this version)
This also enforce ‘Primary Campaign Source Model’ where Opportunity's ‘Primary Campaign Source’ gets 100% influence credit, and any other Campaigns in related Campaign Influence of the Opportunity gets 0% influence credit.  Let me elaborate it with one example - let’s say a Campaign named ‘start’ (what’s in a name? 😊) is the Primary Campaign Source of an Opportunity, and if multiple Contacts associated to the Opportunity are also engaged with the same Campaign ‘start’, there will be multiple Campaign Influence records created, and in that case 100% Influence of that Campaign is distributed equally amongst the Campaign Influence records which are having different Contacts tied to it.

In above example, con1 and con4 both are associated to Campaign ‘start’, since that Campaign is marked as ‘Primary Source Campaign’ for the Opportunity, all 100% Influence is evenly distributed to Campaign Influence records tied the Contacts i.e. con1 & con4.

Things to remember here

• Supports in Lightning Experience as well
• Campaign Influence object is API exposed, reportable, extendable, process automation & validation can be developed
• Auto Association can’t be disabled
• Permission set with license ‘CRM User’ or ‘Sales User’ needed to access Campaign Influence

Customizable Campaign Influence

Customizable Campaign Influence is a super set of the previous, with all features & setup requirements included, it additionally allows you to go beyond the default attribution model (described above), and this is where ‘Campaign Attribution Model’ comes into the consideration. Following two implementation option of custom attribution model based on your customer scenario-

Option 1 - When you enable B2B Marketing Analytics , following model is generated automatically – First Touch Model (the Campaign with which the Contact was associated first is considered for having the credit for the Opportunity) , Last Touch Model (the Campaign with which the Contact engaged most recently is considered for having the credit for the Opportunity ), Even Distribution Model (all Campaigns associated through Contact of that Opportunity are considered for having equal distribution of the credit for the Opportunity), you can make any of it as default to follow its attribution model. I find the article 'Everything You Wanted to Know About Marketing Attribution Models' very helpful on this context. 

Option 2 - You can create a custom attribution model from ‘Model Settings’ from the setup. In order to provide credit to associated Campaigns as per your customer way of business (custom multi touch etc.), you can develop apex trigger (on Campaign Influence object or any other objects depending on business case) ensuring Campaign Influence records are created with defined Influence% and Revenue Share (setting relevant Model id in it). I find the article "Implement Custom Campaign Influence Models with Apex Triggers" is very helpful 

Things to remember

• Ability to go beyond default attribution (Influence % & revenue Share) to address any business need
• While setting up your custom attribution model, you can mark it as default. Additionally, you can either set it lock, if it is not locked, it will allow user to associate ‘Campaign’ (through Campaign Influence) of an Opportunity manually as well. 

Summary

If your customer only looks for related Campaigns for an Opportunity and your customer is using classic, the 'earlier version of Campaign Influence' suits your need. If your customer implementation is on Lightning Experience, and also need campaign attribution you may use Campaign Influence 1.0 with little setup configuration, and finally if your customer is looking for more robust and complex credit calculation to related Campaigns, Customizable Campaign Influence is for you.

Important Understanding

While Salesforce knowledge articles are extremely helpful, here I wanted to highlight one open question & the understanding. As per the article, What’s the Difference Between Customizable Campaign Influence and Campaign Influence 1.0?

the “API Access” is NOT available in ‘Campaign Influence 1.0’ but available in ‘Customizable Campaign Influence’ However, as per ‘Campaign Influence 1.0’ setup, the article  Configure Campaign Influence instructs to enable ‘Campaign Influence from setup' and when it is enabled, you can always use API towards Campaign Influence however it does not make any sense to use API for Campaign Influence when ‘Primary Campaign Source Model’ is used (i.e. Campaign Influence 1.0), but then the question is if both Campaign Influence 1.0 and Customizable Campaign Influence requires to enable ‘Campaign Influence’ from setup, what is “that” which comes “without enabling Campaign Influence from setup” at all? My understanding is - it is the ‘Earlier Version of Campaign Influence’ (refer diagram at section ‘Holistic View of Salesforce Campaign Influence Module’ above)