Security: Scenario 4 Solution

The solution section provides an overview of how to solve this scenario, and why that solution was chosen.  The Solution Steps section immediately following outlines the exact steps used to replicate the solution.

Solution:

In order for some users to not have access to marketing leads, org-wide defaults for leads must be set to private.

When you create a queue, a list view is created for the associated object (in this case leads).  However, this list view is exposed to all users, regardless of whether they have access to the records within the queue.  The sharing criteria for the list view do not allow you to share the list view with only queue members.  However, you can specify a group.  Therefore, it is a good practice to create a public group for each queue if the org-wide default for that object is private.

It is possible to solve this scenario without using a group, although the solution outlined below includes a group:

  1. Set the org-wide default for leads to private.
  2. Create public group “Marketing Queue”.
  3. Create lead queue “Marketing Queue”.
    Assign the public group “Marketing Queue”.
    Assign the queue to the leads object.
  4. Edit the Marketing Queue lead list view.
    Assign visibility to the Marketing Queue.

Solution Steps:

  1. Setup –> Security Controls –> Sharing Settings.  Edit Org-Wide Defaults.  Set Lead to Private.  Save.
  2. Setup –> Manage Users –> Public Groups.  New.  “Marketing Queue”.
    Assign the role “SVP, Sales & Marketing”.
    Assign the role and subordinates “VP, Marketing”.
  3. Setup –> Manage Users –> Queues.  New.  “Marketing Queue”.
    Add Leads to Select Objects.
    Add Public Group “Marketing Queue” to select members.
    Save.
  4. Select the Sales App.  Click the Leads Tab.  Select the Marketing Queue list view.  Edit List View.  Remove any entries from Restrict Visibility if present.  Add “Group: Marketing Queue” to list of Shared To.  Save.
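
A simplified model of the chain this solution builds (list view shared to a public group, the same group used as the queue member), added here as an example and not Salesforce code or the author's own. It resolves both audiences and reports users who can select the list view without being queue members, and the reverse; the user names, the "Field Marketing" role and the hierarchy layout are constructed assumptions.

```python
# Simplified model of list view / public group / queue membership.
# Not Salesforce API code; all sample data below is constructed.
ROLE_PARENT = {
    "CEO": None,
    "SVP, Sales & Marketing": "CEO",
    "VP, Marketing": "SVP, Sales & Marketing",
    "Marketing Team": "VP, Marketing",
    "Field Marketing": "SVP, Sales & Marketing",   # hypothetical role
    "VP, North American Sales": "SVP, Sales & Marketing",
    "Western Sales Team": "VP, North American Sales",
}
USER_ROLE = {  # hypothetical users
    "svp_user": "SVP, Sales & Marketing",
    "vp_mkt_user": "VP, Marketing",
    "mkt_user": "Marketing Team",
    "field_user": "Field Marketing",
    "sales_user": "Western Sales Team",
}

def roles_under(role):
    """Return the role plus every role below it in the hierarchy."""
    found = {role}
    changed = True
    while changed:
        changed = False
        for child, parent in ROLE_PARENT.items():
            if parent in found and child not in found:
                found.add(child)
                changed = True
    return found

def expand(members, groups, seen=frozenset()):
    """Resolve (kind, name) member entries to a set of user names."""
    users = set()
    for kind, name in members:
        if kind == "all_users":          # default list view visibility
            users |= set(USER_ROLE)
        elif kind == "role":
            users |= {u for u, r in USER_ROLE.items() if r == name}
        elif kind == "role_and_subordinates":
            scope = roles_under(name)
            users |= {u for u, r in USER_ROLE.items() if r in scope}
        elif kind == "group" and name not in seen:   # nested group, loop-safe
            users |= expand(groups[name], groups, seen | {name})
    return users

def audit(list_view_shared_to, queue_members, groups):
    """Compare who can select the list view with who is a queue member."""
    viewers = expand(list_view_shared_to, groups)
    members = expand(queue_members, groups)
    return {"view_not_member": sorted(viewers - members),
            "member_not_viewer": sorted(members - viewers)}

# Public group as defined in Solution Steps, step 2.
MARKETING_ROLES = [("role", "SVP, Sales & Marketing"),
                   ("role_and_subordinates", "VP, Marketing")]
GROUPS = {"Marketing Queue": MARKETING_ROLES}
VIA_GROUP = [("group", "Marketing Queue")]

if __name__ == "__main__":
    print("default view :", audit([("all_users", "")], VIA_GROUP, GROUPS))
    print("page's design:", audit(VIA_GROUP, VIA_GROUP, GROUPS))
    print("role drift   :", audit(MARKETING_ROLES,
          MARKETING_ROLES + [("role", "Field Marketing")], GROUPS))
```

The model covers list view selection and queue membership only; record visibility through the role hierarchy above queue members is not represented.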

 

63 Responses to “Security: Scenario 4 Solution”

  1. rishabhsrana August 1, 2017 at 11:13 pm #

    It would be great if you could share the screenshots of each scenario you executed at your end.

    Thanks,
    Rishabh

  2. rashminder@techneosys.com March 2, 2017 at 3:31 pm #

    Hi John,

    I am logged in as a marketing user and can see the marketing queue in the leads tab but unable to reassign it. I cannot see the change owner option. What is amiss?

    thanks
    rashminder

    • rashminder@techneosys.com March 2, 2017 at 3:42 pm #

      Worked it out! Can change the owner now!

  3. nk005347 October 3, 2016 at 5:11 pm #

    Hi, is the reason to create public group instead of directly assigned to Role to enable users from other roles provided access to queue if necessary? Otherwise we could provide access to Marketing Leads view directly to marketing profile.

    • JohnCoppedge October 3, 2016 at 8:00 pm #

      You can’t share a list view with a queue- in order for the list view to only be selectable by queue members, it’s best to share the list view with a group (since queue is not an option) – then add the queue to the group.

      • Matt Knutson October 5, 2016 at 4:30 pm #

        Hi John,
        Not sure I follow. I set queue members equal to only the various marketing profiles. Then, I restricted visibility of the list view to “certain groups of users” sharing with only the same roles who are members of the queue. Only users in the assigned roles see the list view. Could you expand on why it’s best practice to share with a group instead of roles?
        Thanks for the great site! Taking my test today, we’ll see how it goes.
        Matt

        • JohnCoppedge October 6, 2016 at 1:40 pm #

          Fast forward – this logical grouping (currently a role) expands to two roles. You now have to update this in two places (list and sharing rule).

          Queue lets you update in one place.

          • Matt Knutson October 6, 2016 at 7:01 pm #

            Got it, thanks. Passed my test yesterday thanks in large part to you!

          • JohnCoppedge October 17, 2016 at 4:42 pm #

            Awesome, congrats!!

      • Lisec July 7, 2017 at 10:29 pm #

        I am wondering why I can’t solve this whole thing with Roles. I can share a list view with Roles and I can put Roles inside a queue. Isn’t that similar to what you are doing with Groups, except with Groups I can pull from a variety of people rather than just with one role. Is this correct?
        -Lise

  4. fredrik.schenatz@eins.se July 6, 2016 at 12:41 pm #

    Works perfect, it’s a good way to learn the system in this way 🙂

  5. eethomps June 22, 2016 at 6:55 pm #

    I cannot locate the marketing queue list view. It isn’t an option when I click on the Leads tab. Help?

  6. jcrook@jdcrook.com April 5, 2016 at 3:09 am #

    John –
    Following your navigation on step 2:
    Setup –> Manage Users –> Public Groups. New. “Marketing Queue”.
    Assign the role “SVP, Sales & Marketing”.
    Assign the role and subordinates “VP, Marketing”.
    I don’t have an option in roles for SVP, Sales & Marketing. I know I have seen it in the dev org before, but it isn’t on this list. I am logged in as the system admin.
    Any clue?

    • CarlosSiqueira May 16, 2016 at 1:55 am #

      My highest role for Marketing is VP of Marketing, so I had the same thought as the 1st comment from Maria Huemmer, like just creating the queue and assigning Roles + Subordinate as VP of Marketing. It worked.
      After that, I created a similar queue and the public group as John suggested and it worked as well. Changed both queues to different public groups back and forth, all working. It was tricky to see the results, since I had to create a lead and change the owner to the queue, so that other members could see it. If you delete the queue or the public group, you lose the “links” (at least it happened to me). As John stated, it is a matter of preference and I liked doing without the public group, however, I will rely on John’s experience, time will tell.

  7. nerd.sfdc February 24, 2016 at 11:05 am #

    I am not getting the solution; it needs more detail. I could not find the lead tab marketing queue.

  8. jessicamackay8@gmail.com February 8, 2016 at 10:52 pm #

    “Select the Sales App. Click the Leads Tab. Select the Marketing Queue list view. Edit List View. Remove any entries from Restrict Visibility if present. Add “Group: Marketing Queue” to list of Shared To. Save.” Pretty sure I am having a brain freeze, but where do I “Select the Sales App”?

    • jessicamackay8@gmail.com February 8, 2016 at 11:07 pm #

      Nevermind. I understand what you meant now.

  9. buinguyenphat January 17, 2016 at 5:13 pm #

    Hi, John,
    My question is why do we have to do that without setup–>… ?
    I don’t quite understand step 4 and the reason why I have to do it.

    • JohnCoppedge January 18, 2016 at 5:25 am #

      You want to limit access to the list view to the users that can view the records. Otherwise you could have users that could select the Marketing Queue list view, but not be able to view any records within.

      • buinguyenphat January 18, 2016 at 9:26 am #

        When I login as a vp, Marketing user, after I did all the steps:
        1/ I couldn’t see the lead tab
        2/ I couldn’t see other profile when I tried to assign other profiles to the account I just created. Only 1 option: Force.com- App Subscription User.
        3/ I couldn’t put the checkmark on Marketing User on the account I just created as VP, Marketing either.

        Do you have any clue?

        • JohnCoppedge January 19, 2016 at 4:17 am #

          It sounds like your user license was not assigned the ‘Salesforce’ license type – you may need to deactivate an existing user to free up the license.

  10. simran.arora January 7, 2016 at 12:24 pm #

    Hi John, I have assigned Marketing user profile to James Smith. I can see ‘Marketing queue’ under Leads when logged in with my account but not when logged in as James Smith?

    • JohnCoppedge January 9, 2016 at 12:16 am #

      The profile does not determine which list views or queues the user is assigned. You would need to assign James to the queue as well – the security matrix in this section may help alight these concepts.

  11. responce4mee@gmail.com December 5, 2015 at 10:38 am #

    Thanks for this comprehensive explanation, but I have one suggestion: after this configuration there should be expatiation steps to test the scenario for much better understanding of this scenario (especially for those who are learning SFDC from basics).

  12. nevinoregan79@gmail.com July 27, 2015 at 10:02 am #

    Hi John,

    Same as above and I have removed the check from the “Enable Improved Setup User Interface” checkbox.

    How do I “Add Leads to Select Objects”?

  13. Ryan Werner July 13, 2015 at 8:44 pm #

    For the solution step 2) Setup –> Manage Users –> Public Groups. New. “Marketing Queue”, can’t you just assign the role “Marketing Team” since this would allow the “Marketing Team” including “SVP, Sales & Marketing” and “VP, Marketing”, to assign leads? I’ve tested it out using the various marketing roles in my sf environment and it seems to work fine, but let me know if I’m overlooking something….Thanks!

    • JohnCoppedge July 20, 2015 at 5:23 pm #

      Adding the public group allows you to share the list view out to the same set of users referenced in security, but is not required.

  14. Pixsy June 26, 2015 at 2:22 pm #

    Wonder if you could assist – on the edit view (step 4) Remove any entries from Restrict visibility – I can’t seem to deselect ALL options, one has to be selected. In that case, should I select “visible to certain groups of users” as we have then selected the Marketing Users public group as the shared to group? Thanks

  15. Kaye Akins May 18, 2015 at 3:56 am #

    Hi John,
    A small ‘typo’ in Step 3 of Solution Steps, “Marking Queue”. I think you meant ‘Marketing Queue’

  16. Dorothy Narvaez April 2, 2015 at 11:19 pm #

    I did it differently in the beginning (not using groups) but somehow when I tried to follow the steps above, the user can’t see the list view anymore. I think somehow the James user is under the subordinate role of the SVP … so when I “Assign the role “SVP, Sales & Marketing” and Assign the role and subordinates “VP, Marketing” … nothing would come up for the list view for my James user. 🙁 But when I changed it to Roles and Subordinates of SVP Sales & Marketing it shows up for him. Is my Hierarchy below somehow different from others?

    Hierarchy: DJs Practice account » CEO » SVP, Sales & Marketing » VP, North American Sales » Director, Direct Sales » Western Sales Team <– this is James current role,

    • JohnCoppedge April 3, 2015 at 1:58 pm #

      Hard to tell without looking at the org – make sure to trace back where you are sharing.

      In this example, we are going from List View –> Public Group –> Queue –> User. You will need to ensure that the user is connected to the queue, the queue to the group, the group to the view, etc.

  17. Alex Messinger January 15, 2015 at 4:10 pm #

    I set OWD on lead to private, but then I set up a queue called ‘marketing’ with membership equal to the marketing team role. Then I entered a lead sharing rule as follows: “if the lead is owned by the marketing queue, share it with the marketing team role.” That seemed to work. Any problems with that solution?

    • JohnCoppedge January 15, 2015 at 9:52 pm #

      Why use a queue on one side of the rule and a role on the other? I would keep it consistent – either share role to role or queue to queue, other than that all good!

  18. Henry Ho December 30, 2014 at 7:32 pm #

    Hi John,

    This is a great exercise. I think you should note the creation of new leads will not automatically be populated in the “Marketing Queue” list until the workflow is setup or I’m not following the solution correctly. Please confirm.

    • JohnCoppedge December 30, 2014 at 11:09 pm #

      Correct, you will need a lead assignment rule, workflow rule, or to manually assign leads to change the owner.

  19. Harleen MANN December 21, 2014 at 10:28 am #

    Very good exercise, this one. The prev ones were little noob. Cheers.

    • Munira Majmundar October 7, 2015 at 7:06 pm #

      I would not call it noob 🙁 However, I agree, this one was the hardest 🙁

  20. Edward Santandrea November 6, 2014 at 7:26 pm #

    John – I seem to be having the same brain lock as Kim noted above.

    “Kim Snyder September 7, 2014 at 3:33 pm #
    Everything has been quite clear up until this scenario. I can’t seem to see where you can do the second step in this sequence :
    Setup –> Manage Users –> Queues. New. “Marketing Queue”.
    Add Leads to Select Objects. (???? how)
    Add Public Group “Marking Queue” to select members.”

    • JohnCoppedge November 6, 2014 at 9:41 pm #

      You may have the new setup interface turned on?

      Instructions within this guide make the assumption that the Improved Setup User Interface is disabled.

      I suggest you double-check your org settings by navigating to Setup –> Customize –> User Interface; ensure “Enable Improved Setup User Interface” is not checked.

      If you enable this feature, step-by-step instructions within scenarios and exercises will not line up correctly (as the setup navigation menus will be different).

  21. Jody Mycka November 6, 2014 at 3:03 am #

    Thanks for the tip, I had marketing queue selected as the owner for the lead list view filter criteria. I changed it to unconverted.

    P.S. This is a GREAT resource for Salesforce admins!

  22. Jody Mycka November 5, 2014 at 9:48 pm #

    I followed the instructions above but when I select “Marketing Queue” within the leads tab I do not see any leads listed. Thoughts?

    • JohnCoppedge November 5, 2014 at 9:56 pm #

      You will need to ensure that at least one lead is owned by a user in one of the roles referenced in step 2 or simply transfer a lead to the marketing queue itself.

      • Margo Schwartz-Newton June 25, 2015 at 10:56 pm #

        Hi John,

        I followed all the steps you outlined in the solution, correcting the many mistakes made when trying to solve on my own, and so far, so good…except I, too, don’t see any leads in the marketing queue. There is a “homemade” lead, perhaps made from an earlier exercise (I don’t recall) owned by the test user James Smith, and though James falls under the marketing group assigned to the queue, this lead still does not appear in the queue.

        You mention transferring a lead to the marketing queue itself, but I can’t find anything offering this option. When I searched help for “transfer lead to queue,” 7575 results appeared, and none at first glance were applicable to this situation.

        Suggestions?

        Many thanks for your help and for this wonderful site!

        • JohnCoppedge July 2, 2015 at 9:45 pm #

          Change the owner of the lead and select the queue – if the queue is not selectable check the queue settings to ensure the lead object is assigned to the queue.

  23. Odelya Bouganim October 25, 2014 at 7:10 pm #

    All steps are perfectly clear but the last one, I can’t find the Marketing Queue list view, what might I be doing wrong ? Thanks !!

    • JohnCoppedge November 5, 2014 at 8:16 pm #

      Did you complete this step?
      Setup –> Manage Users –> Queues. New. “Marketing Queue”.
      Add Leads to Select Objects.
      Add Public Group “Marking Queue” to select members.
      Save.

  24. Scott Waddell September 16, 2014 at 5:38 pm #

    I’m not sure I understand why you need to create a group. When I created my queue, I just added the Marketing Team role as a member of the queue. Wouldn’t that do it?

    • JohnCoppedge September 17, 2014 at 7:08 pm #

      Yes. Adding a group will allow you to reference the queue within a sharing rule.

      Otherwise you would need to add the members of the queue to the sharing rule. If the members change, you have to update it in two places.

  25. Kim Snyder September 7, 2014 at 5:09 pm #

    Nevermind. I was having a brain freeze and figured this one out. I think of queues as being more of a workflow issue, but since it’s affecting data visibility I see why it’s here.

  26. Kim Snyder September 7, 2014 at 3:33 pm #

    Everything has been quite clear up until this scenario. I can’t seem to see where you can do the second step in this sequence :
    Setup –> Manage Users –> Queues. New. “Marketing Queue”.
    Add Leads to Select Objects. (???? how)
    Add Public Group “Marking Queue” to select members.

    Thanks.

    • Kim Snyder September 7, 2014 at 5:10 pm #

      Nevermind. Figured it out. Was having a brain freeze.

  27. Maria Huemmer August 10, 2014 at 7:15 pm #

    You can restrict views to be accessible to roles + subordinates, so if you grant access to the lead queue to VP Marketing + subordinates, you can do the same for the lead queue to ensure that sales does not see it. This accomplishes the scenario without needing to create a group.

    • JohnCoppedge August 11, 2014 at 1:15 am #

      You could do it that way – just a matter of preference. I personally would prefer to have the group match the queue exactly (thus maintain the members in one place), but you are correct – the group is not a requirement.

      • Kathy Brown February 12, 2015 at 6:35 pm #

        Would you mind explaining? By setting up a Group, then a Queue, how is that maintaining the member in one place?

        Seems like an unnecessary step? But trying to understand the logic, as questions do seem very “tricky” for no other reason than trying to trip people up.

        • JohnCoppedge February 13, 2015 at 1:22 am #

          It is not a required step – you could solve this scenario without the use of a group, and that would be fine. The use of a group is a recommendation based on my experience.

          What the group allows you to do is reference the same container for both the sharing rule and to share access to the list view.

          Think of it this way- you create a queue and a list view. Both of these are shared with 2 roles (the marketing roles listed in step 2).

          Six months later, you get a request to change who has access to the queue. No problem, you go into the queue and add another role. Are you going to remember to also grant that role access to the list view? Now, extend this same scenario out to access to 5 report folders, list views on opportunities, etc. You can’t share many of these components directly through a queue, but you can through a group – and the group can reference the queue. This step is really just trying to illustrate how you can use groups to streamline those updates in the future.

          • Munira Majmundar October 7, 2015 at 7:01 pm #

            Great insight! Now I understand the value of creating a group to maintain sanity 🙂

            I did accomplish the above, after getting a clue from the solution that I needed to change the Lead permission to Private :(, and without creating a group.

    • Leanne Harkin December 29, 2014 at 12:56 pm #

      Thanks!! That’s the way I did it.. glad I’m not on my own

    • Kevin Parsakia February 3, 2015 at 7:50 pm #

      Yeah, I went with the same approach.
