Hands-On: Assigning CRM Analytics Access

A click-by-click walkthrough of CRM Analytics setup: check Analytics settings, inspect a user's license and permission sets, then build and assign a scoped permission set.

Hands-On: Assigning Access

Time to put the concepts to work. This lesson is a practical walkthrough through Salesforce Setup — checking the Analytics settings, inspecting how a real user is licensed and permissioned, and then building a brand-new scoped permission set from scratch. Open your free Developer org and follow along.

Step 1 — Check the Analytics settings

Start in Setup → Quick Find → Analytics → Settings. This is where you confirm the org is ready. Two things worth noticing here:

  • Rows used — CRM Analytics has a data-row limit, and this page shows how much of it you have consumed. Keep an eye on it as your datasets grow.
  • Getting started — links and toggles that confirm analytics is enabled and point you to the Studio.

A quick glance here tells you the platform is switched on before you start assigning access.

Step 2 — Inspect a user's access

Now go to Setup → Users and open a user who already has analytics. On their user record you will see the two layers from earlier in this section, side by side:

Permission-set licenses

The CRM Analytics (Tableau CRM) Plus PSL that entitles the user — and possibly an app license like Sales Analytics alongside it.

Permission set assignments

The permission sets granting actual capabilities. The default admin set has most analytics System Permissions pre-selected.

Open the System Permissions of that default admin permission set and you will see nearly every analytics permission — Manage Analytics included — already checked. That is what a full administrator looks like. Most of your users should look nothing like this.

Step 3 — Build a scoped permission set

Now the real exercise: create a new, tightly scoped permission set for an everyday dashboard builder — someone who should build and view analytics but must not touch data plumbing.

  1. 1

    Create the permission set

    In Setup → Permission Sets, click New, give it a clear name like CRMA Dashboard Builder, and save.

  2. 2

    Open System Permissions

    Inside the new set, open the System Permissions section and click Edit to choose analytics capabilities.

  3. 3

    Grant the everyday capabilities

    Enable "Use Analytics", the ability to download and use dashboards, and permission to create apps and dashboards.

  4. 4

    Withhold the risky ones

    Leave OFF the ability to add data connections and edit dataflows — those belong to admins, not builders.

  5. 5

    Save and assign

    Save the permission set, then use Manage Assignments to assign it to the target user (who must already hold the PSL).

The result is a user who can create apps, build and download dashboards, and explore data — but cannot add connections or alter dataflows. That is least privilege in action, and it is exactly the kind of set you will hand out most often in a real deployment.

Name scoped permission sets after the role they represent — "CRMA Dashboard Builder", "CRMA Viewer", "CRMA Data Engineer". Future-you (and every admin who inherits the org) will thank you when it is obvious what each set is for.

Where to go deeper

Salesforce maintains thorough official documentation for every permission and setting you have seen here. When you need the authoritative list of System Permissions or the current state of a beta toggle, go to the source:

That wraps the practical walkthrough. You can now provision a user end to end: license them, assign a thoughtfully scoped permission set, and confirm they see exactly what they should. Next, prove it with the graded quiz.

Discussion

No comments yet — be the first to start the discussion.