The Security User & Row-Level Security in CRM Analytics

Learn what the CRM Analytics Security User does: previewing data in recipes and reading User-object fields for security predicates that drive row-level security.

The Security User & Row-Level Security

Alongside the Integration User, CRM Analytics ships a second special account: the Security User. It has a narrow but important job, and — like the Integration User — you must never delete it. This lesson explains its two roles and uses them to introduce one of the platform's most powerful ideas: row-level security.

The Security User's two jobs

The Security User exists to do exactly two things:

Preview data in recipes

Powers the "view as" data preview while you build datasets in Data Prep recipes, so you can see sample rows as you transform data.

Read User-object fields for predicates

Reads fields on the User object at query time so security predicates can decide which rows each running user is allowed to see.

The second job is the one worth understanding deeply, because it is what makes row-level security work.

Do not delete or deactivate the Security User either. If it loses access to the User fields your predicates rely on, row-level security can silently break and users may see too many rows — or none at all.

What row-level security actually is

Imagine two people open the exact same dashboard at the same moment. I run it and see 1,000 rows; you run it and see 2,000 rows. Nothing about the dashboard changed — what changed is who is running it. That is row-level security: the platform filters the rows of a dataset per user, based on who they are.

The mechanism behind it is a security predicate — a filter rule attached to a dataset that is evaluated at query time against the running user. A predicate can say things like "show only rows where the record's owner equals the running user" or "show only rows for the running user's region." Because it runs at query time, the same dataset serves different slices to different people automatically.

A security predicate is evaluated fresh on every query, for whoever is running it. That is why one dataset can safely serve a rep who should see only their accounts and a VP who should see the whole region — without building separate datasets.

Where the Security User comes in

To evaluate a predicate, CRM Analytics has to read attributes about the running user — their user id, role, region, team, or any other field on the User object. It reads those fields as the Security User. That is precisely why the Security User needs access to the User object: it is the account that looks up "who is this person and what are their attributes?" so the predicate can filter accordingly.

The custom User field gotcha

You can build a predicate on any field on the User object — standard fields like UserId and Role, or your own custom User fields (say, a custom Region__c or Team__c). But there is a catch that mirrors the Integration User's:

If your predicate references a custom field on the User object, the Security User must have read access to that field. Miss this and the predicate cannot read the value, and row-level security will not filter correctly.

Two special users, one pattern

Notice the symmetry across this lesson and the last. Both the Integration User and the Security User are system accounts you must keep alive, and both share the same custom-field gotcha: standard fields work automatically, but custom fields need explicit read access. Internalize that pattern and two whole categories of setup bugs disappear.

Next we look at the org-level Analytics settings that switch features on and off — and how to get a free org to practice in.

Discussion

No comments yet — be the first to start the discussion.