[{"data":1,"prerenderedAt":337},["ShallowReactive",2],{"navigation":3,"page-\u002Fsetup\u002Fthe-security-user":130,"\u002Fsetup\u002Fthe-security-user-surround":331,"comments-\u002Fsetup\u002Fthe-security-user":336},[4],{"title":5,"path":6,"stem":7,"children":8,"page":129},"En","\u002Fen","en",[9,53,87],{"title":10,"path":11,"stem":12,"children":13,"icon":52},"CRM Analytics Foundations","\u002Fen\u002Ffoundations","en\u002F1.foundations\u002F1.index",[14,16,20,24,28,32,36,40,44,48],{"title":15,"path":11,"stem":12},"Welcome & Dev Org",{"title":17,"path":18,"stem":19},"Graded Quiz","\u002Fen\u002Ffoundations\u002Fquiz","en\u002F1.foundations\u002F10.quiz",{"title":21,"path":22,"stem":23},"What Is CRM Analytics?","\u002Fen\u002Ffoundations\u002Fwhat-is-crm-analytics","en\u002F1.foundations\u002F2.what-is-crm-analytics",{"title":25,"path":26,"stem":27},"Architecture","\u002Fen\u002Ffoundations\u002Farchitecture-and-data-flow","en\u002F1.foundations\u002F3.architecture-and-data-flow",{"title":29,"path":30,"stem":31},"The Data Layer","\u002Fen\u002Ffoundations\u002Fthe-data-layer","en\u002F1.foundations\u002F4.the-data-layer",{"title":33,"path":34,"stem":35},"The Design Layer","\u002Fen\u002Ffoundations\u002Fthe-design-layer","en\u002F1.foundations\u002F5.the-design-layer",{"title":37,"path":38,"stem":39},"The Intelligence Layer","\u002Fen\u002Ffoundations\u002Fthe-intelligence-layer","en\u002F1.foundations\u002F6.the-intelligence-layer",{"title":41,"path":42,"stem":43},"Hands-On Tour","\u002Fen\u002Ffoundations\u002Fhands-on-tour","en\u002F1.foundations\u002F7.hands-on-tour",{"title":45,"path":46,"stem":47},"Six Adoption Steps","\u002Fen\u002Ffoundations\u002Fsix-steps-and-interview-prep","en\u002F1.foundations\u002F8.six-steps-and-interview-prep",{"title":49,"path":50,"stem":51},"Interview Questions","\u002Fen\u002Ffoundations\u002Finterview-questions","en\u002F1.foundations\u002F9.interview-questions","i-lucide-compass",{"title":54,"path":55,"stem":56,"children":57,"icon":86},"Setup & User Provisioning","\u002Fen\u002Fsetup","en\u002F2.setup\u002F1.index",[58,60,64,68,72,76,80,83],{"title":59,"path":55,"stem":56},"Provisioning Users",{"title":61,"path":62,"stem":63},"Licenses & Permissions","\u002Fen\u002Fsetup\u002Flicenses-and-permission-sets","en\u002F2.setup\u002F2.licenses-and-permission-sets",{"title":65,"path":66,"stem":67},"Integration User","\u002Fen\u002Fsetup\u002Fthe-integration-user","en\u002F2.setup\u002F3.the-integration-user",{"title":69,"path":70,"stem":71},"Security User","\u002Fen\u002Fsetup\u002Fthe-security-user","en\u002F2.setup\u002F4.the-security-user",{"title":73,"path":74,"stem":75},"Analytics Settings","\u002Fen\u002Fsetup\u002Fanalytics-settings","en\u002F2.setup\u002F5.analytics-settings",{"title":77,"path":78,"stem":79},"Hands-On Access","\u002Fen\u002Fsetup\u002Fhands-on-assigning-access","en\u002F2.setup\u002F6.hands-on-assigning-access",{"title":17,"path":81,"stem":82},"\u002Fen\u002Fsetup\u002Fquiz","en\u002F2.setup\u002F7.quiz",{"title":49,"path":84,"stem":85},"\u002Fen\u002Fsetup\u002Finterview-questions","en\u002F2.setup\u002F8.interview-questions","i-lucide-settings-2",{"title":88,"path":89,"stem":90,"children":91,"icon":128},"Creating Datasets","\u002Fen\u002Fcreating-datasets","en\u002F3.creating-datasets\u002F1.index",[92,94,97,101,105,109,113,117,121,125],{"title":93,"path":89,"stem":90},"What Is a Dataset?",{"title":17,"path":95,"stem":96},"\u002Fen\u002Fcreating-datasets\u002Fquiz","en\u002F3.creating-datasets\u002F10.quiz",{"title":98,"path":99,"stem":100},"The Data Landscape","\u002Fen\u002Fcreating-datasets\u002Fthe-data-landscape","en\u002F3.creating-datasets\u002F2.the-data-landscape",{"title":102,"path":103,"stem":104},"Upload a CSV","\u002Fen\u002Fcreating-datasets\u002Fload-data-from-csv","en\u002F3.creating-datasets\u002F3.load-data-from-csv",{"title":106,"path":107,"stem":108},"Grain, Lookups & Joins","\u002Fen\u002Fcreating-datasets\u002Fgrain-lookups-and-joins","en\u002F3.creating-datasets\u002F4.grain-lookups-and-joins",{"title":110,"path":111,"stem":112},"Dataset Builder","\u002Fen\u002Fcreating-datasets\u002Fbuild-with-dataset-builder","en\u002F3.creating-datasets\u002F5.build-with-dataset-builder",{"title":114,"path":115,"stem":116},"Run the Dataflow","\u002Fen\u002Fcreating-datasets\u002Frun-and-troubleshoot-the-dataflow","en\u002F3.creating-datasets\u002F6.run-and-troubleshoot-the-dataflow",{"title":118,"path":119,"stem":120},"Build with a Recipe","\u002Fen\u002Fcreating-datasets\u002Fbuild-the-same-dataset-with-a-recipe","en\u002F3.creating-datasets\u002F7.build-the-same-dataset-with-a-recipe",{"title":122,"path":123,"stem":124},"Combine Datasets","\u002Fen\u002Fcreating-datasets\u002Fcombine-datasets","en\u002F3.creating-datasets\u002F8.combine-datasets",{"title":49,"path":126,"stem":127},"\u002Fen\u002Fcreating-datasets\u002Finterview-questions","en\u002F3.creating-datasets\u002F9.interview-questions","i-lucide-database",false,{"id":131,"title":132,"access":133,"body":134,"description":321,"extension":322,"interview":133,"links":133,"meta":323,"navigation":324,"passScore":133,"path":70,"quiz":133,"seo":325,"stem":71,"video":326,"__hash__":330},"docs\u002Fen\u002F2.setup\u002F4.the-security-user.md","The Security User & Row-Level Security in CRM Analytics",null,{"type":135,"value":136,"toc":311},"minimark",[137,142,154,159,162,167,170,180,184,210,221,228,232,247,251,279,293,297,304],[138,139,141],"h1",{"id":140},"the-security-user-row-level-security","The Security User & Row-Level Security",[143,144,145,146,149,150,153],"p",{},"Alongside the Integration User, CRM Analytics ships a second special account: the ",[147,148,69],"strong",{},". It has a narrow but important job, and — like the Integration User — you must never delete it. This lesson explains its two roles and uses them to introduce one of the platform's most powerful ideas: ",[147,151,152],{},"row-level security",".",[155,156,158],"h2",{"id":157},"the-security-users-two-jobs","The Security User's two jobs",[143,160,161],{},"The Security User exists to do exactly two things:",[163,164],"lesson-cards",{":columns":165,":items":166},"2","[{\"title\":\"Preview data in recipes\",\"icon\":\"i-lucide-eye\",\"description\":\"Powers the \\\"view as\\\" data preview while you build datasets in Data Prep recipes, so you can see sample rows as you transform data.\"},{\"title\":\"Read User-object fields for predicates\",\"icon\":\"i-lucide-users\",\"description\":\"Reads fields on the User object at query time so security predicates can decide which rows each running user is allowed to see.\"}]",[143,168,169],{},"The second job is the one worth understanding deeply, because it is what makes row-level security work.",[171,172,174],"note",{"icon":173},"i-lucide-shield-alert",[143,175,176,179],{},[147,177,178],{},"Do not delete or deactivate the Security User"," either. If it loses access to the User fields your predicates rely on, row-level security can silently break and users may see too many rows — or none at all.",[155,181,183],{"id":182},"what-row-level-security-actually-is","What row-level security actually is",[143,185,186,187,190,191,194,195,190,198,201,202,206,207,209],{},"Imagine two people open the exact same dashboard at the same moment. ",[147,188,189],{},"I"," run it and see ",[147,192,193],{},"1,000 rows","; ",[147,196,197],{},"you",[147,199,200],{},"2,000 rows",". Nothing about the dashboard changed — what changed is ",[203,204,205],"em",{},"who"," is running it. That is ",[147,208,152],{},": the platform filters the rows of a dataset per user, based on who they are.",[143,211,212,213,216,217,220],{},"The mechanism behind it is a ",[147,214,215],{},"security predicate"," — a filter rule attached to a dataset that is evaluated ",[147,218,219],{},"at query time"," against the running user. A predicate can say things like \"show only rows where the record's owner equals the running user\" or \"show only rows for the running user's region.\" Because it runs at query time, the same dataset serves different slices to different people automatically.",[222,223,225],"tip",{"icon":224},"i-lucide-filter",[143,226,227],{},"A security predicate is evaluated fresh on every query, for whoever is running it. That is why one dataset can safely serve a rep who should see only their accounts and a VP who should see the whole region — without building separate datasets.",[155,229,231],{"id":230},"where-the-security-user-comes-in","Where the Security User comes in",[143,233,234,235,238,239,242,243,246],{},"To evaluate a predicate, CRM Analytics has to read attributes about the ",[147,236,237],{},"running user"," — their user id, role, region, team, or any other field on the ",[147,240,241],{},"User object",". It reads those fields ",[147,244,245],{},"as the Security User",". That is precisely why the Security User needs access to the User object: it is the account that looks up \"who is this person and what are their attributes?\" so the predicate can filter accordingly.",[155,248,250],{"id":249},"the-custom-user-field-gotcha","The custom User field gotcha",[143,252,253,254,257,258,262,263,266,267,270,271,274,275,278],{},"You can build a predicate on ",[147,255,256],{},"any field on the User object"," — standard fields like ",[259,260,261],"code",{},"UserId"," and ",[259,264,265],{},"Role",", or your own ",[147,268,269],{},"custom User fields"," (say, a custom ",[259,272,273],{},"Region__c"," or ",[259,276,277],{},"Team__c","). But there is a catch that mirrors the Integration User's:",[171,280,282],{"icon":281},"i-lucide-triangle-alert",[143,283,284,285,288,289,292],{},"If your predicate references a ",[147,286,287],{},"custom field on the User object",", the ",[147,290,291],{},"Security User must have read access"," to that field. Miss this and the predicate cannot read the value, and row-level security will not filter correctly.",[155,294,296],{"id":295},"two-special-users-one-pattern","Two special users, one pattern",[143,298,299,300,303],{},"Notice the symmetry across this lesson and the last. Both the Integration User and the Security User are system accounts you must keep alive, and both share the same custom-field gotcha: ",[147,301,302],{},"standard fields work automatically, but custom fields need explicit read access."," Internalize that pattern and two whole categories of setup bugs disappear.",[143,305,306,307,310],{},"Next we look at the org-level ",[147,308,309],{},"Analytics settings"," that switch features on and off — and how to get a free org to practice in.",{"title":312,"searchDepth":313,"depth":314,"links":315},"",1,2,[316,317,318,319,320],{"id":157,"depth":314,"text":158},{"id":182,"depth":314,"text":183},{"id":230,"depth":314,"text":231},{"id":249,"depth":314,"text":250},{"id":295,"depth":314,"text":296},"Learn what the CRM Analytics Security User does: previewing data in recipes and reading User-object fields for security predicates that drive row-level security.","md",{},{"title":69},{"title":132,"description":321},{"id":327,"start":328,"end":329},"0UrasqsdHXU",233,315,"kk54oMn3p5avaZF5mP8ZBlZtUHK2qhKh4hMbCJc5BQg",[332,334],{"title":65,"path":66,"stem":67,"description":333,"children":-1},"Meet the Analytics Integration User: how it reads Salesforce data into datasets, why custom objects need explicit access, and how its locale sets the language of data values.",{"title":73,"path":74,"stem":75,"description":335,"children":-1},"Tour the CRM Analytics settings page and its feature toggles, learn why to test new features in a sandbox first, and get a free Developer org to practice in.",[],1783475168378]