Use Your Salesforce Sharing Settings in Wave

Sharing inheritance creates a bridge between your Salesforce security model and Wave. For supported objects, sharing inheritance is now an alternative to security predicates.

As a Salesforce admin, you have likely labored over security, setting up sharing rules so that your users have access to data appropriate to their role. Setting up a working security model for your org is no small feat. Your company has invested a lot of time and money to get this right. But what about Wave Analytics?

Wave Analytics has its own row-level security solution—security predicates. They work well, but Wave administrators have to carefully replicate their Salesforce security settings. But who wants to set up security twice?

For supported objects, Wave administrators no longer need to use security predicates to replicate row-level security settings in Salesforce. Now you can enable the sharing inheritance feature in Wave and specify which objects use it when creating datasets during the Extract, Load, and Transform process. Your Salesforce sharing settings are honored in Wave, and you don’t have the overhead of maintaining two distinct security models.

Is Sharing Right for My Wave Org?

As with any new feature, we recommend that you thoroughly test sharing inheritance in a sandbox environment before rolling out to production. Test against your org’s security model, data and use cases. Complex security models in which users have access to a large number of rows can have performance implications. It's important to test your particular use cases to make sure sharing inheritance works for you.

In this first stage of a phased rollout of sharing for Wave, we support five of the most heavily used objects: Accounts, Opportunities, Orders, Cases, and custom objects. Other objects—such as Campaign, Idea, Site, and so on—still need to use security predicates.

Sharing isn't automatically applied to all datasets, and it isn't applied by default to new datasets. You must apply the sharing feature to each dataset manually. If an existing dataset has a security predicate, sharing won't override it. A dataset can use either sharing or a security predicate, but not both. You can inherit sharing settings from only one object, regardless of how many source objects are used in creating a dataset.

Getting Started

To enable sharing in Wave:

  1. From Setup, enter Analytics in the Quick Find box, then select Settings under Analytics.
  2. Select Enable Wave Sharing Inheritance and click Save.

    Page with various config checkboxes, one of which is for enabling Sharing.

  3. For each dataset that you want to inherit sharing, specify the “source” object from which this sharing comes. You can do this in three ways.
    Through the Dataflow (When Creating New Datasets Only)
    Add the "rowLevelSharingSource" parameter to the "sfdcRegister" node parameters for the dataset.

    The rowLevelSharingSource parameter takes a string, which should be the API name for the object from which sharing is inherited. In the following example, the parameter specifies that the Salesforce sharing rules on the Opportunity object should be inherited.

              "label":"Opportunity with Security",

    Through the Dataset Edit Page (For Existing Datasets)
    Edit the dataset, and enter the API name for the object in the Sharing Source field.

    Enter object name in Sharing Source field on the dataset edit page.

    See Edit a Dataset for help with editing a dataset.


    Consider the following when adding a sharing source through the dataset edit page.

    • Sharing inheritance is not supported for datasets created from CSV files. Specifying a sharing source generates an error.
    • Don’t specify both a security predicate and a sharing source. This generates an error.
    • Specifying an incorrect name or an unsupported object generates an error. Account, Opportunity, Order, Case, and custom objects are supported.

    Through the REST API (For Existing Datasets)

    The sharingSource property on the /wave/datasets/${datasetId}/versions/${versionId} endpoint specifies the object from which sharing rules are inherited for that dataset version.
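
As an added example (not part of the original page and not Salesforce tooling), the following Python check lints a dataflow definition before upload against the rules stated above: a dataset uses either a security predicate or a sharing source, never both, and the sharing source must be Account, Opportunity, Order, Case, or a custom object. The sample dataflow, its node names, and the predicate are constructed; the check assumes that rowLevelSecurityFilter is the sfdcRegister parameter holding the security predicate and that custom objects are identified by the __c API-name suffix.

```python
# Added example: lint sfdcRegister nodes in a Wave dataflow definition.
SUPPORTED_STANDARD = {"Account", "Opportunity", "Order", "Case"}


def is_supported_source(api_name):
    """Supported per the page: four standard objects plus custom objects.
    Assumption: a custom object is recognized by its "__c" API-name suffix."""
    return api_name in SUPPORTED_STANDARD or api_name.endswith("__c")


def lint_dataflow(definition):
    """Return a list of findings, one string per problem, in node order."""
    findings = []
    for node_name, node in definition.items():
        if node.get("action") != "sfdcRegister":
            continue  # only register nodes carry row-level security settings
        params = node.get("parameters", {})
        source = params.get("rowLevelSharingSource")
        predicate = params.get("rowLevelSecurityFilter")
        if source and predicate:
            findings.append(f"{node_name}: sets both a security predicate and a sharing source")
        if source and not is_supported_source(source):
            findings.append(f"{node_name}: unsupported sharing source {source!r}")
        if not source and not predicate:
            findings.append(f"{node_name}: neither a security predicate nor a sharing source is set")
    return findings


def register(source_node, alias, **security):
    """Build a constructed sfdcRegister node for the sample below."""
    params = {"source": source_node, "alias": alias, "name": alias}
    params.update(security)
    return {"action": "sfdcRegister", "parameters": params}


# Constructed sample dataflow: node names, aliases and the predicate are made up.
SAMPLE_DATAFLOW = {
    "Extract_Opp": {"action": "sfdcDigest", "parameters": {"object": "Opportunity"}},
    "Reg_Opp": register("Extract_Opp", "OppSec", rowLevelSharingSource="Opportunity"),
    "Reg_Invoice": register("Extract_Inv", "InvSec", rowLevelSharingSource="Invoice__c"),
    "Reg_Case": register("Extract_Case", "CaseSec", rowLevelSharingSource="Case",
                         rowLevelSecurityFilter="'OwnerId' == \"$User.Id\""),
    "Reg_Campaign": register("Extract_Camp", "CampSec", rowLevelSharingSource="Campaign"),
    "Reg_Plain": register("Extract_Acct", "AcctAll"),
}

if __name__ == "__main__":
    for finding in lint_dataflow(SAMPLE_DATAFLOW):
        print(finding)
```

Nodes flagged with neither setting are worth a manual review, since such a dataset gets no row-level restriction from either mechanism.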