managing the role hierarchy at enterprise scale
TRANSCRIPT
Managing the Role Hierarchy at
Enterprise Scale Bud Vieira, Salesforce, CCE Technical Enablement
@aavra
Sean Regan, Salesforce, CCE Technical Enablement
@sfdcsregan
Robert Kraynak, Symantec Corporation, Sr. Director Change and Cloud Enablement
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if
any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-
looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of
product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of
management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments
and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our
service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth,
interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other l itigation, risks associated
with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain,
and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling
non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the
financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. This
documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may
not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently
available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Collaborate!
Post questions to session Chatter
Use�any device
We’ll collect the questions for the
Q&A session
Agenda
Role Hierarchy at Enterprise Scale – the Challenge
Role Management Success – Tools and Strategies
Customer Success – Role Management at Symantec
Key Take Aways
Q&A
Bud Vieira
Senior Member of Technical Staff
CCE Technical Enablement
@aavra
Role Hierarchy at Enterprise Scale
Global sales operations 1000s of roles
Cross-functional collaboration Sharing Rules
Portals complexity, 10s of K’s of roles
vs
What is Sharing Maintenance?
Sharing is optimized for end user performance
Access is calculated as configuration changes
Sharing Rules
Role Hierarchy Structure
User Role Changes
Large Data Loads
Big Changes + Big Data *may* = Big Calc
“Under the Hood” of a Role Change
Sharing Rule Recalc
Betty
A2 B2
Hierarchy Inheritance
Access to Child Records
Portal Account Roles
Example: Salesforce.com Realignment ‘11
Basic Stats
~19M Accounts and Related Records
~60K Roles
~700 Sharing Rules on Accounts and Children
Scope of the Changes
New executive role
Child record access settings
1M Accounts changed owners
2000 Users changed roles
Key Take-Aways
Security is calculated in advance to optimize user experience
Changes that seem simple can involve a lot of recalculation
Actively manage complex orgs to optimize performance
Sean Regan
Senior Member of Technical Staff
CCE Technical Enablement
@sfdcsregan
Role Management Success
Managing Role Growth
Role defaults for Portals
Deleting unused Roles via API
Best Practices for Major Sharing Changes
CCE Publications on Sharing
Role Performance Features Rule Defaults for Portals
Set Portal Role Defaults to Minimum Value
Role Performance Features Rule Defaults for Portals
Apex to insert an additional UserRole.
UserRole ur = new UserRole();
ur.PortalAccountId = ‘00130000019hCSo’;
ur.PortalType = ‘Partner’;
INSERT ur;
UserRole is a setup object
Role Performance Features Deleting Unused Roles
Determine what roles to delete
Unused
All inactive users
Last login timeframe
Move users to a different role
Delete the target roles
Deleting Roles – Step 1 Find the Empty Roles
Back Up Your DATA!!!
SOQL Query to extract the Partner roles not assigned to any user.
SELECT
CaseAccessForAccountOwner, ContactAccessForAccountOwner, ForecastUserId, Id,
MayForecastManagerShare, Name, OpportunityAccessForAccountOwner, ParentRoleId, PortalAccountId,
PortalAccountOwnerId, PortalRole, PortalType,RollupDescription
FROM
UserRole
WHERE
PortalType = 'Partner' and PortalRole in (‘Executive’,’Manager’) and Id not in(select UserRoleId from User)
Deleting Roles – Step 2 Check for manual shares that will be deleted
SOQL Query to extract the Manual Object Shares (e.g. AccountShares) created for
RolesAndSubordinates:
SELECT
AccountAccessLevel, AccountId, CaseAccessLevel, ContactAccessLevel, Id, OpportunityAccessLevel, RowCause,
UserOrGroupId
FROM
AccountShare
WHERE
RowCause = 'Manual' and UserOrGroupId in (Select Id from Group where Type = 'RoleAndSubordinates‘ or Type =
‘Role’)
Results from above should be extracted from the partner roles extracted in Step 1.
Deleting Roles – Step 3 Check for Sharing Rules that will be deleted
Analyze Sharing Rules and exclude the Roles that have Sharing Rules defined
SELECT
Id
FROM
Group
WHERE
relatedId in (SELECT Id FROM UserRole WHERE Name in (‘Company 1 Partner Executive', 'Company 2 Partner
Executive', 'Company 3 Partner Executive')) and Type = 'Role’
Results from above should be extracted from the partner roles extracted in Step 1.
Deleting Roles – GO! Execute the Deletion
Prepare to Delete
Test in a full Sandbox!!!
Segment your data (e.g. date, country)
Recommended batch size is 10
Perform deletion
Note: parallel processing role deletions will cause lock exceptions
Best Practices for Major Changes to Sharing
CCE-TE Publications
Search: “Salesforce Architect Core Resources”
Record Level Access: Under the Hood
http://bit.ly/RhzT3H
Designing Record Access for Enterprise Scale
Coming Soon
Managing Ownership Skew For Peak Performance
http://bit.ly/NYJ2gj
Avoid Account Skew For Peak Performance
http://bit.ly/IlYUZV
Key Take-Aways
Only create the portal roles you need
Periodically query and delete unneeded roles
Learn and follow best practices for large scale sharing changes
Contact Support or Services for assistance on any large scale organization
realignments
Robert Kraynak
Sr. Director Cloud Enablement
at a Glance
Approximately 20,500 employees
Founded in 1982
IPO in 1989
Operations in 48 countries
100 percent of Fortune 500 companies are customers
#391 on the 2012 Fortune 500
$6.7 billion revenue in FY 2012;
approximately 52% outside of the U.S.
More than 1500 global patents
Symantec footprint on more than one billion systems
Included on Fortune’s Most Admired
Companies list
Invests 14% of annual revenue in R&D*
* R&D investment is Non-GAAP
Symantec is a global leader in
providing security, storage, and
systems management solutions
to help consumers and
organizations
secure and manage
their information
and identities.
Symantec Is –
Symantec Salesforce.com Org Strategy
SF2SF Business
Org
Internal Org
Consumer Org
Sales Cloud – 7500
Service Cloud – 4500
Channel – 40K
HVPU – 750K
Custom Apps
PMA
Discounts
Business
Chatter – 16K+ chatter users
Blogs – 51 blogs created
Ideas – 4 communities
Social
Custom Apps
IT Apps
Test bed
Internal
Service Cloud - 1500
Ideas
Custom Apps
Consumer
Symantec’s Sharing Model
Role Hierarchy
• For Sales = Organizational Hierarchy
• For Service = Product and/or Region based
Territory Hierarchy = Sales Hierarchy (reporting only)
OWDs = Private
• ~80% visibility controlled by roles & sharing rules (ownership & criteria based)
• Remaining via manual & programmatic shares
Teams also used for setting default teams (not visibility)
Role & Territory Hierarchies modified annually
Before & Why – Role Reduction
~ 20K Standard roles vs. ~130K Portal roles
# of roles = 152,885 of 155K limit – 99% usage
• Approaching role limit
• Still deploying more Business Units
• Reporting cumbersome
• Simplify!
• Supports efficient, scalable, well performing org
How We Did It
• Portal role default = 3
• Analyzed sharing rules for no impacts
• Analyzed portal roles with no users
Considered role creation date
• Via API, removed unnecessary portal roles
• Tested in a full copy sandbox
• Utilized a maintenance window for Prod
… and we’re not done yet …
Before and After
# of roles = 123,071 of 155K limit –
79% usage
•Migrating to HVPU
•Need to review portal role defaults
•Flexible, scalable
# of roles = 152,885 of 155K
limit – 99% usage
•Approaching role limit
•Still deploying business units
•Cumbersome reporting
•Simplify!
Beyond – Periodic Maintenance
Periodic maintenance to review sharing model (roles, sharing rules, TM)
• Data security architecture review currently underway
• Review portal role defaults with business with intent to decrease default
• Revisit each sharing rule – look for efficiencies
• Update sharing model documentation (hierarchy framework; sharing rules
spreadsheet)
Provides a holistic view
Onboarding (internal and consulting)
SFDC enhancements
This is a journey; not a destination
Key Take-Aways
• Have as simple a sharing model as possible
• Continuously look for efficiencies – keep roles trimmed
• Your sharing model is foundational to your platform
• Follow best practices for large scale org changes and sales team
realignments
• Take the time to read and understand the CCE white papers on sharing
Bud Vieira
CCE Technical Enablement
Salesforce
@aavra
Sean Regan
CCE Technical Enablement
Salesforce
@sfdcsregan
Robert Kraynak
Sr. Director
Change and Cloud Enablement
Symantec Corporation