Security in Veeva CRM
The salesforce.com platform includes an extensive set of security controls. These controls are documented in the salesforce.com User Guide, which you can reference online from the application.
These controls include the following:
- Device and Data Security
- Object level security
- Field level security
- Sharing rules
- Permission Sets
- Security Best Practices for Profiles
- Third-party Keyboards
- FTP
Every customer will implement security in a slightly different way. This topic explains the most common ways to use salesforce.com security controls to configure the Veeva CRM application.
Device and Data Security
An MDM system must be able to get information from the device (iPad) and safeguard sensitive data in the event it is lost or stolen. Consumers can activate the Find My iPad feature for free through MobileMe©. This service allows a user to locate their iPad on a map, enable a passcode lock, or erase all data from the device remotely using any web browser. Many MDM solutions offer similar capabilities to centrally clear passcodes, or remotely wipe or lock devices.
Object Level Security
Object security controls whether a user's profile (Specialty Sales or MSL, for example) can create, read, update, or delete (CRUD) records of a given object type. For example, a user whose profile does not have the Delete permission on Accounts cannot delete any accounts.
In many ways, Object Security is the simplest security control. It operates on the entire object, covering every field and every record in that object. For example, to configure that only administrators have delete access to Accounts, you would use Object security.
Field Level Security
Field level security controls, per profile (Specialty Sales or MSL, for example), which fields of an object users can see and which fields they can edit. Use this to completely hide a field from a group of users or to make the field read only for a group of users.
Field Level Security is the next simplest security control. It operates on an entire field of an object. For example, to configure accounts so that only administrators can update the primary specialty on Account, or to prevent primary reps from viewing fields used by MSLs, you would use field level security.
Data Sharing Rules
Data sharing rules can be applied to increase visibility to records that are Private or Public Read-Only and controlled by the Role Hierarchy or Territory Management. For example, you may apply these rules to give a certain group write access to the product catalog, or access to accounts that for some reason do not fall in their territory.
Read-only sharing rules are not supported on Veeva generated pages, or offline platforms.
Permission Sets
Veeva CRM supports Permission Sets, which became available in API version 22.
Configuration
Configuration for supporting Permission Sets requires the VeevaUserPermissions Apex class to be installed, configured for Salesforce API v25+, and enabled for all profiles. When adding new profiles, be sure to enable access to the Apex class for them as well.
To configure Permission Sets:
- Navigate to the Apex Class VeevaUserPermissions (Setup > App Setup > Develop > Apex Class).
- Enable profile access to the Apex Class VeevaUserPermissions.
- Click Security.
- Select all profiles under Available Profiles. It is important to select all profiles, regardless of whether they have Permission Sets defined, in order to avoid future configuration inconsistencies.
- Click Add to move them to Enabled Profiles.
- Click Save.
Users must have VeevaUserPermissions Apex Class Access allocated at the profile level rather than through a permission set.
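The steps above grant the class through the Setup UI; the following added example (not Veeva or Salesforce code) shows how to audit the result afterwards. It assumes the standard Salesforce setup objects SetupEntityAccess, PermissionSet and ApexClass, and uses constructed rows in place of a live SOQL result to flag profiles with no profile-level grant and any standalone permission sets that grant the class instead.

```python
"""Audit which profiles can run the VeevaUserPermissions Apex class."""

APEX_CLASS = "VeevaUserPermissions"

# Lists every grant of the class. Parent is the PermissionSet row; a
# profile-level grant appears as a permission set owned by that profile.
AUDIT_SOQL = f"""
SELECT Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name
FROM SetupEntityAccess
WHERE SetupEntityType = 'ApexClass'
  AND SetupEntityId IN (SELECT Id FROM ApexClass WHERE Name = '{APEX_CLASS}')
"""

# Constructed sample data standing in for the org's profile list and the
# nested records the REST API returns for AUDIT_SOQL.
SAMPLE_PROFILES = ["System Administrator", "Specialty Sales", "MSL"]
SAMPLE_GRANTS = [
    {"Parent": {"Name": "System Administrator", "IsOwnedByProfile": True,
                "Profile": {"Name": "System Administrator"}}},
    {"Parent": {"Name": "Specialty Sales", "IsOwnedByProfile": True,
                "Profile": {"Name": "Specialty Sales"}}},
    # Standalone permission set: not acceptable for this class (see text).
    {"Parent": {"Name": "Veeva Extras", "IsOwnedByProfile": False,
                "Profile": None}},
]


def audit_apex_access(all_profiles, grants):
    """Return (profiles_missing_access, standalone_permission_sets).

    A profile counts as configured only when the grant is owned by the
    profile itself; grants from standalone permission sets are reported
    separately so they can be moved to the profile level.
    """
    profile_level = set()
    standalone = []
    for grant in grants:
        parent = grant["Parent"]
        if parent["IsOwnedByProfile"]:
            profile_level.add(parent["Profile"]["Name"])
        else:
            standalone.append(parent["Name"])
    missing = sorted(set(all_profiles) - profile_level)
    return missing, sorted(standalone)


if __name__ == "__main__":
    missing, standalone = audit_apex_access(SAMPLE_PROFILES, SAMPLE_GRANTS)
    print("profiles without class access:", missing)
    print("standalone permission sets granting the class:", standalone)
```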
Security Best Practices for Profiles
You should become familiar with salesforce.com security administration by taking a class from salesforce.com or contracting with a qualified consultant. After you have this level of knowledge, refer to the sample profiles that are delivered with the Veeva CRM application. We recommend that you keep these profiles as a reference point and that you make copies of them to implement your own profiles.
Security rules for object and record access can then be configured within the Veeva CRM application to meet your business needs.
Third-Party Keyboards
Veeva CRM does not prevent the use of third-party keyboards. Third-party keyboards have the potential to capture, leak, and misuse the keystroke data they process. Customers should rely on their own mobile device management to manage this.
FTP Connections
Veeva CRM requires TLS 1.2 for all FTP connections.
Users who manually upload files using an FTP client should follow the instructions provided by the FTP client to configure it to use explicit TLS.
For example, customers using FileZilla as their client should select Require explicit FTP over TLS from the Encryption dropdown list.
The ftpes:// prefix can also be added to the host location. For example, ftpes://vf13.vod309.com.
Ensure TLS 1.2 encryption protocols are enabled in any integrations using FTP.
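For scripted integrations, the added example below (not Veeva code) shows what "explicit TLS 1.2" means in practice: the client upgrades the control channel with AUTH TLS, refuses anything older than TLS 1.2, verifies the server certificate, and also protects the data channel with PROT P, which the Encryption dropdown in a GUI client handles for you. It uses only the standard-library ftplib and ssl modules; the credentials and file names are placeholders, and the ftpes:// host is the one given in the text.

```python
"""Upload a file to an FTPES endpoint, enforcing TLS 1.2 on both channels."""
import ssl
from ftplib import FTP_TLS
from urllib.parse import urlsplit


def tls12_context():
    """Client context that rejects TLS < 1.2 and verifies the server cert
    and hostname against the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_ftpes_url(url):
    """Accept only ftpes:// (explicit TLS) locations; return (host, port).
    A plain ftp:// URL is refused rather than silently downgraded."""
    parts = urlsplit(url)
    if parts.scheme != "ftpes":
        raise ValueError(f"explicit TLS required, got scheme {parts.scheme!r}")
    return parts.hostname, parts.port or 21


def upload(url, user, password, local_path, remote_name):
    """Connect, secure the control connection, log in, then encrypt the
    data connection before sending the file. Returns the negotiated
    protocol string (e.g. 'TLSv1.2') so integrations can log it."""
    host, port = parse_ftpes_url(url)
    with FTP_TLS(context=tls12_context()) as ftps:
        ftps.connect(host, port, timeout=30)
        ftps.auth()        # AUTH TLS: explicit TLS on the control channel
        ftps.login(user, password)
        ftps.prot_p()      # PROT P: the data channel is encrypted too
        with open(local_path, "rb") as fh:
            ftps.storbinary(f"STOR {remote_name}", fh)
        return ftps.sock.version()


if __name__ == "__main__":
    # Placeholder credentials and file; replace before use.
    print(upload("ftpes://vf13.vod309.com", "FTP_USER", "FTP_PASSWORD",
                 "extract.csv", "extract.csv"))
```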