The Sunshine team are pleased to announce new role-based permissions for Sunshine custom objects. This new functionality provides the following three significant changes to custom objects permissions.
- Expanded permissions for agents. Before this, agents had all access to all records under all objects and relationships. Now, admins can set any combination of create, read, update, and delete permissions by object or relationship.
- Expanded permissions for end users. Before this, end users could either read or not read records under an object or relationship based on the end_user_can_read flag. Now, admins can set any combination of create, read, update, and delete permissions by object or relationship.
- Migrated the end_user_can_read flag functionality over to role-based permissions, and deprecated the flag. Any customers who have enabled this flag on any of their objects and relationships will be automatically migrated to include read as true on their object or relationship permissions policies.
Custom objects policies
You can define role-based access control (RBAC) policies to limit access to object records and relationship records under each object and relationship.
An RBAC policy defines create, read, update, delete (CRUD) permissions for the roles agent and end-user separately, for all records under a given object type or relationship type.
The default policy for all objects and relationships remains the same:
- Admins get all access to records
- Agents get all access to records
- End users get no access to anything
For more information about how to use this feature, check out the API documentation on permissions in our developer docs.
2 comments
Gizelle Butler
The API documentation reference here advises not to use in a production environment? What is recommended for role-based access controls for production?
0
Christopher Kennedy
I just want to clarify that the disclaimer in the documentation is only referring to relationship-based access control (ReBAC), not role-based access control (RBAC). We break down the difference between RBAC and ReBAC policies in that doc for more details.
0