When creating custom objects, you also need to understand how agents and customers (also called end users) can access the object and its records. On Enterprise plans, this is defined on the Roles page in Admin Center. On all other plans, access is pre-defined for each system role except customer.
About object permissions
- Object permissions determine access to that object's records.
- Object permissions are enforced in lookup relationship fields in the Agent Workspace. Lookup relationship fields will appear blank to agents without permission to view the target custom object.
- Object permissions aren't checked or enforced by placeholders. Agents with permissions to manage macros and triggers may inadvertently access information about custom objects this way.
- Object permissions aren't captured in reporting.
- Don't make a custom object's records visible to customers if its records contains sensitive data. While filtering can help limit visibility of a custom object's records to only those pertaining to the current user, no such filtering and restricted visibility exists for API requests. It is possible that an end user could access custom object records unrelated to themselves using the Custom Objects API.
Configuring object list and search permissions for agents
In addition to defining role-based access to to a custom object's records, you can also control the visibility of individual custom objects and their records to agents within the Custom object records page in the Agent Workspace. The object list and search permission doesn't affect the accessibility of the custom object records within lookup relationship fields; rather, it only determines the content within the Custom object records page. The default value is All agents and admins.
- In Admin Center, click
Objects and rules in the sidebar, then select Custom objects > Objects.
- Click the name of the custom object for which you want to view the permissions, then click the Permissions tab.
- Under Object list and search, select either All agents and
admins or Only admins.
- Click Save.
Reviewing system role permissions for agents
View | Edit | Add | Delete | |
---|---|---|---|---|
Admin | Yes | Yes | Yes | Yes |
Agent | Yes | Yes | Yes | Yes |
Light Agent | Yes | No | No | No |
Contributor | Yes | No | No | No |
Defining Enterprise custom role permissions for agents
On Enterprise plans, access to each custom object is managed like any other custom role-based permissions. However, the permissions can be managed directly from the object as well as on the Roles page.
When a new custom object is created, agents don't have access to it until permissions are added by an admin or agent in a custom role with permission to manage roles.
Custom object permissions are predefined for system roles and can't be changed. For example, light agent and contributor roles have view-only permissions for all custom objects on all plans.
- In Admin Center, click
Objects and rules in the sidebar, then select Custom objects > Objects.
- Click the name of the custom object for which you want to view the permissions, then click the Permissions tab.
- Click the name of the custom role you want to grant access to your objects.
- In the panel on the right, select the permissions you want the role to have
for the custom object you're editing. You can choose from: View,
Edit, Add, and Delete.
- Click Save.
-
In Admin Center, click
People in the sidebar, then select Team > Roles.
Alternatively, from within a custom object's Permission tab, you can click Manage roles to open the Roles page.
- Click the name of the role for which you want to manage access to your objects.
- Under Custom objects, select the permissions you want the role to have
for each object: View, Edit, Add, and
Delete.
- Click Save.
Defining end-user permissions for custom objects
Customer permissions to view and interact with custom object records are configured at the object level.
You can further restrict access to records related to the end user with filters in the user interface. However, these filters don't restrict access to records through the Custom Objects API. Use caution when granting end users permission to view custom object records.
- In Admin Center, click
Objects and rules in the sidebar, then select Custom objects > Objects.
- Click the name of the custom object for which you want to view the permissions, then click the Permissions tab.
- In the table, click Customer.
- In the panel on the right, select the permissions you want the role to have for the custom object you're editing. You can choose from: View, Edit, Add, and Delete.
- Click Save.
Viewing a custom object's permissions
When viewing a custom object, you can see a summary of the permissions by role on the Permissions tab.
- In Admin Center, click
Objects and rules in the sidebar, then select Custom objects > Objects.
- Click the name of the custom object for which you want to view the
permissions, then click the Permissions tab.
8 comments
taku
Is there no ability to manage end-user permissions in the new custom objects?
Also, am I correct in assuming that the ability for end users to access custom objects has been removed?
The functionality existed in legacy custom objects.
https://support.zendesk.com/hc/en-us/articles/4408834725402-Legacy-custom-objects-guide-for-admins#topic_fk5_wyl_pyb
0
Dane
0
taku
Thanks for the reply. Is end-user permissions part of your future development roadmap?
0
mfg
I hope that the end goal becomes something more like macros and views - where the permissions are granted on a role/group basis. We have multiple lines of business and different groups would need access to different custom objects, and we would not want other groups to have access to some of them.
0
Ivica Nedeljkovic
I set permissions for staff(agents) to be able to view/edit custom objects, however, when I try to list/search or view records from this object type as agent(via zendesk support app), I get error code 403 forbidden with message: "You do not have access to this page. Please contact the account owner of this help desk for further help."
I also tested via API and get exactly same error.
I am sure that I set permissions correctly, and I can see correct permissions both on role page and also on custom object permissions page.
If I login as admin user, I can access these custom objects.
Do I need to set anything else? How long it take to propagate these permissions? And can you confirm that Agents can access custom objects at all(via API) after permissions are set correctly.
Update: This issue is resolved, the problem was that permissions propagation took more than 4 hours even in UI shows new permissions.
0
Destiny
I will go ahead and open a support ticket for you so that we can delve into and resolve the issue you're experiencing with the agent access to the custom object records feature.
0
Jacquelyn Brewer
taku and Dane End user permissions for accessing custom object records are now available.
0
Mehboob Ali
Jacquelyn Brewer Is there an API to update custom object permissions?
0