When creating custom objects, you also need to understand how agents and customers (also called end users) can access the object and its records. On Enterprise plans, this is defined on the Roles page in Admin Center. On all other plans, access is pre-defined for each system role except customer.
About object permissions
- Object permissions determine access to that object's records.
- Object permissions are enforced in lookup relationship fields in the Agent Workspace. Lookup relationship fields will appear blank to agents without permission to view the target custom object.
- Object permissions aren't checked or enforced by placeholders. Agents with permissions to manage macros and triggers may inadvertently access information about custom objects this way.
- Object permissions aren't captured in reporting.
- Don't make a custom object's records visible to customers if its records contains sensitive data. While filtering can help limit visibility of a custom object's records to only those pertaining to the current user, no such filtering and restricted visibility exists for API requests. It is possible that an end user could access custom object records unrelated to themselves using the Custom Objects API.
Configuring object list and search permissions for agents
In addition to defining role-based access to to a custom object's records, you can also control the visibility of individual custom objects and their records to agents within the Custom object records page in the Agent Workspace. The object list and search permission doesn't affect the accessibility of the custom object records within lookup relationship fields; rather, it only determines the content within the Custom object records page. The default value is All agents and admins.
- In Admin Center, click Objects and rules in the sidebar, then select Custom objects > Objects.
- Click the name of the custom object for which you want to view the permissions, then click the Permissions tab.
- Under Object list and search, select either All agents and admins or Only admins.
- Click Save.
Reviewing system role permissions for agents
View | Edit | Add | Delete | |
---|---|---|---|---|
Admin | Yes | Yes | Yes | Yes |
Agent | Yes | Yes | Yes | Yes |
Light Agent | Yes | No | No | No |
Contributor | Yes | No | No | No |
Defining Enterprise custom role permissions for agents
On Enterprise plans, access to each custom object is managed like any other custom role-based permissions. However, the permissions can be managed directly from the object as well as on the Roles page.
When a new custom object is created, agents don't have access to it until permissions are added by an admin or agent in a custom role with permission to manage roles.
Custom object permissions are predefined for system roles and can't be changed. For example, light agent and contributor roles have view-only permissions for all custom objects on all plans.
- In Admin Center, click Objects and rules in the sidebar, then select Custom objects > Objects.
- Click the name of the custom object for which you want to view the permissions, then click the Permissions tab.
- Click the name of the custom role you want to grant access to your objects.
- In the panel on the right, select the permissions you want the role to have for the custom object you're editing. You can choose from: View, Edit, Add, and Delete.
- Click Save.
-
In Admin Center, click
People in the sidebar, then select Team > Roles.
Alternatively, from within a custom object's Permission tab, you can click Manage roles to open the Roles page.
- Click the name of the role for which you want to manage access to your objects.
- Under Custom objects, select the permissions you want the role to have for each object: View, Edit, Add, and Delete.
- Click Save.
Defining end-user permissions for custom objects
Customer permissions to view and interact with custom object records are configured at the object level.
You can further restrict access to records related to the end user with filters in the user interface. However, these filters don't restrict access to records through the Custom Objects API. Use caution when granting end users permission to view custom object records.
- In Admin Center, click Objects and rules in the sidebar, then select Custom objects > Objects.
- Click the name of the custom object for which you want to view the permissions, then click the Permissions tab.
- In the table, click Customer.
- In the panel on the right, select the permissions you want the role to have for the custom object you're editing. You can choose from: View, Edit, Add, and Delete.
- Click Save.
Viewing a custom object's permissions
When viewing a custom object, you can see a summary of the permissions by role on the Permissions tab.
- In Admin Center, click Objects and rules in the sidebar, then select Custom objects > Objects.
- Click the name of the custom object for which you want to view the permissions, then click the Permissions tab.