General permission guidance

You can fine tune permissions for FinDock users using a combination of Salesforce permission set groups and permission sets. When working with permissions, keep in mind that permission sets can only grant additional permissions, not take them away.

General permissions

For FinDock to function correctly, users need to have access to certain standard Salesforce objects. Some of these may be part of existing permission sets in your org, but please make sure the user profiles for FinDock have at least the following permissions:

All FinDock user profiles: read access for Contact, Account and Campaign
For the FinDock integration user: CRU access for Contact and Account
For users who need access to FinDock Setup: view Setup and Configuration permission

When Salesforce NPSP is used, also include the following permissions:

Full access for FinDock user profiles to Opportunity (and NPSP fields added to Opportunity)
Full access for FinDock user profiles to Opportunity Payment (npe01__OppPayment__c)

When Salesforce Fundraising is used, also include the following permissions:

Fundraising permissions for FinDock users, including the integration user

An important aspect of permissions is Salesforce sharing settings. These settings determine what records can be seen by whom.

To ensure correct operation of FinDock, make sure your FinDock user profiles share settings on all objects used for payments management, including standard objects like Contact and Account, industry or feature-specific objects like Recurring Donation (NPSP), Gift Transaction, (Fundraising), and naturally all FinDock objects.

Permission set groups and classic permission sets

With the September '23 release, we introduced a new way to manage FinDock permissions using permission set groups. These will be the basis of permissions managing moving forward, but currently only support the integration user.

For other user profiles, please assign "classic" permission sets.

Common user types for FinDock

Most organizations need three types of users to work with FinDock. Further user type granularity can be implemented, but this simple approach is the most common:

FinDock administrator: administration with full access to all FinDock features and functions
Operations user: Salesforce users from Finance or other departments who need to use certain FinDock features
Service agent: Salesforce users who enter and modify payer data for specific channels, such as MOTO payments
Integration user: Salesforce Integration User reserved for system integration authentications

FinDock administrator

FinDock includes a special permission set for administrators, PaymentHub All FLS. This permission set allows administrators to access all FinDock objects and fields. However, we recommend assigning FinDock administrators all the FinDock permission sets.

Operations user

In general, operations users work with payment processing records, such as source records that lead to installments, payment profiles and mandates. They perform payment collection activities such as uploading bank statement files and reconciling through Guided Matching.

Service agent

Service agents are users who can create and modify payer data in specific scenarios. A common scenario is MOTO (mail-order-telephone-order) payments, where, for example, the service agent enters the payer information and credit card details into a dedicated component.

Integration user

System integrations need user accounts, aka “Integration Users,” that allow data transfer and operations between systems. FinDock uses connections to Heroku apps like ProcessingHub and WebHub, as well as connections to integrate with external service providers such as PSPs.

Please refer to the table below for details on which permission sets are needed for integration user(s). In addition to those permission sets, you need to also add the View Setup and Configuration permission to the integration user. This permission is typically only for system administrators, but FinDock integrations also require it.

With the Salesforce Spring '23 release, orgs have a new free Salesforce Integration user license. Please refer to our FAQ for information about using this license.

note

If you use the Salesforce Minimum Access Profile for your integration user, you need to check API Enabled under Salesforce Setup > Manage Users > Profiles > Administrative Permissions.

Further info

FinDock Additional Setup

With the January '21 release, we added two new tabs to the FinDock app - one for Installments and one for Inbound Reports. These new tabs come in handy in many different workflows, including Guided Matching debugging and configuration.

The tabs are implemented through a permission set and package called ‘FinDock Additional Setup'. This package is mandatory in the FinDock Installer. However, it is an unmanaged component, so organizations can modify the associated settings if needed.

These tabs are handled in a separate package to avoid potential conflicts with orgs that may already have tabs for Installments or Inbound Reports.

Once installed, users who are assigned the ‘FinDock Additional Setup’ permission set automatically get to see and use the Installment and Inbound Report tabs.

Gift Aid manual permission assignments

In addition to the specific permission set for Gift Aid, there are permissions that need to be assigned manually. For further instructions, please see Gift Aid for admins.

General permissions​

Sharing settings​

Permission set groups and classic permission sets​

Common user types for FinDock​

FinDock administrator​

Operations user​

Service agent​

Integration user​

Further info​

FinDock Additional Setup​

Gift Aid manual permission assignments​