You can fine tune permissions for FinDock users using a combination of Salesforce permission set groups and permission sets. When working with permissions, keep in mind that permission sets can only grant additional permissions, not take them away.
For FinDock to function correctly all user types used with FinDock need to have access to certain standard Salesforce objects. Some of these may be part of existing permission sets of your org, but please make sure the user types for FinDock have at least the following permissions:
- Read access for Contact, Account and Campaign
- If Salesforce NPSP is used:
- Full access to Opportunity (and NPSP fields added to Opportunity)
- Full access to Opportunity Payment (
- CRU access for Contact and Account (for integration users only)
- View Setup and Configuration permission (for users who access FinDock Setup)
Permission set groups vs. "classic" permissions
With the September '23 release, FinDock introduced a new permissions framework that uses permission set groups and new, modular permission sets. The new permission sets are automatically assigned to default groups as needed when packages are installed and activated using the new FinDock Setup experience.
The old "classic" permission sets remain fully functional. However, whenever a FinDock permission set group is available for a particular user type, we recommend using the group assignments.
Permission set groups
When you install FinDock, default permission set groups are added for the most common user types. These groups come with specific permission sets that are added to the groups on the fly when packages are installed and activated.
These groups need to be added to the relevant users. Once added, the groups are updated as needed by FinDock through permission set changes and assignments.
FinDock permission set groups are currently under development. As new groups become available, they will be documented here.
FinDock Integration User Group
The new permission set group and permission sets are currently in beta and available to all FinDock customers for testing.
The FinDock Integration User permission set group is intended for integration use cases only. This includes connections to external services, such as ProcessingHub, WebHub and PSPs, as well as FinDock features that use those connections, like payment schedule processing.
The integration user group automatically has four FinDock Core permission sets. FinDock packages with integration permission requirements have their own permission set. These package-specific sets are added to the FinDock Integration User automatically when the given package is installed and activated through the new FinDock Setup.
All permission sets added by FinDock to the FinDock Integration User group support the free Salesforce integration user license.
If you add custom permission sets to the this group, be sure to check the Status of the group afterwards. Failed indicates you need to check that the custom permissions adhere to the integration user license (and Salesforce API Only System Integrations profile) limitations.
FinDock integration permission sets
Existing FinDock installations that use classic permission sets can reassign the integration user to use the FinDock Integration User Group. However, the new FinDock integration permission sets for payment extensions need to be added to the group manually.
The permission sets for integration use cases (added to the FinDock Integration User Group through the new FinDock Setup) are outlined in the following table.
|FinDock Adyen Integration||Permissions for payment set up and notification handling||Adyen|
|FinDock Axerve Integration||Permissions for payment set up and notification handling||Axerve|
|FinDock Bacs Integration||Bacs Direct Debit collection and reconciliation through Bacs Manual and SmartDebit||BACS|
|FinDock Buckaroo Integration||Permissions for payment set up and notification handling||Buckaroo|
|FinDock Checkout Integration||Permissions for payment set up and notification handling||Checkout.com|
|FinDock Core File-based Payments||Permissions for parsing and matching bank files||Core|
|FinDock Core Mandate Schedule||Permissions for creating and running mandate schedules||Core|
|FinDock Core Online Payments||Payment collection and reconciliation through WebHub, Notification Gateway and FinDock Payment API||Core|
|FinDock Core Payment Schedule||Permissions for creating and running payment schedules||Core|
|FinDock Gift Aid Integration||Permissions for Gift Aid claim processing through HMRC||Gift Aid|
|FinDock GoCardless Integration||Permissions for payment set up and notification handling||GoCardless|
|FinDock Mollie Integration||Permissions for payment set up and notification handling||Mollie|
|FinDock Nordic Integration||Permissions for payment set up and report handling||Nordic Payments|
|FinDock NPSP Integration||Permissions for custom handling of NPSP Opportunity and Recurring Donation||NPSP|
|FinDock PayPal Integration||Permissions for payment set up and notification handling||PayPal|
|FinDock ProcessingHub Integration||Permissions for ProcessingHub connection||ProcessingHub|
|FinDock SEPA Integration||SEPA and SEDA payment collection, disbursement and reconciliation||SEPA|
|FinDock SIX Saferpay Integration||Permissions for payment set up and notification handling||SIX Saferpay|
|FinDock Stripe Integration||Permissions for payment set up and notification handling||Stripe|
|FinDock Tikkie Integration||Permissions for payment set up and notification handling||Tikkie|
|FinDock Vipps Integration||Permissions for payment set up and notification handling||Vipps|
|FinDock Worldpay Integration||Permissions for payment set up and notification handling||WorldPayCorporate|
The following sections describe how FinDock works with permission sets prior to the September '23 release.
Most organizations need three types of users to work with FinDock. Further user type granularity can be implemented, but this simple approach is the most common:
- FinDock administrator: administration with full access to all FinDock features and functions
- Operations user: Salesforce users from Finance or other departments who need to use certain FinDock features
- Integration user: Salesforce Integration User reserved for system integration authentications
In general, operations users work with payment processing records, such as source records that lead to installments, payment profiles and mandates. They perform payment collection activities such as uploading bank statement files and reconciling through Guided Matching.
FinDock includes a special permission set for administrators, PaymentHub All FLS. This permission set allows administrators to access all FinDock objects and fields. However, we recommend assigning FinDock administrators all the FinDock permission sets.
System integrations need user accounts, aka “Integration Users,” that allow data transfer and operations between systems. FinDock uses connections to Heroku apps like ProcessingHub and WebHub, as well as connections to integrate with external service providers such as PSPs.
Please refer to the table below for details on which permission sets are needed for integration user(s). In addition to those permission sets, you need to also add the View Setup and Configuration permission to the integration user. This permission is typically only for system administrators, but FinDock integrations also require it.
With the Salesforce Spring '23 release, orgs have a new free Salesforce Integration user license. Please refer to our FAQ for information about using this license.
If you use the Salesforce Minimum Access Profile for your integration user, you need to check API Enabled under Salesforce Setup > Manage Users > Profiles > Administrative Permissions.
An important aspect of permissions is Salesforce sharing settings. These settings determine what records can be seen by whom. To ensure correct operation of FinDock, make sure to allow the integration user(s) full sharing of all the contacts and accounts involved.
FinDock classic permission sets
The following table provides a complete overview of all FinDock permission sets. Please note the sets are only available if the respective package has been installed.
FinDock classic permission sets can be added to Permission Set Groups on their own and with custom sets assigned to the same group(s).
|Adyen Integration||Integration for Payment API and PSP notifications||Integration||Adyen|
|Axerve Integration User||Integration for Payment API and PSP notifications||Integration||Axerve|
|BACS FLS||Permissions for Bacs processes and Payment API integration||Administrator, Operations, Integration||Bacs|
|Buckaroo Integration User||Integration for Payment API and PSP notifications||Integration||Buckaroo|
|Checkout.com All FLS||Permissions for Checkout.com features||Administrator, Operations||Checkout.com|
|Checkout.com Integration User||Integration for Payment API and PSP notifications||Integration||Checkout.com|
|FinDock Additional Setup||Deployed by Installer; access to tabs Installments and Inbound Reports (see below)||Administrator, Operations||Core|
|FinDock Experience Cloud||For Experience Cloud public pages (API v2 only)||Guest User||Core|
|FinDock Site Guest User||Site Guest User (API v1 only)||Site Guest User||Core|
|GiftAid FLS||Permissions for Gift Aid features||Integration, Operations||Gift Aid|
|GoCardless||Integration for Payment API and PSP notifications||Integration||GoCardless|
|Mollie Integration User||Integration for Payment API and PSP notifications||Integration||Mollie|
|Nordic Payments All FLS||Permissions for AvtaleGiro, etc.||Administrator, Integration||Nordic Payments|
|NPSP4PaymentHub All FLS||Permissions for FinDock for NPSP features||Administrator, Operations||NPSP|
|Pages||User(s) creating and configuring Giving Pages||Administrator, Operations||Core|
|PaymentHub ALL FLS||Admin user for full access to all FinDock objects||Administrator||Core|
|PaymentHub Integration Base||Integration for ProcessingHub connection||Integration||Core|
|PaymentHub Operations||General FinDock permissions||Operations||ProcessingHub|
|PayPal FLS||Integration for Payment API and PSP notifications||Integration||PayPal|
|ProcessingHub Operations||Integration for ProcessingHub connection and permissions for ProcessingHub Manager||Integration, Operations||ProcessingHub|
|SEPA Operations||Permissions for SEPA, SEDA and Swiss (CH-DD, LSV+) processes and Payment API integration||Operations, Integration||SEPA|
|Six Saferpay Integration User||Integration for Payment API and PSP notifications||Integration||SIX Saferpay|
|Stripe ALL FLS||Permissions for Stripe features||Administrator, Operations||Stripe|
|Stripe Integration User||Integration for Payment API and PSP notifications||Integration||Stripe|
|Tikkie Integration||Integration for Payment API and PSP notifications||Integration||Tikkie|
|Vipps All FLS||Permission for Vipps features, Payment API and PSP notifications||Admin, Integration||Vipps|
|Worldpay Integration User||Integration for Payment API, ProcessingHub and PSP notifications||Integration||Worldpay|
FinDock Additional Setup
With the January '21 release, we added two new tabs to the FinDock app - one for Installments and one for Inbound Reports. These new tabs come in handy in many different workflows, including Guided Matching debugging and configuration.
The tabs are implemented through a permission set and package called ‘FinDock Additional Setup'. This package is mandatory in the FinDock Installer. However, it is an unmanaged component, so organizations can modify the associated settings if needed.
These tabs are handled in a separate package to avoid potential conflicts with orgs that may already have tabs for Installments or Inbound Reports.
Once installed, users who are assigned the ‘FinDock Additional Setup’ permission set automatically get to see and use the Installment and Inbound Report tabs.
Gift Aid manual permission assignments
In addition to the specific permission set for Gift Aid, there are permissions that need to be assigned manually. For further instructions, please see Gift Aid for admins.