Permissions

You can fine-tune permissions for FinDock users using a combination of Salesforce profiles and permission sets. To learn more about how these work together, watch Who Sees What on the Salesforce YouTube channel. Always keep in mind that permission sets can only grant additional permissions, not take them away. A good practice in maintaining security is to limit the access users have to objects, fields and records.

In this article we outline the permissions required for users in your Salesforce org to perform certain payment management tasks. Please note that this article only covers FinDock and not the permissions required for Salesforce in general or other Salesforce apps.

Basic object permissions

In general, users who work with payment processing records, such as source records that lead to installments, payment profiles and mandates, require at least read/write/edit access to these objects:

  • cpm__Installment__c
  • cpm__Payment_Profile__c
  • cpm__Mandate__c
  • cpm__Log__c

Finance operations

Users who perform finance- and collection-related activities, such as uploading bank statement files, reconciling and performing bulk collections, require additional permissions. These permissions are grouped into two permission sets:

  • PaymentHub Operations
  • ProcessingHub Operations

Administrators

System administrators need access to a wide range of objects and fields. FinDock includes a special permission set for administrators, PaymentHub All FLS. This permission set allows administrators to access all FinDock objects and fields. However, this is not a substitute for the other permission sets. We recommend assigning administrators all the FinDock permission sets to ensure full access.

System integrations

System integrations need user accounts, aka “Integration Users,” that allow communication and data transfer between systems. Here we focus on three in particular: the integration of FinDock ProcessingHub to Salesforce, API calls to the FinDock Payment API, and the Site Guest user or FinDock WebHub for online donation callbacks. The user account for the ProcessingHub integration to Salesforce should have the following permission sets:

  • PaymentHub Integration Base
  • PaymentHub Operations
  • ProcessingHub Operations

In addition, the ProcessingHub account needs permissions for accessing and modifying all source objects, etc.

The user account for the Payment API requires the following permissions:

  • PaymentHub Integration Base
  • PaymentHub Operations
  • ProcessingHub Operations
  • All permission sets provided by the Payment Extension package such as "Stripe Integration User" or "Mollie Integration User"

When using Classic Online Payment Experience (with API v1), the Site Guest user, which controls the permissions for the callback site, requires the following permission sets:

  • FinDock Site Guest User
  • All permission sets provided by the Payment Extension package such as "Stripe Integration User" or "Mollie Integration User"

When using Enhanced Online Payment Experience (with API v2), the same permissions should be assigned to the user you have connected WebHub with.

Please note that the process for assigning permission sets to site guest users is different from that of regular users. For further information, see Configuring a Salesforce Site.
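
The permission set requirements in this section can be checked mechanically against an export of assignments. The following Python sketch is an added example, not FinDock code: it reports, per integration user, which required sets are missing and which additional sets are held. The role keys, usernames and sample rows are constructed, and the Payment Extension sets are passed in because they depend on the installed package.

```python
# Added example: compare integration users' permission set assignments with
# the sets this article requires. Role keys and sample data are constructed.
# Rows can come from a SOQL export such as:
#   SELECT Assignee.Username, PermissionSet.Label FROM PermissionSetAssignment
from collections import defaultdict

BASE = {"PaymentHub Integration Base", "PaymentHub Operations",
        "ProcessingHub Operations"}

def required_sets(role, extension_sets):
    """Permission set labels the article lists for each integration role."""
    ext = set(extension_sets)
    if role == "processinghub":
        return set(BASE)
    if role == "payment_api":
        return BASE | ext
    if role in ("site_guest", "webhub"):  # API v1 guest user / API v2 WebHub user
        return {"FinDock Site Guest User"} | ext
    raise ValueError(f"unknown role: {role}")

def audit(assignments, roles, extension_sets):
    """assignments: iterable of (username, permission set label) pairs.
    roles: {username: role key}. Returns {username: {"missing", "extra"}}."""
    held = defaultdict(set)
    for username, label in assignments:
        held[username].add(label.strip())
    report = {}
    for user, role in roles.items():
        need = required_sets(role, extension_sets)
        report[user] = {"missing": sorted(need - held[user]),
                        "extra": sorted(held[user] - need)}
    return report

# Constructed sample data (not from a real org)
SAMPLE_ROLES = {"ph@example.invalid": "processinghub",
                "api@example.invalid": "payment_api",
                "guest@example.invalid": "site_guest"}
SAMPLE_ASSIGNMENTS = [
    (u, s) for u in ("ph@example.invalid", "api@example.invalid") for s in BASE
] + [
    ("guest@example.invalid", "FinDock Site Guest User"),
    ("guest@example.invalid", "Stripe Integration User"),
    ("guest@example.invalid", "PaymentHub All FLS"),
]

if __name__ == "__main__":
    result = audit(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES, ["Stripe Integration User"])
    for user, finding in result.items():
        print(user, finding)
```

Entries under "extra" are items to review rather than errors: the ProcessingHub account, for example, also needs source object permissions that may be granted through other permission sets.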

Sharing settings

The final piece of the puzzle when it comes to permissions is sharing settings. These settings determine what records can be seen by whom. To ensure correct operation of FinDock, make sure to allow the various integration users full sharing of all the contacts and accounts involved.