General permission guidance
When working with permissions, keep in mind that permission sets can only grant additional permissions, not take them away. For details on Salesforce user permissions and access, please refer to the Salesforce Security Guide
General permissions for FinDock
For FinDock to function correctly, users need to have access to certain standard Salesforce objects. Some of these may be part of existing permission sets in your org, but please make sure the user profiles for FinDock have at least the following permissions:
- All FinDock users: read access for Contact, Account and Campaign
- FinDock integration user: CRU access for Contact and Account
- FinDock administration users: View Setup and Configuration permission
If you are using Salesforce NPSP, include the following permissions:
- Full access for FinDock users to Opportunity (and NPSP fields added to Opportunity)
- Full access for FinDock users to Opportunity Payment (
npe01__OppPayment__c
)
If you are using Salesforce Fundraising, include the following permissions:
- Fundraising permissions for FinDock users, including integration user
Sharing settings
An important aspect of permissions is Salesforce sharing settings. These settings determine what records can be seen by whom.
To ensure correct operation of FinDock, make sure at least FinDock integration and payment operations users share settings on all objects used for payments management, including standard objects like Contact and Account, industry or feature-specific objects like Recurring Donation (NPSP), Gift Transaction and Gift Commitment (Fundraising), and naturally all FinDock objects.
Administrators and service agents may not need the same level of sharing and can have more restricted sharing settings.
Permission set groups and classic permission sets
With the September '23 release, we introduced a new way to manage FinDock permissions using permission set groups. These are the basis for managing permissions moving forward. Our "classic" permission sets remain supported and available, but we recommend using the new permission framework whenever possible.
Common user types for FinDock
Most organizations need at least three user types or "personas" to work with FinDock and manage payments on Salesforce. These personas, along with the Salesforce concepts of "design time" (feature setup phase) and "run time" (feature use phase) guide how FinDock permission sets and groups are designed.
Administrator
The FinDock administrator needs access to all aspects of the FinDock setup and feature-specific configurations. While the focus of the administrator persona is primarily on design time activities, permission need to include run-time tasks to allow the administrator to test and troubleshoot.
Payment operations
In general, operations users work with FinDock payment-related objects, such as Installment, Payment Profile and Mandate, as wells as any source-specific objects, such as the Fundraising Gift Transaction objects.
Payment operations users are also typically involved in payment collection activities, so running payment and mandate schedules, as well as reconciliation, such as uploading bank statement files and using Guided Matching.
Service agent
Service agents are users who can create and modify payer data in specific scenarios. A common scenario is MOTO (mail-order-telephone-order) payments, where, for example, the service agent enters the payer information and credit card details into a dedicated component.
Integration user
The integration user is a special persona that is a non-person user of Salesforce. Rather, it handles integrations between systems and services. FinDock uses connections to Heroku apps like ProcessingHub and WebHub, as well as integration with external payment service providers (PSPs).
With the Salesforce Spring '23 release, orgs have a new free Salesforce Integration user license. Please refer to our FAQ for information about using this license.
If you use the Salesforce Minimum Access Profile for your integration user, you need to check API Enabled under Salesforce Setup > Manage Users > Profiles > Administrative Permissions.
Experience Cloud integration
We have a special permission set for Experience Cloud integrations. The FinDock Experience Cloud permission set should be assigned to the Guest User for Experience Cloud public pages using the Payment API v2.
FinDock Additional Setup
With the January '21 release, we added two new tabs to the FinDock app - one for Installments and one for Inbound Reports. These new tabs come in handy in many different workflows, including Guided Matching debugging and configuration.
The tabs are implemented through a permission set and package called FinDock Additional Setup. This package is mandatory in the FinDock Installer. However, it is an unmanaged component, so organizations can modify the associated settings if needed.
These tabs are handled in a separate package to avoid potential conflicts with orgs that may already have tabs for Installments or Inbound Reports.
Once installed, users who are assigned the FinDock Additional Setup permission set automatically get to see and use the Installment and Inbound Report tabs.
Gift Aid manual permission assignments
In addition to the specific permission set for Gift Aid, there are permissions that need to be assigned manually. For further instructions, please see Gift Aid for admins.