Principal Object Access Table
POA (principal object
access) table is a table for sharing of records. The shared, assigned and
re-parented or inherited records are added to this table. Basically if you try
to access a record that you do not own the system will check the POA and if the
permission is there then you can access the record.
The POA table is used
to provide access to specific records for CRM users, and each record in the POA
table represents one CRM object that is related to one CRM user. Records
created in the POA table come from one of four ways:
• Share reassigned records with original
owner: CRM System Settings
If this is set to Yes,
then records would be added to the POA table whenever an assign takes place.
These records will have a value in the AccessRightsMask column of the POA
table.
• Direct sharing:
Actions – Sharing
àWhen users explicitly
share a record to another user, a record would be created in the POA table.
These records will have a value in the AccessRightsMask column of the POA
table.
• Reparent Setting:
Relationship Behavior
àEach entity has
relationships with other entities (ex. Account to Case). By default, the
Reparent option is set to Cascade All. With this setting, sub records would be
shared to the owner of the parent record. For example: Let’s say that User1
owns Account1. User2 has access to Account1 and creates a case underneath
Account1. With the out of the box Reparent options, a record would be created
in the POA table that would give User1 access to the newly created case. These
records will have a value in the InheritedAccessRightsMask column of the POA
table.
• Indirect Sharing
àWhen sharing occurs
through a direct share, assignment, or parenting, if the relationship is set up
to cascade the share to child records, additional records will be created in
the POA table in order to give proper permissions to the new user for the
relevant child records. These records will have a value in the
InheritedAccessRightsMask colum of the POA table.
The Reparent setting is what seems to come as a surprise to some customers. Many customers will keep the Reparent setting set to Cascade All. This is a perfectly acceptable setting, but if the majority of your users already have access to the records that are being shared to them through their security role, the records in the POA table may not be providing much of a benefit.
It is possible to change the Reparent setting to Cascade None. In this scenario, records would not be auto-created in the POA table for the owner of the parent record. Building off of the example mentioned above: User1 owns Account1. User2 has access to Account1 and creates a case underneath Account1. With the relationship set to Cascade None, a record would not be created in the POA table for User1.
No comments:
Post a Comment