Prework

These requirements must be completed before you can get hands-on with Data Cloud:

• Set up your Salesforce core platform instance. As part of the setup, you’ll need a user account created for you with a Salesforce license and an Administrator profile associated with that user account. If you’re working with a Salesforce-provided developer org created for Data Cloud training purposes, this will already be done. Otherwise, if you’re working in a production environment, you’ll need to have an administrator create the user account for you.
• Your organization must have obtained the necessary SKUs for access to the Salesforce Data Cloud platform. As a reminder, there is one Data Cloud SKU, and there are several options for add-ons such as for Marketing Cloud licenses, Loyalty Management Cloud licenses, and Tableau licenses.
• If your Salesforce org does not have the Data Cloud Admin permission set, you’ll need to first add Data Cloud to your Salesforce account by clicking Setup → Your Account → Browse & Buy. Scroll through until you find the product labeled Data Cloud Provisioning. Add it to your cart and then check out. If you are not able to successfully provision your Data Cloud org, you’ll need to email myaccount@Salesforce.com to express your interest in Data Cloud. Make sure you include your org ID in the communication.

What You Should Know

This chapter will explore some of the permission sets associated with Salesforce Data Cloud, and instructions for the examples will be detailed enough that you can complete the process; however, you’d benefit greatly from having at least a basic understanding of how object access works in the Salesforce core platform. Salesforce Data Cloud platform access works similarly in many respects, so it is recommended that you complete some learning modules on Salesforce Trailhead to fill any gaps in your knowledge of org-wide defaults (OWDs) and object-level access, profiles, and permission sets.

As you’ll learn later in the chapter, sharing rules for Salesforce Data Cloud operate differently from the sharing rules within the Salesforce core platform. Therefore, it’s not an absolute necessity that you have an understanding of how sharing rules work on the core platform. Having a thorough understanding of Salesforce object access through the use of profiles and permission sets is, however, strongly recommended for working as an administrator in Salesforce Data Cloud. It is also helpful if you have experience setting up new Salesforce users.

Data Cloud Admin and Data Cloud User

Data Cloud Admins can access all functionality within Data Cloud and are responsible for executing the day-to-day configuration, support, maintenance, and improvement of the Salesforce Data Cloud system. As such, they are also responsible for the first-time setup of the Data Cloud application. In addition, the Data Cloud Admin is responsible for user provisioning and assigning permission sets beyond the initial setup.

Tasks associated with the first-time Data Cloud platform setup and access management are specific to the administrator persona, so the upcoming chapter sections will be most relevant for the administrator persona.

You can view the complete object settings for this permission set by accessing Permission Sets from the Setup option of the gear icon and clicking on the Data Cloud Admin permission set. Be sure to click on Object Settings within the Apps section.

The Data Cloud User permission set can be assigned to any user who doesn’t fit within one of the other Data Cloud personas. The User permission set gives users the ability to Read, Create, Edit, Delete, View All, and Modify All for the data lake source key qualifiers object. For all other objects, the ability to Read and View is granted.

Data Cloud Marketing Admins

Data Cloud Marketing Admins have the same privileges and permissions as Data Cloud Admins. These admins are granted full access to all navigation components in Data Cloud, which means they can manage day-to-day configuration needs like support, maintenance, and enhancements tasks. The Marketing Admin permission set is one of four standard permission sets that come with the Data Cloud for Marketing license.

Data Cloud Marketing Managers

Data Cloud Marketing Managers are responsible for the overall segmentation strategy and identifying target campaigns. This permission set grants full access to segments, activations, and activation targets. However, no access is granted to Data Explorer and Profile Explorer. View-only access is available for all other navigation components.

Data Cloud Marketing Specialists

Data Cloud Marketing Specialists are responsible for creating, managing, and publishing segments of the messaging campaigns identified by the Marketing Manager. This permission set grants full access to segments, but no access is allowed to Data Explorer and Profile Explorer. View-only access is available for all other navigation components.

Data Cloud Marketing Data Aware Specialists

The Data Cloud Marketing Data Aware Specialist persona is specific to Salesforce Data Cloud. Data Aware Specialists are responsible for creating and managing data streams, mapping data, and building the CIs that can be used in segmentation within Data Cloud for Marketing. The Data Aware Specialist manages the logical, marketer-friendly data model defined by the Marketing Manager and Marketing Specialist.

The Data Aware Specialist also works with other team members; for example, the Data Aware Specialist works with the website developer when there is a requirement for activities like setting up the Salesforce Interactions SDK in Data Cloud.

To summarize, there are two permission sets that always exist: Data Cloud Admin and Data Cloud User. There are four more permission sets that exist when you have the Data Cloud for Marketing license (Table 4-1). All of these are standard permission sets that come ready to go OOTB. You just need to assign them to users.

You can view the complete object settings for each of the permission sets by accessing Permission Sets from the Setup option of the gear icon and clicking on the specific permission set you want to view. Be sure to click on Object Settings within the Apps section.

Data Cloud for Marketing is an add-on license for the Data Cloud platform that gives users the ability to create segments and send them to activation targets. The Ad Audiences portion of the Data Cloud for Marketing license is what gives users the ability to activate segments to advertising platforms like Google Ads and Meta Ads.

As we later explore the Data Cloud menu options, you’ll learn what is possible within the Data Cloud platform and start to see how the standard persona-based permission sets allow you to accomplish specific tasks within the platform. Then, we’ll discuss in more detail permission sets and sharing rules. We’ll also discuss options for creating new custom permission sets when the standard persona-based permission sets don’t meet your organization’s needs.

Configuring the Admin User

A new Data Cloud platform can be provisioned for either an existing or a new Salesforce org. In either case, a new or existing Salesforce Administrator internal to your organization will need to assign themselves the Data Cloud Administrator permission set as a first step in setting up the platform. If you are the Salesforce Administrator designated to also be the Data Cloud Admin, you can assign yourself the Data Cloud Admin permission set by following these steps:

1. Click on the gear icon at the top right of the screen and then click on Setup. Search for Users in the Quick Find window.
2. Select your username from the list.

3. Click the Edit Assignments button under the Permission Set Assignments section on the user page (Figure 4-2).

   

   Figure 4-2. Edit assignments to add a new permission set to a Salesforce user account

4. Select the Data Cloud Admin permission set, then click the Add arrow icon. You should now see the Data Cloud Admin permission set in the Enabled Permission Sets box (Figure 4-3).

   

   Figure 4-3. Assigning a new permission set for the Data Cloud Admin

5. Be sure to click the Save button.

Figure 4-4. Data Cloud Setup accessed from the gear icon

Provisioning the Data Cloud Platform

The configuration setup of the Data Cloud platform will need to be done by a Data Cloud Administrator.

If you’ve successfully assigned yourself the Data Cloud Platform Admin permission set as described in “Configuring the Admin User”, you’re now ready to provision the new Data Cloud platform.

1. Click on the gear icon at the top right of the screen and select Data Cloud Setup. A welcome screen will appear.
2. Click the Get Started button on the bottom right of the screen (Figure 4-5). If you don’t see the button, try refreshing the page or logging out and back in again.

Figure 4-5. Welcome screen for Data Cloud initial setup

Figure 4-6. Completed Data Cloud setup screen

At this point in the process, you’re the only Data Cloud user able to access the platform. If you want others to access your Data Cloud instance, you’ll need to assign standard permission sets to existing Salesforce users. In addition, you’ll likely need to create some profiles and configure additional users next. We’ll discover how to create new profiles in the next session, but first, let’s install the standard starter data bundles we plan to use.

Navigate to Data Cloud Setup → Salesforce CRM, where you can confirm that your Salesforce CRM connection was established and has an active status. You can rename the connection, if desired, by clicking on the pencil icon. You’ll need to install each of the starter data bundles by clicking on the arrow to the right of each bundle and clicking the Install button. When prompted, choose the Install for Admin Only option and then click the Install button. Repeat the process for each data bundle you want to install.

Connecting to Relevant Salesforce Clouds

Chapter 2 discussed the topology of the various Salesforce Clouds that can be connected to the CDP. Now, we’ll take an in-depth look how to use Data Cloud connectors to enable the connections between Data Cloud and the various Salesforce Clouds to which a connection can be made. Our discussion will include information about refresh schedules for these Salesforce Cloud connectors. Salesforce is continually improving refresh times, so you should review the Salesforce documentation for the data stream schedule for the most up-to-date information.

Currently, there are six native Salesforce Cloud connectors: CRM, Marketing Cloud, B2C Commerce, Marketing Cloud Account Engagement (formerly Pardot), Marketing Cloud Personalization (formerly Interaction Studio), and Omnichannel Inventory. The Salesforce CRM Connector is needed to access the data within your Salesforce core platform. It’s also the connector you’d use for ingesting Loyalty Management Cloud data using starter data bundles.

Marketing Cloud connection

Connecting your Data Cloud platform to Salesforce Marketing Cloud requires that you have admin access to Marketing Cloud. Data Cloud supports only Marketing Cloud Enterprise 2.0 account connections. Another requirement is that your Marketing Cloud account should default to the Enterprise ID (EID), the topmost parent business unit, so that each of the child business units to be used in activation can be accessed. It’s also important to note that you’re limited to connecting only one Salesforce Marketing Cloud to your Salesforce Data Cloud.

The Marketing Cloud Connector can help enrich customer profile data in many ways. Here are some examples of use cases achievable with the Marketing Cloud Connector:

• Ingesting email open and click data that can be used to identify top engagers for segmentation
• Ingesting Einstein scores that can be used for AI-based segmentation
• Surfacing Salesforce Marketing Insights data to CRM objects

Ingestion Lookback Limited to 90 Days for Marketing Cloud Connector

When creating Marketing Cloud data streams, only 90 days worth of data is ingested into Salesforce Data Cloud.

When you’re ready to connect your Salesforce Marketing Cloud account to the Data Cloud platform, you can follow the same steps you used before to set up the Salesforce CRM Connector. This time, you’ll just select Marketing Cloud under the Configuration option, instead of Salesforce CRM. You’ll then be prompted to enter your credentials (Figure 4-12).

Figure 4-12. Connecting Salesforce Marketing Cloud to Data Cloud

It’s best practice to use a dedicated Marketing Cloud API user account for integration with Data Cloud to prevent disruptions resulting from expired passwords. A Marketing Cloud API user’s password doesn’t expire.

At this time, the Marketing Cloud Connector has a latency of hourly to 24 hours, and the data can be refreshed with an Upsert or a full refresh.

When setting up ingestion, it’s possible to use data bundles for Marketing Cloud, including the Email Studio, MobileConnect, MobilePush, and WhatsApp bundles. When it’s time for mapping in Chapter 9, there will be certain required mappings for the Affiliation DMO that will need to be completed for Marketing Cloud ingested data.

Salesforce B2C Commerce Cloud connection

You’ll need access to the B2C Commerce Business Manager in order to create the B2C Commerce Cloud connection to Data Cloud. Additionally, there is a requirement that Commerce Cloud Einstein must be activated before the B2C Commerce Cloud Connector can access the customer profile and transaction data from the B2C Commerce Cloud.

Importantly, Data Cloud can connect only to a B2C Commerce Cloud production instance. No B2C Commerce sandboxes can be connected to your Data Cloud platform.

Case Insensitivity

Within Salesforce Commerce Cloud, it’s possible to create different custom attributes with the same name but different case sensitivities. Salesforce Data Cloud converts all field labels to lowercase, so to avoid any data conflicts, you may need to first modify the field names in your B2C Commerce platform.

You can follow the same steps as before, but this time, select the B2C Commerce configuration. You’ll then be prompted to sync with your Commerce Cloud instance by providing the B2C Commerce Business Manager URL (Figure 4-13).

Figure 4-13. Connecting the Salesforce B2C Commerce Cloud to Data Cloud

Using the B2C Commerce Cloud Connectors allows you to ingest Commerce Cloud order data and related customer and catalog data. Sales order and sales order customer data have an hourly latency; all others have a daily latency. Sales order data can be refreshed with an Upsert; all others require a full refresh.

The B2C Commerce Order Bundle deploys mapping to Contact Point‒type DMOs that are used in identity resolution. When it’s time to perform data mapping, you’ll need to ensure that these specific DMO fields are mapped to the individual DMO fields (Table 4-2).

Table 4-2. B2C DMO Mappings

DSO entity	DSO field	DMO entity	CustomerId
Sales order customer	customerId	Individual	CustomerId
Sales order customer	customerListId	Individual	CustomerListId
Sales order customer	customerNo	Individual	CustomerNo
Sales order customer	usId	Individual	UsId

The ingestion lookback period for the B2C Commerce Connector is 30 days, as of the date the connection is established. Going forward, the B2C Commerce Connector will continue to ingest all the data.

Data Residency Requirements

The General Data Protection Regulation (GDPR) has strict residency requirements for the personal data storage of European Union (EU) citizens. The GDPR disallows the transfer and storage of this data outside of the EU, but there are exceptions when countries can receive and store data if the European Commission has determined that such countries have adequate data and privacy protections. The other exception occurs when a person gives consent for their data to be transferred outside of the European Union.

There are no technical restrictions preventing the connection of any B2C Commerce production org to a Salesforce Data Cloud platform, regardless of hosting location. Thus, your organization will need to ensure compliance with all residency requirements, including GDPR restrictions, before connecting your B2C Commerce org to Data Cloud. Salesforce can assist with providing technical information about the platform that will inform data residency decisions, but it is the data owner’s responsibility to ensure data residency requirements are met.

Creating Data Cloud Custom Permission Sets

Sometimes, you may find yourself needing to give certain accesses to a person who doesn’t align with any of the default Data Cloud persona-based permission sets. The six default Salesforce Data Cloud permission sets are not editable, so if you want to make changes by increasing or decreasing what can be done with a specific permission set, you’ll need to create a new custom permission set. The easiest way to create a new permission set is to start by cloning an existing permission set.

Let’s take a look at the recommended steps to create a new Data Cloud custom permission set:

1. Click on the gear icon at the top right of the screen and select Setup. In the Quick Find box, type users and then permission sets.
2. Select the permission set you want to clone.

   Selection of the Default Permission Set

   If this is the first custom permission set you are creating, it is recommended that you select whichever default permission set is most like the custom permission set you want to create. That way, you’ll have to make the fewest changes.

3. Click the Clone button, give the new custom permission set a relevant name, and click the Save button (Figure 4-14).

   

   Figure 4-14. Creating a new permission set by cloning an existing permission set

4. Click on the link for the new permission set you just created. Click on the Object Settings link, scroll through the object settings for each object, and review the associated object permissions (Figure 4-15). Click on the name of any object for which you want to change the object settings.

   

   Figure 4-15. Object settings permissions to be edited

5. Check or uncheck the box beside the specific permission name you want to change on the permission set (Figure 4-16). When the box is checked, the permission is enabled for the particular object.

   

   Figure 4-16. Object permissions to be enabled or disabled

   View All and Modify All Special Considerations

   For objects such as Segments and Activation Targets, you’ll likely want to deselect the View All and Modify All object permissions for your customer permission sets (Figure 4-16), especially if you intend to take advantage of sharing rules. It is important to note that removing the View All and Modify All permissions from a permission set assigned to a user does not take away that permission from the user if the user has been assigned a profile where View All and Modified All privileges are granted.

6. Click the Save button when you’ve made all the changes to the permission set that you need.
7. Assign the new custom permission set to a user. The steps to accomplish this are described in “Configuring the Admin User”.

Leveraging Data Cloud Sharing Rules

As we’ve seen thus far, permission sets give users the ability to access features and undertake certain activities within the Data Cloud platform. Permission sets, profiles, and sharing rules work much the same in Salesforce Data Cloud as they do in the Salesforce core platform. Within Salesforce, the OWD settings determine the overall most restrictive access, and permission sets are not the only way to open up access beyond the OWD settings. Based on defined criteria, sharing rules can also allow particular users greater access to records than is otherwise granted through OWDs.

There are many reasons you might consider using sharing rules for your Data Cloud org. For example, you may want to restrict marketers from being able to see segments created by others outside of their team or regional area. In that case, you’d restrict visibility into segments by removing the View All/Modify All privileges in profiles and permission sets. After that, you’d open up the segments in each region to all those on the same team or in the same region by using sharing rules.

Another use case for sharing rules often occurs when one organization has multiple brands that should be marketed to distinct audiences. Managing activation targets through sharing rules can reduce the risk of activating to a brand audience in error.

Before setting up sharing rules, you’ll need to have first created in the org any groups and roles that you’ll be needing. Also, make sure that you’ve created all the profiles and permission sets that you need to enable sharing. Most likely, your profiles and permission sets will have the View All/Modify All privileges removed for all objects for which you want to create sharing rules. When you’ve prepared your groups, roles, profiles, and permission sets, you’re ready to update your sharing settings with the following steps:

1. Click on the gear icon at the top right of the screen and select Setup. In the Quick Find box, type sharing settings.

2. Search for the object for which you want to manage the sharing settings using the drop-down menu beside the “Manage sharing settings for:” option. In our example, we’ll select the Data Share Target object (Figure 4-17).

   

   Figure 4-17. Sharing settings for an object

3. Under the Sharing Rules section, click the New button.

4. Define the rule name, select the records to be shared and with whom to share them, and identify the access level (Figure 4-18).

   

   Figure 4-18. Salesforce Data Cloud sharing rule for an object

5. Click the Save button.
6. Repeat these steps to create any new sharing rules for other Data Cloud objects.

Now that you’ve taken care of the platform first-time setup, you and the other Data Cloud users will be able to access the Data Cloud application within Salesforce. The next chapter will focus on briefly exploring each of the menu options within Salesforce Data Cloud.