This topic is intended for users with Ironclad Managed Package Version 3.0 or higher. The content may not be accurate for lower version numbers. Refer to Salesforce Permissions (Version 2.30 and below) instead.
The Ironclad Managed Package includes two default permission sets that include all of the permissions needed for Standard Users and Admin Users, respectively. In Salesforce, assign the corresponding permission set to each user who will need access to the Ironclad features. If you are using the included permission sets, no additional action is required. Simply assign the permission sets to your desired users (you do not need to clone them unless you want to modify the permission set).
The package permissions are specific to the Salesforce Managed Package and do not have the power to restrict access to features on the Ironclad CLM. Use Ironclad’s permissions tools to remove or modify access to Ironclad features. The Salesforce Managed Package will respect those access rules, in addition to any Salesforce-specific access rules you have configured using either our managed package, or Salesforce’s other tooling (e.g. component visibility filters).
Custom Permissions in the Managed Package
With version 3.0 and above of the Ironclad Managed Package, there are custom permissions in Salesforce associated with different components of the managed package. If you are not using the standard permission sets, you must assign these custom permissions to each user who needs access to the component. You can also follow Salesforce’s guidance to enable a custom permission for a profile type.
You can see the list of custom permissions by navigating to Salesforce Setup > Custom Code > Custom Permissions.
The included custom permissions are (LWC = Salesforce Lightning Web Component):
Name | What is that permission used for? |
Ironclad Workflow Comments |
The Ironclad_Workflow_Comments permission is used to control access to the Ironclad Messages LWC, specifically the ‘Chat’ tab. This feature is used to view and post comments in the Ironclad activity feed. This includes @mentioning Ironclad users and adding new workflow participants/approvers without leaving Salesforce. |
Ironclad Workflow Communications |
The Ironclad_Workflow_Communications permission is used to control overall access to the Ironclad Messages LWC. This LWC contains both the ‘Chat’ and ‘Email’ tabs. |
Ironclad Workflow Documents |
The Ironclad_Workflow_Documents permission is used to control access to the Ironclad Documents LWC. This feature is used to view (and if the permission is given in Ironclad, download) the workflow documents within Salesforce, including compare document versions. You can also upload new file versions during contract review and upload signed signature packets. |
Ironclad Workflow Emails |
The Ironclad_Workflow_Emails permission is used to control access to the Ironclad Messages LWC, specifically the ‘Emails’ tab. This feature is used to send new emails, read emails, and download documents emailed to the workflow (e.g. from a counterparty). It is also used to upload email document attachments directly to the workflow without leaving Salesforce. This custom permission does NOT control access to the ‘email documents to counterparty’ feature that is available within the ‘Ironclad Documents’ LWC. |
Ironclad Workflow Permissions | The Ironclad_Workflow_Permissions permission is used to control access to the embedded workflow launch forms and the general Ironclad Workflow Object in Salesforce. It must be assigned to all users as a first step, and then the other permissions listed here can be granted to enable access to individual features. |
Review Managed Package Version
The Download AppExchange Package permission is needed in order to show the managed package version number in Ironclad. This is only needed for the service account. You can safely disable it, but if you do you will not be able to see in Ironclad what version of the managed package you are using (it is still possible to check the version within Salesforce).
Add Permissions to Existing Permission Sets
If you prefer not to use the managed package’s permission sets, it is standard to clone a managed permission set and add to it when needed. With this in mind, you should add permission to the newly created lookup fields to a cloned permission set.
You can also incorporate the required permissions into existing permission sets. To do this, add the permissions found in the tables below:
In order to configure the Authorization Token in the Ironclad Setup module, a user will need the Ironclad Admin User permission set. If you are not using the default permission sets, the user will need to be a Salesforce Sys Admin or have been granted the View All Custom Settings permission in Salesforce. Ironclad recommends using our standard permission set for setting the API token. If you have any questions, contact your Salesforce support representative.
For more information, refer to Add an Ironclad Authorization Token to Salesforce.
Object Name | Object Permissions | Tab Settings | Field Settings |
---|---|---|---|
Ironclad Approvals | Read | -- | Read on: Approval Name Approval Role Approval Status |
Ironclad Contracts | Read | Available, Visible | Read on: Account Name Agreement Date Contract Type Counterparty Signed By |
Ironclad Signatures | Read | -- | Read on: Signature Name Signer Name Signer Status Signer Email |
Ironclad Workflow Configurations | - | - | - |
Ironclad Workflows | Read, Create, Edit | Available, Visible | Read/Edit on: Workflow Link Workflow Name Workflow Status Workflow Type |
Ironclad Workflow Launch Group Options | - | - | - |
Ironclad Workflow Launch Groups | - | - | - |
Launch Ironclad Workflow | -- | Available, Visible | |
Error Logs | Read, Create, Write, Delete | — | |
For each object that has a lookup field for Ironclad Workflows
|
Read, Write |
Object Name | Object Permissions | Tab Settings | Field Settings |
---|---|---|---|
Ironclad Approvals | Create, Edit, Delete | -- | Read/Edit on: Approval Name Approval Role Approval Status |
Ironclad Contracts | Read, Create, Edit, Delete | Available, Visible | Read/Edit on: Account Name Agreement Date Contract Type Counterparty Signed By |
Ironclad Signatures | Create, Edit, Delete | -- | Read/Edit on: Signature Name Signer Name Signer Status Signer Email |
Ironclad Workflow Configurations | Read, Create, Edit, Delete | Available, Visible | Read/Edit on: Source Object Url |
Ironclad Workflows | Read, Create, Edit, Delete | Available, Visible | Read/Edit on: Workflow Link Workflow Name Workflow Status Workflow Type |
Ironclad Workflow Launch Group Options | Read, Create, Edit, Delete | Available, Visible | |
Ironclad Workflow Launch Groups | Read, Create, Edit, Delete | Available, Visible | Read/Edit on: Source Object |
Launch Ironclad Workflow | -- | Available, Visible | |
For each object that has a lookup field for Ironclad Workflows
|
Read, Write |
Clone the Standard Package Permission Set
In this example, we will clone the Ironclad Standard User permission set. If you plan to assign Ironclad Admin permissions to non-admin Salesforce users, it’s best for you to clone the Ironclad Admin permission set.
Clone Packaged Standard Permission Set
- In the top right corner, click the Setup icon indicated by a blue gear.
- Click the App Launcher icon indicated by a square grid in the top left corner. Search for Users. Click Permission Sets located under Users.
- Locate the Ironclad Standard User permission set and click Clone.
- Enter new values for the Label and API Name. Click Save.
Add Lookup Object Access to Cloned Permission Set
After you clone the permission set, you must add access in your cloned Permission Sets to the object that you created a lookup field for. In this example, we will add access to the Contact object because we previously created a lookup field for contacts on the Ironclad Workflow object.
You should repeat this process for each object type that you added a lookup field for, as well as for the Ironclad Admin User Clone permission set (if you created one).
- In the top right corner, click the Setup icon indicated by a blue gear.
- Click the App Launcher icon indicated by a square grid in the top left corner. Search for Users. Click Permission Sets located under Users.
- Select the Ironclad Standard User Clone permission set.
- Under the Apps section, click Object Settings.
- Select the Object you want to edit. In this example, select Contacts. Notice that the permissions are currently set to ‘No Access’.
- Click Edit.
- Under Object Permissions, check the boxes to enable Read and Write permissions. Click Save.
- Repeat the steps above for each object you added a lookup field for.
- If you cloned the Ironclad Admin User permission set, repeat these steps to add all the object-level permissions for that permission set as well.
Assign Permission Sets
Once you’ve cloned and updated your permission sets, you must assign them to the appropriate users. This section will walk you through assigning the Ironclad Standard User Clone permission set, but if needed, you may use the same steps to assign the Ironclad Admin Clone permission set as well.
- In the top right corner, click the Setup icon indicated by a blue gear.
- Click the App Launcher icon indicated by a square grid in the top left corner. Search for Users. Click Permission Sets located under Users.
- Select the Ironclad Standard User Clone permission set.
- Click Manage Assignments located near the top of the permission set.
- Click Add Assignments.
- Select the users you want to assign and click Assign.
Next, you must add access in your cloned permission sets to the object that you created a lookup field for. In this example, we will add access to the Contact object because we previously created a lookup field for contacts on the Ironclad Workflow object.
You should repeat this process for each object type that you added a lookup field for, as well as for the Ironclad Admin User Clone permission set (if you created one).
- In the top right corner, click the Setup icon indicated by a blue gear.
- Click the App Launcher icon indicated by a square grid in the top left corner. Search for Users. Click Permission Sets located under Users.
- Select the Ironclad Standard User Clone permission set.
- Under the Apps section, click Object Settings.
- Select the Object you want to edit. In this example, select Contacts. Notice that the permissions are currently set to ‘No Access’.
- Click Edit.
- Under Object Permissions, check the boxes to enable Read and Write permissions. Click Save.
- Repeat the steps above for each object you added a lookup field for.
- If you cloned the Ironclad Standard User permission set, repeat these steps to add all the object-level permissions for that permission set as well.
Add Salesforce Component Visibility Filters
To manage which of the packaged lightning components users can see, there are a couple of features to leverage:
- We provide a set of custom permissions (described above), which can be used to manage user access to any of the primary packaged components. Users will be able to see the component if they have Object Permissions to view them, however the actual interactions with those components will be blocked without the associated custom permission.
If you would like to prevent a subset of users from seeing individual components, we recommend Salesforce Admins to follow the guidelines detailed in the Salesforce Help Center for Component Visibility Filtering.