Custom Permissions
This guide documents all custom permissions in the Suger Salesforce App. Custom permissions control feature access and UI visibility for offers, referrals, and administrative functions.
Overview
Suger uses Salesforce Custom Permissions to control granular access to specific features within the app. These permissions are assigned to users through Permission Sets (see Permission Sets).
Custom permissions differ from Permission Sets in that they:
- Control specific features and actions (not object access)
- Enable/disable UI elements like buttons and menu items
- Follow a hierarchical logic where generic permissions override platform-specific ones
Permission Hierarchy
The Suger permission model uses a hierarchical structure where generic permissions override platform-specific permissions:
```
GENERIC (applies to all platforms)
├─ Create_Offer ────────► Can create offers for ANY platform
├─ Read_Offer ──────────► Can read offers from ANY platform
├─ Create_Referral ─────► Can create referrals for ANY platform
└─ Read_Referral ───────► Can read referrals from ANY platform

PLATFORM-SPECIFIC (limited to one platform)
├─ AWS
│  ├─ Write_AWS_Offer
│  ├─ Read_AWS_Offer
│  ├─ Write_AWS_Referral
│  └─ Read_AWS_Referral
├─ Azure
│  ├─ Write_Azure_Offer
│  ├─ Read_Azure_Offer
│  ├─ Write_Azure_Referral
│  └─ Read_Azure_Referral
├─ GCP
│  ├─ Write_GCP_Offer
│  ├─ Read_GCP_Offer
│  ├─ Write_GCP_Referral
│  └─ Read_GCP_Referral
└─ Snowflake
   ├─ Write_SNOWFLAKE_Offer
   └─ Read_SNOWFLAKE_Offer
```
Offer Permissions
Generic Offer Permissions
| Permission | API Name | Description | UI Effect |
|---|---|---|---|
| Create Offer | Create_Offer | Create offers for any marketplace | Shows "New Offer" button, enables offer creation flows |
| Read Offer | Read_Offer | View offers from any marketplace | Shows offer records and list views for all platforms |
Platform-Specific Write Permissions
These permissions allow creating and modifying offers for a specific cloud platform only.
| Permission | API Name | Description |
|---|---|---|
| Write AWS Offer | Write_AWS_Offer | Create/modify AWS marketplace offers |
| Write Azure Offer | Write_Azure_Offer | Create/modify Azure marketplace offers |
| Write GCP Offer | Write_GCP_Offer | Create/modify GCP marketplace offers |
| Write Snowflake Offer | Write_SNOWFLAKE_Offer | Create/modify Snowflake marketplace offers |
Platform-Specific Read Permissions
These permissions allow viewing offers for a specific cloud platform only.
| Permission | API Name | Description |
|---|---|---|
| Read AWS Offer | Read_AWS_Offer | View AWS marketplace offers |
| Read Azure Offer | Read_Azure_Offer | View Azure marketplace offers |
| Read GCP Offer | Read_GCP_Offer | View GCP marketplace offers |
| Read Snowflake Offer | Read_SNOWFLAKE_Offer | View Snowflake marketplace offers |
Referral (Co-Sell) Permissions
Generic Referral Permissions
| Permission | API Name | Description | UI Effect |
|---|---|---|---|
| Create Referral | Create_Referral | Create referrals for any cloud partner | Shows referral creation buttons for all platforms |
| Read Referral | Read_Referral | View referrals from any cloud partner | Shows referral records and list views for all platforms |
Platform-Specific Write Permissions
| Permission | API Name | Description |
|---|---|---|
| Write AWS Referral | Write_AWS_Referral | Create/modify AWS co-sell referrals |
| Write Azure Referral | Write_Azure_Referral | Create/modify Azure co-sell referrals |
| Write GCP Referral | Write_GCP_Referral | Create/modify GCP co-sell referrals |
Platform-Specific Read Permissions
| Permission | API Name | Description |
|---|---|---|
| Read AWS Referral | Read_AWS_Referral | View AWS co-sell referrals |
| Read Azure Referral | Read_Azure_Referral | View Azure co-sell referrals |
| Read GCP Referral | Read_GCP_Referral | View GCP co-sell referrals |
Approval Permissions
These permissions control access to approval workflows for offers and co-sell referrals.
| Permission | API Name | Description | UI Effect |
|---|---|---|---|
| Approve Offer | Approve_Offer | Approve/reject offers in approval workflow | Shows approval section and actions on offer records |
| Approve Cosell | Approve_Cosell | Approve/reject co-sell referrals | Shows approval actions on referral records |
Contact Management Permissions
These permissions control the ability to manage contacts on offer records.
| Permission | API Name | Description | UI Effect |
|---|---|---|---|
| Modify Offer Contacts | Modify_Offer_Contacts | Add/remove contacts from offers | Shows "Add Contact" button on offer records |
| Notify Offer Contacts | Notify_Offer_Contacts | Send notifications to offer contacts | Shows "Notify Contacts" button on offer records |
Administrative Permissions
| Permission | API Name | Description | UI Effect |
|---|---|---|---|
| Modify Settings | Modify_Settings | Access and modify Suger settings | Shows Settings tab and allows configuration changes |
Permission Checking Logic
The Suger app uses the following logic to determine user access:
For Offer Creation
- Check if user has `Create_Offer` → grant access to all platforms
- If not, check the platform-specific permission (e.g., `Write_AWS_Offer`)
- If neither, access is denied
For Offer Reading
- Check if user has `Create_Offer` → writers can read (grant access)
- If not, check if user has `Read_Offer` → grant access to all platforms
- If not, check the platform-specific permission (e.g., `Read_AWS_Offer`)
- If none, access is denied
For Product Filtering
When creating offers, the product list is filtered based on the user's write permissions:
- If user has `Create_Offer` → show products for all platforms
- If user has only `Write_AWS_Offer` → show only AWS products
- Multiple platform permissions combine (e.g., `Write_AWS_Offer` + `Write_GCP_Offer` shows both)
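The three checks above, written as an added Apex example (not Suger's own code) against the standard `FeatureManagement.checkPermission` API, which evaluates a custom permission for the running user. The class and method names are hypothetical; the permission API names are the ones documented on this page.

```apex
// Added example, not Suger's code: the documented check order for offer access.
// FeatureManagement.checkPermission(apiName) is the standard Apex call for
// custom permissions. In a managed package the DeveloperName may need the
// package namespace prefix (assumption; adjust to your org).
public with sharing class SugerOfferAccessExample {

    // Platform segments as they appear in the permission API names.
    public static final List<String> PLATFORMS =
        new List<String>{ 'AWS', 'Azure', 'GCP', 'SNOWFLAKE' };

    private static Boolean has(String apiName) {
        return FeatureManagement.checkPermission(apiName);
    }

    // Offer creation: generic Create_Offer first, then the platform-specific
    // write permission; anything else is denied.
    public static Boolean canCreateOffer(String platform) {
        if (has('Create_Offer')) {
            return true;
        }
        return has('Write_' + platform + '_Offer');
    }

    // Offer reading: writers can read (Create_Offer), then generic Read_Offer,
    // then the platform-specific read permission.
    public static Boolean canReadOffer(String platform) {
        if (has('Create_Offer') || has('Read_Offer')) {
            return true;
        }
        return has('Read_' + platform + '_Offer');
    }

    // Product filtering: the platforms whose products the user may pick when
    // creating an offer. Create_Offer yields every platform; otherwise each
    // Write_<platform>_Offer the user holds adds its platform, so AWS + GCP
    // write permissions combine to show both.
    public static Set<String> writablePlatforms() {
        Set<String> result = new Set<String>();
        for (String platform : PLATFORMS) {
            if (canCreateOffer(platform)) {
                result.add(platform);
            }
        }
        return result;
    }
}
```

The returned set is what a product query or UI component would filter on; the page does not name the product field that carries the platform, so that filter is left to the caller.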
UI Elements Controlled by Permissions
Tab Visibility
| Tab | Required Permission(s) |
|---|---|
| Products | Any marketplace offer permission |
| Offers | Any marketplace offer permission |
| Entitlements | Any marketplace offer permission |
| Buyers | Any marketplace offer permission |
| Referrals | Any co-sell referral permission |
| Settings | Modify_Settings or System Administrator |
Action Buttons
| Button/Action | Required Permission(s) |
|---|---|
| Create Offer | Create_Offer OR any Write_*_Offer |
| Edit Offer | Platform-specific write permission for the offer's partner |
| Approve/Reject Offer | Approve_Offer |
| Add Contact | Modify_Offer_Contacts OR Create_Offer |
| Notify Contacts | Notify_Offer_Contacts OR Create_Offer |
| Create Referral | Create_Referral OR any Write_*_Referral |
| Edit Referral | Platform-specific write permission for the referral's partner |
| Approve/Reject Referral | Approve_Cosell |
| Delete Referral | Uses native Salesforce object permissions (isDeletable()) |
Permission Set Assignments
The following tables show which custom permissions are included in each permission set:
Suger User (Full Access)
The Suger User permission set grants access to ALL custom permissions across all platforms:
| Permission Category | Permissions Included |
|---|---|
| Generic Offer | Create_Offer, Read_Offer |
| AWS Offer | Write_AWS_Offer, Read_AWS_Offer |
| Azure Offer | Write_Azure_Offer, Read_Azure_Offer |
| GCP Offer | Write_GCP_Offer, Read_GCP_Offer |
| Snowflake Offer | Write_SNOWFLAKE_Offer, Read_SNOWFLAKE_Offer |
| Generic Referral | Create_Referral, Read_Referral |
| AWS Referral | Write_AWS_Referral, Read_AWS_Referral |
| Azure Referral | Write_Azure_Referral, Read_Azure_Referral |
| GCP Referral | Write_GCP_Referral, Read_GCP_Referral |
| Contact Management | Modify_Offer_Contacts, Notify_Offer_Contacts |
Marketplace Permission Sets
| Permission | Marketplace Read Only | Marketplace AWS | Marketplace Azure | Marketplace GCP | Marketplace Snowflake |
|---|---|---|---|---|---|
| Read_Offer | ✓ | | | | |
| Write_AWS_Offer | | ✓ | | | |
| Read_AWS_Offer | | ✓ | | | |
| Write_Azure_Offer | | | ✓ | | |
| Read_Azure_Offer | | | ✓ | | |
| Write_GCP_Offer | | | | ✓ | |
| Read_GCP_Offer | | | | ✓ | |
| Write_SNOWFLAKE_Offer | | | | | ✓ |
| Read_SNOWFLAKE_Offer | | | | | ✓ |
| Modify_Offer_Contacts | ✓ | ✓ | ✓ | | |
| Notify_Offer_Contacts | ✓ | ✓ | ✓ | | |
Co-Sell Permission Sets
| Permission | Cosell | Cosell AWS | Cosell Azure | Cosell GCP | Cosell Read Only |
|---|---|---|---|---|---|
| Create_Referral | ✓ | | | | |
| Read_Referral | ✓ | | | | ✓ |
| Write_AWS_Referral | ✓ | ✓ | | | |
| Read_AWS_Referral | ✓ | ✓ | | | ✓ |
| Write_Azure_Referral | ✓ | | ✓ | | |
| Read_Azure_Referral | ✓ | | ✓ | | ✓ |
| Write_GCP_Referral | ✓ | | | ✓ | |
| Read_GCP_Referral | ✓ | | | ✓ | ✓ |
Administrative Permission Sets
| Permission | Suger Integrator | Suger Approver |
|---|---|---|
| All Offer Permissions | ✓ | |
| All Referral Permissions | ✓ | |
| Approve_Offer | ✓ | ✓ |
| Approve_Cosell | ✓ | ✓ |
| Modify_Settings | ✓ | |
| Modify_Offer_Contacts | ✓ | |
| Notify_Offer_Contacts | ✓ | |
Best Practices
Principle of Least Privilege
Assign the most restrictive permission set that meets the user's needs:
- For human users who need full access to the Suger app, use `Suger_User`
- For users who only work with one cloud platform, use platform-specific permission sets
- Reserve `Suger_Integrator` for integration/API users only (not human users)
Permission Set Groups
Consider creating Permission Set Groups to combine multiple permissions:
- AWS Power User: `Suger_User_Marketplace_AWS` + `Suger_User_Cosell_AWS`
- Multi-Cloud Viewer: `Suger_User_Marketplace_Read` + `Suger_User_Cosell_Read`
Testing Permissions
Before deploying permission changes to production:
- Create a test user with the target permission set
- Verify tab visibility matches expectations
- Confirm action buttons appear/hide correctly
- Test actual CRUD operations to verify object-level access
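The first step of that checklist, as an added Apex test (not Suger's own code): create a fresh user, assign one platform-specific permission set, and assert which custom permissions resolve for that user. It assumes a `Standard User` profile exists in the org and that the permission set API name `Suger_User_Marketplace_AWS` named on this page carries no namespace prefix.

```apex
// Added example, not Suger's code. Checks that a Marketplace AWS user gets the
// AWS offer permissions and nothing generic or cross-platform.
@IsTest
private class SugerPermissionSetAssignmentTest {

    @IsTest
    static void marketplaceAwsUserGetsOnlyAwsOfferPermissions() {
        // Assumption: a 'Standard User' profile exists; pick any non-admin profile.
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User(
            Alias = 'sugtest', Email = 'suger.test@example.com',
            EmailEncodingKey = 'UTF-8', LastName = 'Tester',
            LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US',
            ProfileId = p.Id, TimeZoneSidKey = 'America/Los_Angeles',
            Username = 'suger.test.' + System.currentTimeMillis() + '@example.com'
        );
        insert u;

        // User and PermissionSetAssignment are both setup objects, so these
        // inserts do not trigger the mixed-DML restriction.
        PermissionSet ps = [SELECT Id FROM PermissionSet
                            WHERE Name = 'Suger_User_Marketplace_AWS' LIMIT 1];
        insert new PermissionSetAssignment(AssigneeId = u.Id, PermissionSetId = ps.Id);

        System.runAs(u) {
            // Platform-specific AWS permissions are granted by this set.
            System.assert(FeatureManagement.checkPermission('Write_AWS_Offer'));
            System.assert(FeatureManagement.checkPermission('Read_AWS_Offer'));
            // The generic permissions and other platforms are not, so this user
            // cannot create or read offers for every platform.
            System.assert(!FeatureManagement.checkPermission('Create_Offer'));
            System.assert(!FeatureManagement.checkPermission('Read_Offer'));
            System.assert(!FeatureManagement.checkPermission('Write_Azure_Offer'));
        }
    }
}
```

Tab and button visibility (steps 2 and 3) are UI behaviour and are verified by logging in as the test user; the CRUD step (4) can be covered by DML inside the same `System.runAs` block.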