User Permission sets for Overcast

Overcast for Salesforce provides permission sets to assign to both users who need to manage the integration design-time steps, like creating scenarios, and to the users accessing the integration scenarios. These permission sets are also valuable to users accessing data synchronization scenarios, as well.

1. Overcast Design-time User
2. Overcast Run-time User
3. Permission Sets for each Data Synchronization Scenario
4. Overcast Integration License User Permission Set
5. Overcast Integration API User Permission Set

Overcast Design-time User Permission Set

Assign the Overcast Design-time User permission set to all users who will create and maintain Overcast integration scenarios and configuration. It is expected that these users are already Salesforce administrators because Overcast operations require admin permissions, like deploying Apex code.

For users who do not have an admin profile/permissions, it is recommended to create a unique profile/permission set for them and add the permissions in Required System Permissions for Design-time Operations.

Required System Permissions for Design-time Operations

• API Enabled
• Run Flows
• Author Apex
• Customize Application
• Create and Customize List Views
• Manage Public List Views
• Manage Custom Permissions
• Manage Profiles and Permission Sets
• Manage Translation
• Modify Metadata Through Metadata API Functions
• View Roles and Role Hierarchy
• View Setup and Configuration
• View Reports in Public Folders (For Overcast Home dashboard)
• View Dashboard in Public Folders (For Overcast Home dashboard)

(These additional permissions are system permissions and, as such, cannot be added to an Overcast packaged permission set.)
 

Overcast Run-time User Permission Set

The Overcast Run-time User permission set can be applied directly to users who will use Overcast integrations. This includes users who open record pages with Overcast Lightning Components, custom Lightning Components that call an integration scenario, or custom applications/pages that call integration scenarios.
This permission set contains the Overcast Runtime User custom permission. This can be used to set a Lightning Page visibility filter for Overcast Components so that users without an Overcast license do not see Overcast Components.
 

Data Synchronization Scenario Specific Permission Sets

When a data synchronization scenario is activated, integration objects (custom objects that mirror the backend system API) are deployed with an accompanying permission set. Apply this permission set to any user that will be interacting with the integration objects. This interaction would typically be through a custom application or a trigger event that creates records to run a scenario.

Each permission set is labeled "Overcast Scenario <scenario name>".

Adding additional permissions to this permission set is safe. When the scenario is re-activated, the additional permissions will be retained. 

Overcast Integration License User Permission Set

The Overcast Integration License User permission set is used only when the Overcast Technical User (the user used in the Salesforce Job Connection String) has the Salesforce Integration User license applied to it. 

The Salesforce Integration User license is a restrictive data-operations license, so we need to add additional system permissions for metadata operations permissions so that Overcast can activate Integration Scenarios.

Configure the following.
Permission Set

• Name: Overcast Integration System Permissions
• License: none
• Contained Permissions
  • Required System Permissions 
  • For all necessary application objects (Account, Contact, etc.) that are needed for Data Synchronization Object Mapping.

Permission Set Group

• Name: Overcast Integration User
• Contained Permission Sets
  • Overcast Integration System Permissions
  • Overcast Integration License User
  • All Data Sync Scenario-specific Permission Sets. (These are generated by Overcast) 

User

• User License: Salesforce Integration
• Profile: Salesforce API Only System Integrations
• Permission Set License: Salesforce API Integration
• Directly Assigned Permission Sets: None
• Assigned Permission Set Groups: Overcast Integration User

Overcast Integration API User Permission Set

The Overcast Integration API User permission set is used with the Overcast API Management feature (API Explorer tab). A user who needs to call an Integration Scenario from outside of Salesforce should be assigned this permission set.  

Automated Process User

Overcast uses Platform Events for signaling events, such as, when an Integration Scenario completes. Platform Events are executed in the Automated Process User context. This occurs most commonly when the Scenario runs after being in the Zz Waiting (status code 0) state. Therefore, we need to assign appropriate permissions to the user so Integration Scenarios can be successfully executed.

Assign the Overcast Integration License User permission set to the Automated Process User. This can be done via the Developer Console.

insert new PermissionSetAssignment(
    AssigneeId = [SELECT Id FROM User WHERE alias = 'autoproc'].Id,
    PermissionSetId = [SELECT Id FROM PermissionSet WHERE Name = 'Overcast_Integration_License_User' AND NamespacePrefix = 'overcast'].Id
);

Understanding the ‘Automated Process User’ & the ‘Default Workflow User’ – UnofficialSF

Troubleshooting

• sObject type 'XXX' is not supported. If you are attempting to use a custom object, be sure to append the '__c' after the entity name. Please reference your WSDL or the describe call for the appropriate names.

• DMLException. This user does not have permission to XXX YYY.

Add the Overcast Design-time permission set to the user and, if the user is not an admin, add the above system permissions.