1 Reply Latest reply on Mar 1, 2015 8:39 AM by Mark Budzyn (Prod)

    Issues getting Marketo to honor lead record type visibility/sharing rules in SFDC

      I'm having issues in trying to create some separation between Marketo and SFDC for certain lead records. I've used both different lead record types and sharing rules to restrict visibility; however, Marketo doesn't appear to be honoring these rules.

      I put my Marketo Sync user on its own SFDC profile and restricted that profile's ability to access a specific record type, yet Marketo can still sync with and see that record type that according to SF it should have no visibility to see. No matter if the lead is created in Marketo first and changed in SFDC. Or, created in SFDC. Additionally, I set up a public group that contains only my Marketo sync user to limit read/write access with sharing rules that Marketo. Which should be most certainly keeping it from doing so. However, it's still syncing with a lead record type it shouldn't have the visibility to see!

      When I log into SFDC with the credentials of my admin user it certainly doesn't see the leads of the record types we've restricted access to.  There is nothing else in SFDC we can use to restrict access so it has to be something coming from Marketo's API that is overriding the visibility and permissions granted to the SFDC user. Thoughts? Similar situations or solutions?

      I'm at a loss and Marketo support doesn't appear to have a grasp on this. They keep referring me to the Marketo SFDC sync options in the admin which has no controls or bearing on this setup. So I'm hoping y'all might have some advice or have dealt with this before...

        • Re: Issues getting Marketo to honor lead record type visibility/sharing rules in SFDC
          Mark Budzyn (Prod)
          Hi Amanda,

          The Record Type selection on the SFDC profile only controls what kind of record type the assigned user can create; it does not restrict visibility of those records. From SFDC's documentation:
          Users can view records assigned to any record type. As a result, a page layout is assigned to every record type on a user's profile. A record type assignment on a user’s profile or permission set doesn’t determine whether a user can view a record with that record type. The record type assignment simply specifies that the user can use that record type when creating or editing a record.

          As a result the Marketo Sync user can see all the records. SFDC's security model is pretty good and it's very unlikely that Marketo can even ignore it.

          There's certainly a way to do what you are looking to do through using a combination of role hierarchies/organization-wide default settings and criteria-based sharing.

          Here's one possible approach you can try. Keep in mind that I know nothing about your instance and that changing sharing/access in SFDC may have unforeseen impact on other processes and functionality. If you have a sandbox, I would suggest testing in that environment.

          1. Make sure the lead object is not visible to the Marketo Sync user by looking at the Sharing Settings; if you have 'Grant Access through Hierarchies' turned on for leads, then it is likely the Marketo Sync user's role in the hierarchy is high enough to see all lead records and may need to move into a different part of the hierarchy where it cannot see the leads; on the other hand, if you do not have 'Grant Access through Hierarchies' turned on for the lead object, you may need to evaluate those settings (is it public read/write?) to remove access for the Marketo Sync user. Essentially you want to 'hide' all leads from the Marketo Sync user as part of this step.
          2. Next step would be to create Sharing Setting rules that would create a sharing exception that allows the Marketo Sync user to see the specific targeted lead records. This would require creating Sharing Setting rules using the rule type of 'Based on Criteria' (Note that these rules can only be applied to roles or public groups, so you may need to create a public group for your Marketo Sync user). You can then set up a rule that specifies what record type would be visible to the Marketo Sync user.

          I hope this helps. Sorry if this was a bit long-winded.
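
A way to check the outcome of the two steps above, as an added example that is not part of the original thread: Salesforce's `UserRecordAccess` object reports a user's effective access to a record, so querying it for the sync user shows whether restricted leads are still readable. The Ids, the record type names (`Marketing_Lead`, `Partner_Lead`) and the sample rows are constructed; in practice the rows come from running the generated SOQL with your own API client.

```python
import re
from itertools import islice

MAX_IDS_PER_QUERY = 200  # UserRecordAccess accepts at most 200 RecordIds per query
_SFDC_ID = re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?")


def _checked(sfdc_id):
    """Reject anything that is not a 15/18-char Salesforce Id before it enters SOQL."""
    if not _SFDC_ID.fullmatch(sfdc_id):
        raise ValueError(f"not a Salesforce Id: {sfdc_id!r}")
    return sfdc_id


def build_access_queries(user_id, record_ids):
    """SOQL asking for the user's effective read access, in batches of 200."""
    ids, queries = iter(record_ids), []
    while batch := list(islice(ids, MAX_IDS_PER_QUERY)):
        id_list = ", ".join(f"'{_checked(r)}'" for r in batch)
        queries.append(
            "SELECT RecordId, HasReadAccess FROM UserRecordAccess "
            f"WHERE UserId = '{_checked(user_id)}' AND RecordId IN ({id_list})"
        )
    return queries


def find_unexpected_access(leads, access_rows, allowed_record_types):
    """Ids of leads the user can read although their record type is not allowed."""
    readable = {row["RecordId"] for row in access_rows if row["HasReadAccess"]}
    return sorted(
        lead["Id"] for lead in leads
        if lead["Id"] in readable
        and lead["RecordType"]["DeveloperName"] not in allowed_record_types
    )


# Constructed sample data (hypothetical Ids and record type names).
SYNC_USER = f"005{1:012d}AAA"
LEADS = [
    {"Id": f"00Q{n:012d}AAA", "RecordType": {"DeveloperName": rt}}
    for n, rt in [(1, "Marketing_Lead"), (2, "Partner_Lead"), (3, "Partner_Lead")]
]
ACCESS_ROWS = [
    {"RecordId": LEADS[0]["Id"], "HasReadAccess": True},
    {"RecordId": LEADS[1]["Id"], "HasReadAccess": True},  # restricted type, still readable
    {"RecordId": LEADS[2]["Id"], "HasReadAccess": False},
]

if __name__ == "__main__":
    print(build_access_queries(SYNC_USER, [lead["Id"] for lead in LEADS])[0])
    print(find_unexpected_access(LEADS, ACCESS_ROWS, {"Marketing_Lead"}))
```

An empty result from `find_unexpected_access` means the sync user reads only leads of the allowed record types; any Id it returns points at a sharing path that still exposes the record.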