Deployment guide for Borobadur

This document provides an Administrator with the information required to either install the Borobudur package into a new org or upgrade an existing version of the package.

Salesforce Security Review

To achieve Salesforce’s Security accreditation for the Borobudur package, a full review of the security in the package was performed. Several security best practices have been implemented to stay up to speed with Salesforce’s security model. Several improvements have been made in actions performed by the Force.com read-only site user.

Changes made include:

Enforcing sharing fully in the package’s APEX code using the latest best practices
Enforcing full CRUD and FLS checks in SOQL calls made by the package’s APEX code using the latest best practices.
Enforcing full CRUD and FLS checks in DML calls made by the package’s APEX code using the latest best practices.

In addition, a new security model has been introduced to allow users to perform privileged actions based on the custom permissions assigned to them.

Details of the new security model can be found in the document below.

Borobudur Security Extensions

Security Recommendations

Salesforce’s recommendation is that customers deprecate their use of profiles and use permission sets to grant the access needed by their users. Kaptio understand that is potentially a large undertaking, but Salesforce provide tools to perform the conversion from a profile to a permission set.

There are currently some access rights that cannot be granted by permission sets, they are documented here Converting Profiles to Permission Sets.

The profile to permission set conversion is User Access & Permissions Assistant package. The package is free and can be downloaded here(.

To prevent having to assign multiple permission sets to users, Kaptio recommend that customers use permission set groups. A single group containing multiple permission sets may be assigned to a user. Click here for information on permission set groups.

Permissions set groups were used by Kaptio during the testing of Borobudur. A permission set group was created for a sales assistant, and all the permission sets required for this role were added to the permission set group. This group was assigned to the sales users used during testing.

Pre-Install Actions

The following section(s) must be reviewed prior to deploying the Borobudur package.

New Custom Fields in Borobudur

This section is only applicable if you are upgrading an existing package.

Borobudur includes many new custom fields. There is a possibility that some of the fields you have added have API Names which are the same as the API Names we have chosen for the new fields in Borobudur. Despite your custom field being in your own namespace and our custom field being in the KaptioTravel namespace, Salesforce considers your field to be a shadow field of ours. In this scenario, in the SOQL queries made from the package, Salesforce will never return your field. The only solution for this issue is for you to change the API Name of any duplicate field to something that doesn’t clash with our API Names used in the custom object.

Please contact Kaptio Travel support if you have any questions or concerns about this requirement.

Here is a list of the custom objects and new fields in Borobudur that we think you may have already created fields of the same API Name for.

| Kaptio Custom Object | Field API Name | | --- | --- | | AllotmentDayc | Release1DayDatec | | Itemc | ActiveMappingsCountc | | ItineraryMasterBreakdownGroupc | CalculatedFinalPricec | | ItineraryMasterBreakdownGroupc | CalculatedTotalPricec | | ItinerarySubBreakdownGroupc | CalculatedFinalPricec | | ItinerarySubBreakdownGroupc | CalculatedTotalPricec | | Itinerary_Itemc | CalculatedTotalPricec | | Itinerary_Itemc | FlightStatusc | | Itineraryc | TotalBalancePaidc | | Itineraryc | TotalDepositPaidc | | Packagec | PackageCodec | | Passengerc | CountryOfBirthc | | Passengerc | CountryOfResidencec | | Passengerc | Phonec | | PaymentSchedulec | ItineraryGroupc | | TrainStationLocationc | GatewayLocationCodec |

Installation

Install the Borobudur package from the package link provided by Kaptio Travel.

It is recommended that when installing the package you choose the I*nstall For Specific Profiles* option and set all profiles to No Access.

Post-Install Actions

The following sections detail the actions to be taken after installing the package.

Elastic Search Event Feed

Borobudur has new functionality allowing events to be published to Elastic Search recording the performance of your org. These events will be used by Kaptio to diagnose problems when encountered and also to gather information about your org’s performance. The information will be used to tune your org.

Whether events are produced and at what logging level can be set at the org, profile or user level. The configuration of this is under Kaptio’s control. On installation of Borobudur, all events are disabled.

To allow for a user to produce events, when enabled, the (Kaptio) Log Events permission set must be assigned to that user. Kaptio recommended that you assign this permission set to all users.

Itinerary Builder And Costings

The security in both components was increased as part of the Salesforce security review. Using profiles or permission sets alone for a user working with itineraries will require the assignment of system privileges. This in itself may pose a security threat.

To address this issue, the (Kaptio) Build Trips & Itineraries custom permission can be used. Assigning this custom permission to a user will grant access to the user to perform the actions that required system privileges. The custom permission only grants the privileged access in Kaptio’s APEX code, it does not grant the user additional Salesforce access.

Kaptio recommend that you create a permission set with this custom permission in it and assign it to your sales users or if you already have a sales permission set, add this custom permission to it.

Force.com Read-Only User Permission Sets

Setting up the read only user for your Force.com read-only user can be a difficult task. In addition to setting the sharing up, profiles or permission sets must be assigned to the read-only user to grant the access required to perform actions such as allowing a customer to view a proposal document.

Furthermore, the read-only user actions in the package were identified as security threats during the review undertaken by Kaptio for the Salesforce security review. The issues identified have been resolved in Borobudur.

Permissions sets have been created for the read-only user for the actions the user can perform. This table shows the permission set names and their purpose. These permission sets are intended for assignment to the read-only user, they should not be assigned to any other user.

Permission Set	Purpose
(Kaptio) View Proposals	Grants access to a read only user to view a Proposal.
(Kaptio) Itinerary Comments	Grants access to a read only user to make a comment or ask a question about a Proposal.
(Kaptio) Customer Payment	Grants access to a read only user to process a payment for a customer.
(Kaptio) Supplier Actions	Grants access to a read only user to allow a supplier to confirm or reject bookings.

Permission Set

Purpose

(Kaptio) View Proposals

Grants access to a read only user to view a Proposal.

(Kaptio) Itinerary Comments

Grants access to a read only user to make a comment or ask a question about a Proposal.

(Kaptio) Customer Payment

Grants access to a read only user to process a payment for a customer.

(Kaptio) Supplier Actions

Grants access to a read only user to allow a supplier to confirm or reject bookings.

Due to restrictions in Salesforce, these permission sets could not be packaged. They can be downloaded here and installed into your org using https://workbench.developerforce.com/.

ReadOnlyUserPermissionSets.zip

Once Workbench has loaded, from the pulldown menu at the top, select Migration > Deploy.

Use the Choose File button to select the zip file you downloaded. Do not tick any of the checkboxes. Click Next.

On the following page, click Deploy.

The success or failure of the import will be shown on the following screen.

If any errors are reported or you have any questions regarding the deployment of the permission sets, please contact Kaptio support.

To add the permission set, you’ll need to navigate to the read-only user:

Navigate to Setup and search for Sites.
Locate your Site (for example, Online Application or Events) and click the Site Label.
Select Public Access Settings.
Click the Assigned Users button.
Click on the Full Name of your Site Guest User.
Navigate to the ‘Permission Set Assignments’ section.
Select Edit Assignments.
Click the permission sets required from the Available Permission Sets list and select Add**.
Save your changes.

Post Install Script

The post install script for Borobudur will add two scheduled jobs. When added though, the jobs are scheduled as the package install user. The package install user has very limited access to objects outside of the KaptioTravel namespace. This results in neither of the scheduled jobs being able to run when they reach their scheduled time.

To correct this issue, you can use Developer Console. As the Administrator, run the following anonymous APEX. This will re-schedule the jobs as the Administrator and will allow them to run as configured.

Map<String, Integer> fromVersion = new Map<String, Integer> {
		'major' => 15,
		'minor' => 10
};

Map<String, Integer> toVersion = new Map<String, Integer> {
		'major' => 16,
		'minor' => 0
};

KaptioTravel.ServiceCall.execute(
		'PostInstallClass.doInstall',
		new Map<String, Object> {
				'fromVersion' => fromVersion,
				'toVersion' => toVersion,
				'notificationTo' => new List<String> { 'devops@kaptio.com' }
		}
);

We are working on a solution to this in a future release.

To confirm that the jobs have been scheduled correctly, go to Setup > Scheduled Jobs. Confirm the Session Cleaner and Midnight Inventory Management Job are both Submitted By the administrative user the Anonymous Apex was run as.

Itinerary Documents

A number of scripts required update within the Kaptio Travel core which results in any custom code referencing the following scripts directly from Kaptio Travel will need to be updated as follows:

Script	New URL
Jquery	{!URLFOR($Resource.KaptioTravel__assets6, '/libs/jquery/3.6.0/jquery.min.js')}
Bootstrap JS (replaced with two files)	{!URLFOR($Resource.KaptioTravelassets, '/libs/bootstrap/3.2.2/js/modal.js')} {!URLFOR($Resource.KaptioTravelassets, '/libs/bootstrap/3.2.2/js/tab.js')}
Bootstrap CSS	{!URLFOR($Resource.KaptioTravel__assets, '/libs/bootstrap/3.2.2/css/bootstrap_ns.css')}
MomentJS	{!URLFOR($Resource.KaptioTravel__assets7, '/libs/momentjs/2.29.4/moment.min.js')}
froogaloop2	{!URLFOR($Resource.KaptioTravel__assets5, '/libs/froogaloop2/froogaloop2.min.js')}

Script

New URL

Jquery

{!URLFOR($Resource.KaptioTravel__assets6, '/libs/jquery/3.6.0/jquery.min.js')}

Bootstrap JS (replaced with two files)

{!URLFOR($Resource.KaptioTravelassets, '/libs/bootstrap/3.2.2/js/modal.js')} {!URLFOR($Resource.KaptioTravelassets, '/libs/bootstrap/3.2.2/js/tab.js')}

Bootstrap CSS

{!URLFOR($Resource.KaptioTravel__assets, '/libs/bootstrap/3.2.2/css/bootstrap_ns.css')}

MomentJS

{!URLFOR($Resource.KaptioTravel__assets7, '/libs/momentjs/2.29.4/moment.min.js')}

froogaloop2

{!URLFOR($Resource.KaptioTravel__assets5, '/libs/froogaloop2/froogaloop2.min.js')}

Manual Steps:

Please add the class “ns-bootstrap” to your body tag, or the outermost container in your documents. This is to make sure that the Bootstrap CSS will apply to your content. Please note that this may already have been the case before this update.