What Is Profile?

• A Salesforce profile is a set of settings and permissions provided to specific Salesforce user.
• A profile in Salesforce determines the way in which users can access objects and data to perform specific
business processes.
• Profile is mandatory to assigned to every user whenever a user.
• A profile can be assigned to many users, but user can be assigned single profile at atime.
• A profile controls “Object permissions, Field permissions, User permissions, Tab settings, App settings, Apex
class access, Visualforce page access, Page layouts, Record Types, Login hours & Login IP ranges.
• You can define profiles by user’s job function. For example System Administrator, Developer, Sales
Representative.

A Salesforce profile controls the following key aspects pertaining to Salesforce:

1. Field Level Security – Here, the users are restricted to create, read, edit, and delete fields according to specific
requirements.
2. Page Layouts – This restricts the page layouts a Salesforce user is permitted to see.
3. Custom Apps – This restricts all the custom and standard apps that can be viewed and accessed by a Salesforce
user.
4. Record Types – This restricts the record types available to specific Salesforce users.
5. Login – This restricts the login hours of Salesforce users onto the platform based on specific requirements.
6. Tabs – This restricts the tabs that can be accessed and viewed by the Salesforce users.
Note:
• One User has one Profile but One profile can be assigned to any number of users.
• Profile is Mandatory.

A B c
G

E
D
H
Types of Profile

1. Standard Profile :
A standard profile is a profile that is provided to the users by Salesforce by default. Users cannot delete these
profiles and need to adhere to the default Salesforce permission sets assigned to them.

Example :System Administrator

2. Custom Profile
Crete the clone copy of standard profile

Note: We can not create a new profile if we want to create the profile just clone the standard profile and update
the changes as per our requirement and assign it to the user
Role
• A role is a record-level access in Salesforce that defines the visibility access
of a user.
• Roles can be used to specify the levels of access a user can have to data in
your Salesforce organization.
• In simple words, it defines what a user can see in the Salesforce
organization.

Example: ECO, Manager

Sharing and Security in Salesforce

• Organization level Security

• Object level Security

• Field Level Security

• Record level Security

Levels of Data Access
• Organization level Security :
Authorized users login,
set password policies
limit logins access to certain hours and IP ranges.

• Object level Security

Access to object-level data is the simplest thing to control.
By setting permissions on a particular type of object,
you can prevent a group of users from creating, viewing, editing, or deleting
any records of that object.

• Field Level Security

You can restrict access to certain fields, even if a user has access to the object.

• Record level Security

You can allow particular users to view an object, but then restrict the individual object records
they're allowed to see.
• Organization-wide defaults
• Role hierarchies
• Sharing rule
• Manual sharing
Organization level Security
Profile Level Security

A profile is a group/collection of settings and permissions that define what a user can do in salesforce.
It is the set of permission that control the accessibility of the salesforce org data

A Salesforce profile controls the following key aspects pertaining to Salesforce:

Object Permission
Field Level Security
User Permission
Custom App Setting
Apex class
Visualforce page
Page Layouts
Record Types
Login IP range
Login hore
Tabs
Object Level Security in Salesforce

• You can control object level permission by for Standard and custom object as
well
• You can set permission set for a particular object
• You can give CERD permission to the object.
• Create
• Edit
• Read
• Delete
• You can control object level permission by using permission set and profile
Field Level Security in Salesforce
• You can restrict access to certain fields in Field level security , if user have access to object level

• Security administrator can controls whether a user can se and edit particular field on an object.
• Visible (you can visible fields and hide from user)
• Edit (Provide Read and edit permission for field to user)

• Field level Security in Salesforce are very helpful to assign page layouts to users with out creating
new page layout.

• You can control field level permission by using permission set and profile

Note: Users are able to edit fields which are 'Read Only' as per Field Level Security or on the Page
layout. This behavior is seen if the Profile associated with the User has 'Edit Read Only Fields' selected.
Permission set in Salesforce

• A permission set is a collection of settings and permissions that give users access to various
tools and functions.
• Permission sets extend users’ functional access without changing their profiles it means we can
give additional access to user.
• Users can have only one profile but, depending on the Salesforce edition, they can have multiple
permission sets. You can assign permission sets to various types of users, regardless of their
profiles.
• Create permission sets to grant access among logical groupings of users, regardless of their primary
job function.
• If a permission isn’t enabled in a profile but is enabled in a permission set, users with that profile and
permission set have the permission.

• With permission sets, you’ll be able to add and remove permissions to a small set of users at any
time.
• You can add multiple permission sets to a given user.

• Use permission sets only when a set of users would like further permissions.

• If tons of individuals in a profile need that permission, then create a custom profile and add
permission directly to that profile.
Permission Vs Profile

Profile Permission set

It is the set of permission that control the accessibility of Permission Sets in Salesforce extends user’s functional
the salesforce org data access without changing their profile

One profile assigned to user Multiple Permission Sets assigned to user

Restrict the Access Provide Additional access

It is mandatory to user Not mandatory to user

Record Level Security
• Record access determines which individual records user can view and edit in each object they have access to in
there profile.

• The permission on a record always evaluated according a combination of object level, field level. and record
level permission

Four different mechanism controls the record level security

• Organisation wide default (OWD)

• Role Hierarchy
• Sharing Rule
• Manual sharing
What is OWD
• OWD is the default level of access to Salesforce records once you have permission to object at profile level. and specify which
records can be accessed by which user and in which mode.

• OWD provides the baseline level access that the most restrictive user should have.

• We use OWD to lockdown our data and then we can use other record level security and security rule.

• Organization Wide Default settings provides most restrictive settings which can be opened up by Role Hierarchy and
Role hierarchy can be opened by Sharing rules. And all these decide record level visibility in Salesforce

• OWD has separate sharing and setting for standard and custom objects

• The OWD for the objects are:

• Private
• Public Read Only
• Public Read/Write
• Public Read/Write/Transfer
• Controlled by Parent

• Note: – You can only access records if you have access to Object at-least Read Object.
•Private : Only the record owner, and users above that role in the hierarchy, can view,
edit, and report on those records.

•Public Read/Only : All users can view and report on records, but only the owner, and
users above that role in the hierarchy, can edit them.

•Public Read/Write : All users can view, edit, and report on all records(Given that
they have object level permission).

•Controlled by Parent: For suppose ,If "ContactA" is associated with "AccountA" , on AccountA
user having edit permission , then user can able to edit "ContactA"

•Public Read/Write/Transfer (only available of Leads and Cases)

Record Level Security
Points to remember:
1. If we are change the OWD in increasing default access
Example Public read only to public read/write then it will effect immediately

2. If we are change the OWD in decreasing default access

Example Public read/read only to public read then it will take time to recalculate the user
access.

3. If the custom object is on the detail side of MD relationship with standard object then the
OWD is “Controlled by parent” and can not be changed
 Open up Access
(Flexible Access)

Open up Access
(Lateral Access)

Open up Access
(Vertical Access)
What is Role Hierarchy
• Data visibility can be increased by building role hierarchy

• It is not mandatory the user should have role we need to assigned role to user

• Role hierarchy refers to a set of roles in the organization and the relationship between different role

• Role Hierarchy open up the vertical access to record

• Role allow user to sitting up the higher level of access of the record own by the user who having role in
the lower level
Grant access using hierarchy checkbox

If it is checked :
When grant access using hierarchy checked for the custom object is checked. the owner
of the record can access the records and the user that are granted access by OWD can access the records.

If it is not checked :
When grant access using hierarchy not checked for the custom object is checked. Even if the OWD is
private for the record the higher role user and the owner of the record can access the records

Note : we can not unchecked the grant access using hierarchy checkbox for the standred object
Sharing Rule
• Using sharing rule we can share the record horizontal hierarchy.
• We can share the records to Role, Role and there subordinates and User
• If the OWD is private or public read then we can open access to the user using sharing rule

Types of Sharing Rule

• Owner based sharing rule

• Criteria based sharing rule
Owner based sharing rule:
An owner based sharing rule open the access to records owned by certain user,

We can provide which user records to whom and provide the access to what level like read only or read/write
Criteria based sharing rule:
An Criteria based sharing rule determines with whom to share records based on fields value

If we want to share the records to the specified groups or role then we can use Criteria based sharing rule

It used objects fields.

We can not used apex to create and test the criteria based sharing rule

We can use 300 sharing rule on each object including 50 criteria based sharing rule per object
Public Group:
Groups are sets of users.
They can contain individual users, other groups, the users in a particular role, all of the users below that role and
user in the hierarchy.

There are two types of groups:

Public Groups— Only administrators can create public groups.

They can be used by everyone in the organization.
The purpose of having public groups is to assign things or resources to it which are meant to be seen or used by
everyone in the organization. Making a data or resource to everybody in an organization may be cumbersome and
time consuming but by assigning it to a public group it can be done with 1 click.

Personal Groups— Each user can crea te groups for their personal use.
Points to be remember in sharing rule:
• We can use sharing rule to grant wider access to data. we can not restrict the access below our OWD level.

• To Create sharing rule OWD is Private or Public Read only

• User can access related records automatically with sharing rule

• Sharing rule can apply for both active and deactivate users

• If the multiple sharing rule gives a user different level of access to a record the user gets most Permissive access
level.

• Once the sharing rule saved we can not change shared with field setting when we edit the sharing rule

• Sharing rule apply to all new and existing records that meets the definition of source dataset

• When we delete the sharing rule the sharing access created by the rule is automatically removed
•
• When we transfer the records from one user to the other the sharing rule are Re-Evaluate to add or remove the
access
Manual Sharing Rule

• User can share records to other user by clicking on “Sharing Button”

• Manual sharing provide an additional access than OWD and Sharing Rule
• Only those User can share the records using Manual sharing
• Owner of the record
• User above the owner in role hierarchy
• System Administrator user
• User which having full Access

• To Create sharing rule OWD is Private or Public Read only

View all and Modify all

• We can grant “View all” and “Modify All” permission for a object using profile and permission set

• It is the object level permission that is found in profile and allow user to access all records on the
object.

• View all grants Read Access to the object and read only access to all records associated with a
given object across the organization

• “View all” and “Modify All” permission ignore “Sharing and setting rule”
View all data and Modify all data

• “View all data” and “Modify All data” permission allow access to user to all objects and all
records in the org

• It is only available in salesforce licence profile not in all profile.

• “View all data” and “Modify All data” permission ignore “Sharing and setting rule”