Professional Documents
Culture Documents
7. Sharing and Security (1)
7. Sharing and Security (1)
• A Salesforce profile is a set of settings and permissions provided to specific Salesforce user.
• A profile in Salesforce determines the way in which users can access objects and data to perform specific
business processes.
• Profile is mandatory to assigned to every user whenever a user.
• A profile can be assigned to many users, but user can be assigned single profile at atime.
• A profile controls “Object permissions, Field permissions, User permissions, Tab settings, App settings, Apex
class access, Visualforce page access, Page layouts, Record Types, Login hours & Login IP ranges.
• You can define profiles by user’s job function. For example System Administrator, Developer, Sales
Representative.
1. Field Level Security – Here, the users are restricted to create, read, edit, and delete fields according to specific
requirements.
2. Page Layouts – This restricts the page layouts a Salesforce user is permitted to see.
3. Custom Apps – This restricts all the custom and standard apps that can be viewed and accessed by a Salesforce
user.
4. Record Types – This restricts the record types available to specific Salesforce users.
5. Login – This restricts the login hours of Salesforce users onto the platform based on specific requirements.
6. Tabs – This restricts the tabs that can be accessed and viewed by the Salesforce users.
Note:
• One User has one Profile but One profile can be assigned to any number of users.
• Profile is Mandatory.
A B c
G
E
D
H
Types of Profile
1. Standard Profile :
A standard profile is a profile that is provided to the users by Salesforce by default. Users cannot delete these
profiles and need to adhere to the default Salesforce permission sets assigned to them.
2. Custom Profile
Crete the clone copy of standard profile
Note: We can not create a new profile if we want to create the profile just clone the standard profile and update
the changes as per our requirement and assign it to the user
Role
• A role is a record-level access in Salesforce that defines the visibility access
of a user.
• Roles can be used to specify the levels of access a user can have to data in
your Salesforce organization.
• In simple words, it defines what a user can see in the Salesforce
organization.
A profile is a group/collection of settings and permissions that define what a user can do in salesforce.
It is the set of permission that control the accessibility of the salesforce org data
Object Permission
Field Level Security
User Permission
Custom App Setting
Apex class
Visualforce page
Page Layouts
Record Types
Login IP range
Login hore
Tabs
Object Level Security in Salesforce
• You can control object level permission by for Standard and custom object as
well
• You can set permission set for a particular object
• You can give CERD permission to the object.
• Create
• Edit
• Read
• Delete
• You can control object level permission by using permission set and profile
Field Level Security in Salesforce
• You can restrict access to certain fields in Field level security , if user have access to object level
• Security administrator can controls whether a user can se and edit particular field on an object.
• Visible (you can visible fields and hide from user)
• Edit (Provide Read and edit permission for field to user)
• Field level Security in Salesforce are very helpful to assign page layouts to users with out creating
new page layout.
• You can control field level permission by using permission set and profile
Note: Users are able to edit fields which are 'Read Only' as per Field Level Security or on the Page
layout. This behavior is seen if the Profile associated with the User has 'Edit Read Only Fields' selected.
Permission set in Salesforce
• A permission set is a collection of settings and permissions that give users access to various
tools and functions.
• Permission sets extend users’ functional access without changing their profiles it means we can
give additional access to user.
• Users can have only one profile but, depending on the Salesforce edition, they can have multiple
permission sets. You can assign permission sets to various types of users, regardless of their
profiles.
• Create permission sets to grant access among logical groupings of users, regardless of their primary
job function.
• If a permission isn’t enabled in a profile but is enabled in a permission set, users with that profile and
permission set have the permission.
• With permission sets, you’ll be able to add and remove permissions to a small set of users at any
time.
• You can add multiple permission sets to a given user.
• Use permission sets only when a set of users would like further permissions.
• If tons of individuals in a profile need that permission, then create a custom profile and add
permission directly to that profile.
Permission Vs Profile
It is the set of permission that control the accessibility of Permission Sets in Salesforce extends user’s functional
the salesforce org data access without changing their profile
• The permission on a record always evaluated according a combination of object level, field level. and record
level permission
• OWD provides the baseline level access that the most restrictive user should have.
• We use OWD to lockdown our data and then we can use other record level security and security rule.
• Organization Wide Default settings provides most restrictive settings which can be opened up by Role Hierarchy and
Role hierarchy can be opened by Sharing rules. And all these decide record level visibility in Salesforce
• OWD has separate sharing and setting for standard and custom objects
• Note: – You can only access records if you have access to Object at-least Read Object.
•Private : Only the record owner, and users above that role in the hierarchy, can view,
edit, and report on those records.
•Public Read/Only : All users can view and report on records, but only the owner, and
users above that role in the hierarchy, can edit them.
•Public Read/Write : All users can view, edit, and report on all records(Given that
they have object level permission).
•Controlled by Parent: For suppose ,If "ContactA" is associated with "AccountA" , on AccountA
user having edit permission , then user can able to edit "ContactA"
3. If the custom object is on the detail side of MD relationship with standard object then the
OWD is “Controlled by parent” and can not be changed
Open up Access
(Flexible Access)
Open up Access
(Lateral Access)
Open up Access
(Vertical Access)
What is Role Hierarchy
• Data visibility can be increased by building role hierarchy
• It is not mandatory the user should have role we need to assigned role to user
• Role hierarchy refers to a set of roles in the organization and the relationship between different role
• Role allow user to sitting up the higher level of access of the record own by the user who having role in
the lower level
Grant access using hierarchy checkbox
If it is checked :
When grant access using hierarchy checked for the custom object is checked. the owner
of the record can access the records and the user that are granted access by OWD can access the records.
If it is not checked :
When grant access using hierarchy not checked for the custom object is checked. Even if the OWD is
private for the record the higher role user and the owner of the record can access the records
Note : we can not unchecked the grant access using hierarchy checkbox for the standred object
Sharing Rule
• Using sharing rule we can share the record horizontal hierarchy.
• We can share the records to Role, Role and there subordinates and User
• If the OWD is private or public read then we can open access to the user using sharing rule
We can provide which user records to whom and provide the access to what level like read only or read/write
Criteria based sharing rule:
An Criteria based sharing rule determines with whom to share records based on fields value
If we want to share the records to the specified groups or role then we can use Criteria based sharing rule
We can not used apex to create and test the criteria based sharing rule
We can use 300 sharing rule on each object including 50 criteria based sharing rule per object
Public Group:
Groups are sets of users.
They can contain individual users, other groups, the users in a particular role, all of the users below that role and
user in the hierarchy.
Personal Groups— Each user can crea te groups for their personal use.
Points to be remember in sharing rule:
• We can use sharing rule to grant wider access to data. we can not restrict the access below our OWD level.
• Sharing rule can apply for both active and deactivate users
• If the multiple sharing rule gives a user different level of access to a record the user gets most Permissive access
level.
• Once the sharing rule saved we can not change shared with field setting when we edit the sharing rule
• Sharing rule apply to all new and existing records that meets the definition of source dataset
• When we delete the sharing rule the sharing access created by the rule is automatically removed
•
• When we transfer the records from one user to the other the sharing rule are Re-Evaluate to add or remove the
access
Manual Sharing Rule
• We can grant “View all” and “Modify All” permission for a object using profile and permission set
• It is the object level permission that is found in profile and allow user to access all records on the
object.
• View all grants Read Access to the object and read only access to all records associated with a
given object across the organization
• “View all” and “Modify All” permission ignore “Sharing and setting rule”
View all data and Modify all data
• “View all data” and “Modify All data” permission allow access to user to all objects and all
records in the org
• “View all data” and “Modify All data” permission ignore “Sharing and setting rule”