Data Security

Org, Object, Record, Field, Folder Security

• https://certifiedondemand.com/overview-of-salesforce-security-model

Profile

• A profile is a collection of permissions and settings that is instrumental in determining a user’s functional access (apps, tabs, object-level permissions), how information is displayed to the user (page layouts, record types, field-level security), and a wide range of other permissions. 
• Each user must be assigned one profile.
• Standard profile – limited changes can be made. Can’t be deleted.
• Custom profile – fully customizable. Can be deleted.
• It’s best to assign all users to custom profile.

Permission Sets

• https://certifiedondemand.com/salesforce-permission-sets-overview

Roles

• https://certifiedondemand.com/security-model/roles/
• You need both object and record level security to perform an action.
• Profile grants object level access
• OWD, record ownership, and role hierarchy grant record level access

Groups

• https://certifiedondemand.com/security-model/groups/
• Group is comprised of users, roles and/or other groups.
• Public Groups – created & maintained by admin, can be referenced in orq-wide configuration (e.g. sharing rules).
• Personal Groups – created & maintained by users, can only be referenced in selected configurations (e.g. Outlook contact sync).
• Common user cases:
• Sharing access to records or folders with named users (this requires a public group) – User is not an option.
• Sharing access to resources (folders, etc) to same collection of users within specified roles. e.g. sharing 3 folders with 2 roles.
• Important:
• There is no way to monitor where groups are referenced (e.g. you have to view each individual report folder, sharing rules, etc.).  For this reason, make sure to have a clear documentation and usage strategy for groups (or at a minimum, a very clear naming convention).
• When groups are referenced in sharing rules, “Grant Access Using Hierarchies” can be extended to group access.

Manual Record Sharing & Auditing

• https://certifiedondemand.com/how-to-verify-salesforce-record-access/
• In general, if OWD of an object = Private or Public Read Only ==> sharing button will be displayed (if added to page layout).
• Exception: Some objects (account) may have sharing button exposed, depending on the sharing setting.
• Manual record sharing -  can share record with groups, roles, users.
• Must have ‘Full Access’ to the record to do manual sharing.

Ref:

https://certifiedondemand.com/overview-of-salesforce-security-model