- 2 ways to set object permission - Profile & Permission Set.
- Big picture of Profile:
- Record Level Security
- Sharing settings = Org wide default (OWD)
- Question:
- https://trailhead.salesforce.com/data_security/data_security_records
- “When object- versus record-level permissions conflict, the most restrictive settings win.”
- If object-level is more restrictive than record-level, who win?
- Conflict with “If the organization-wide defaults are anything less than Public Read/Write, you can open access back up to certain roles using the role hierarchy.”
- Organization-wide defaults can never grant users more access than they have through their object permission
- Private - Only the record owner, and users above that role in the hierarchy, can view, edit, and report on those records.
- Public Read Only - All users can view and report on records but not edit them. Only the owner, and users above that role in the hierarchy, can edit those records.
- Public Read/Write - All users can view, edit, and report on all records.
- Controlled by Parent - A user can perform an action (such as view, edit, or delete) on a contact based on whether he or she can perform that same action on the record associated with it.
- Role Hierarchy
Sharing Rules
- Share an object to other roles, if the Org wide default of the object is less then Public Read/Write (or is set to Private).
