Org, Object, Record, Field, Folder Security
Profile
- A profile is a collection of permissions and settings that is instrumental in determining a user’s functional access (apps, tabs, object-level permissions), how information is displayed to the user (page layouts, record types, field-level security), and a wide range of other permissions.
- Each user must be assigned one profile.
- Standard profile – limited changes can be made. Can’t be deleted.
- Custom profile – fully customizable. Can be deleted.
- Best practice is to assign every user a custom profile (clone the closest standard profile and trim it), so permissions can be tightened later without being stuck with the fixed defaults of a standard profile.
Permission Sets
Roles
- https://certifiedondemand.com/security-model/roles/
- A user needs both object-level and record-level access to act on a record; either one alone is not enough.
- Profiles (and permission sets) grant object-level access (Read/Create/Edit/Delete on the object).
- OWD, record ownership, role hierarchy and sharing (sharing rules, manual shares) grant record-level access. OWD sets the baseline; the other mechanisms can only open access up, never restrict it below the OWD.
Groups
- https://certifiedondemand.com/security-model/groups/
- Group is comprised of users, roles and/or other groups.
- Public Groups – created & maintained by admins, can be referenced in org-wide configuration (e.g. sharing rules, folder sharing).
- Personal Groups – created & maintained by users, can only be referenced in selected configurations (e.g. Outlook contact sync).
- Common use cases:
- Sharing records or folders with a set of named users (this requires a public group, since an individual User is not an option there).
- Sharing the same resources (folders, etc.) with the same collection of roles repeatedly, e.g. sharing 3 folders with 2 roles: one group containing both roles means one share per folder instead of two.
- Important:
- There is no built-in view of where a group is referenced (you have to check each report folder, sharing rule, etc. individually). For this reason, keep clear documentation and a usage strategy for groups (or at a minimum a very clear naming convention), so that a group is not deleted or repurposed while something still depends on it.
- A public group has its own “Grant Access Using Hierarchies” checkbox. When it is checked, access granted to the group (via sharing rules or manual shares) also flows to users above the group’s members in the role hierarchy; leave it unchecked if the share is meant for the group’s members only.
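Because the org gives no cross-reference for groups, one way to get one is to retrieve the metadata and index the group references yourself. The script below is an added example (not code from the page or from certifiedondemand.com). It assumes a Metadata API retrieve laid out as sharingRules/<Object>.sharingRules and reportFolders/<Folder>.reportFolder, with group references written as <sharedTo><group>DevName</group></sharedTo> in sharing rules and as a <sharedTo>/<sharedToType>Group</sharedToType> pair in folder shares; the two sample files are constructed for the demo.

```python
"""Index where public groups are referenced in a Salesforce metadata retrieve.

Added example; not code from the page or from certifiedondemand.com.
Assumed layout/format: see the lead-in above. Sample files are constructed.
"""
from collections import defaultdict
from pathlib import Path
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed sample retrieve: one sharing-rules file and one report folder.
SAMPLE_FILES = {
    "sharingRules/Account.sharingRules": """<?xml version="1.0" encoding="UTF-8"?>
<SharingRules xmlns="http://soap.sforce.com/2006/04/metadata">
    <sharingCriteriaRules>
        <fullName>EMEA_Accounts_to_Partners</fullName>
        <accessLevel>Read</accessLevel>
        <label>EMEA accounts to partners</label>
        <sharedTo><group>Partner_Readers</group></sharedTo>
        <criteriaItems>
            <field>BillingCountry</field><operation>equals</operation><value>Germany</value>
        </criteriaItems>
    </sharingCriteriaRules>
    <sharingOwnerRules>
        <fullName>Sales_to_Finance</fullName>
        <accessLevel>Edit</accessLevel>
        <label>Sales-owned accounts to finance</label>
        <sharedFrom><role>Sales_Rep</role></sharedFrom>
        <sharedTo><group>Finance_Reviewers</group></sharedTo>
    </sharingOwnerRules>
</SharingRules>
""",
    "reportFolders/Finance_Reports.reportFolder": """<?xml version="1.0" encoding="UTF-8"?>
<ReportFolder xmlns="http://soap.sforce.com/2006/04/metadata">
    <accessType>Shared</accessType>
    <folderShares>
        <accessLevel>View</accessLevel>
        <sharedTo>Finance_Reviewers</sharedTo>
        <sharedToType>Group</sharedToType>
    </folderShares>
    <folderShares>
        <accessLevel>Manage</accessLevel>
        <sharedTo>Finance_Manager</sharedTo>
        <sharedToType>Role</sharedToType>
    </folderShares>
    <name>Finance Reports</name>
</ReportFolder>
""",
}


def group_refs_in_sharing_rules(xml_text, filename):
    """(group, 'file:ruleName') for every rule whose sharedTo is a group."""
    refs = []
    for rule in ET.fromstring(xml_text):  # sharingCriteriaRules, sharingOwnerRules, ...
        name = rule.findtext(NS + "fullName")
        group = rule.find(f"{NS}sharedTo/{NS}group")
        if name and group is not None and group.text:
            refs.append((group.text.strip(), f"{filename}:{name.strip()}"))
    return refs


def group_refs_in_folder(xml_text, filename):
    """(group, file) for every folder share whose target type is Group."""
    refs = []
    for share in ET.fromstring(xml_text).findall(NS + "folderShares"):
        if share.findtext(NS + "sharedToType") == "Group":
            refs.append((share.findtext(NS + "sharedTo").strip(), filename))
    return refs


def index_group_references(files):
    """Map group developer name -> list of places that reference it."""
    index = defaultdict(list)
    for name, text in files.items():
        if name.endswith(".sharingRules"):
            refs = group_refs_in_sharing_rules(text, name)
        elif name.endswith(".reportFolder"):
            refs = group_refs_in_folder(text, name)
        else:
            continue  # extend here for .dashboardFolder, queues, etc.
        for group, where in refs:
            index[group].append(where)
    return dict(index)


def load_retrieve_dir(root):
    """Read a real retrieve directory into the same {relative path: xml} shape."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(encoding="utf-8")
            for p in root.rglob("*") if p.suffix in (".sharingRules", ".reportFolder")}


if __name__ == "__main__":
    for group, places in sorted(index_group_references(SAMPLE_FILES).items()):
        print(group)
        for place in places:
            print("   ", place)
```

Run it against `load_retrieve_dir("path/to/retrieve")` after an `sf project retrieve start` (or an equivalent retrieve); a group that comes back with no entries is a candidate for cleanup, and one with many entries is the one to check before renaming or changing its membership.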
Manual Record Sharing & Auditing
- https://certifiedondemand.com/how-to-verify-salesforce-record-access/
- In general, when an object's OWD is Private or Public Read Only, the Sharing button is displayed on its records (if it has been added to the page layout); with Public Read/Write there is nothing left to open up, so it is not shown.
- Exception: some objects (e.g. Account) may expose the Sharing button anyway, depending on the sharing settings.
- Manual record sharing can grant Read Only or Read/Write access to public groups, roles (with or without subordinates), or individual users.
- You must have ‘Full Access’ to the record to share it manually: the record owner, a user above the owner in the role hierarchy (when hierarchy access is granted for the object), a user explicitly granted Full Access, or an administrator / user with Modify All on the object.
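To make the layering of object-level and record-level access concrete (profile gate, OWD baseline, ownership, role hierarchy, shares to users/roles/groups, and the Full Access requirement for manual sharing), here is a simplified model as an added example; it is not code from the page or from certifiedondemand.com and is not how Salesforce is implemented. It leaves out territories, account/opportunity teams and implicit sharing, treats a missing Edit object permission as capping record access at Read, and all names and data are constructed for the demo.

```python
"""Simplified model of how Salesforce combines the layers of record access.

Added example; not the page's or Salesforce's own code. Covers: profile object
permissions as a gate, OWD as the baseline, ownership, role hierarchy, and
manual/rule shares to users, roles or public groups (with the group's own
"Grant Access Using Hierarchies" flag). All sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

LEVELS = {"None": 0, "Read": 1, "Edit": 2, "Full": 3}
OWD_LEVEL = {"Private": "None", "Public Read Only": "Read", "Public Read/Write": "Edit"}

@dataclass
class Group:
    users: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    grant_hierarchy: bool = False   # the group's "Grant Access Using Hierarchies" box

@dataclass
class User:
    name: str
    role: Optional[str]
    profile: str

@dataclass
class Share:
    to_type: str   # "User" | "Role" | "RoleAndSubordinates" | "Group"
    to: str
    level: str     # "Read" | "Edit"

@dataclass
class Record:
    obj: str
    owner: str
    shares: list = field(default_factory=list)   # manual shares and rule grants

@dataclass
class Org:
    owd: dict            # object -> OWD setting
    owd_hierarchy: dict  # object -> OWD "Grant Access Using Hierarchies"
    role_parent: dict    # role -> parent role (None at the top)
    profiles: dict       # profile -> {object: {"Read", "Edit", "ModifyAll"}}
    groups: dict
    users: dict

def role_ancestors(org, role):
    out, cur = [], org.role_parent.get(role)
    while cur is not None:
        out.append(cur)
        cur = org.role_parent.get(cur)
    return out

def role_above(org, upper, lower):
    """True when role `upper` sits above role `lower` in the hierarchy."""
    return upper is not None and lower is not None and upper in role_ancestors(org, lower)

def group_members(org, name, _seen=None):
    """Users reachable through a public group: direct users, roles, nested groups."""
    _seen = _seen if _seen is not None else set()
    if name in _seen:
        return set()
    _seen.add(name)
    g = org.groups[name]
    members = set(g.users) | {u.name for u in org.users.values() if u.role in g.roles}
    for sub in g.groups:
        members |= group_members(org, sub, _seen)
    return members

def share_applies(org, user, share):
    if share.to_type == "User":
        return user.name == share.to
    if share.to_type == "Role":
        return user.role == share.to
    if share.to_type == "RoleAndSubordinates":
        return user.role == share.to or role_above(org, share.to, user.role)
    if share.to_type == "Group":
        members = group_members(org, share.to)
        if user.name in members:
            return True
        # Group-level hierarchy flag: managers of members inherit the group's share.
        return org.groups[share.to].grant_hierarchy and any(
            role_above(org, user.role, org.users[m].role) for m in members)
    raise ValueError(share.to_type)

def record_access(org, user, rec):
    """Effective record access: 'None', 'Read', 'Edit' or 'Full'."""
    perms = org.profiles[user.profile].get(rec.obj, set())
    if "Read" not in perms:
        return "None"          # object-level gate: no record-level grant can help
    if "ModifyAll" in perms:
        return "Full"          # Modify All bypasses sharing for this object
    if rec.owner == user.name:
        level = "Full"
    elif org.owd_hierarchy[rec.obj] and role_above(org, user.role, org.users[rec.owner].role):
        level = "Full"         # above the owner in the role hierarchy
    else:
        level = OWD_LEVEL[org.owd[rec.obj]]                 # baseline ...
        for s in rec.shares:                                # ... opened up by shares
            if share_applies(org, user, s) and LEVELS[s.level] > LEVELS[level]:
                level = s.level
    if "Edit" not in perms and LEVELS[level] > LEVELS["Read"]:
        level = "Read"         # no Edit object permission caps record access at Read
    return level

def can_share_manually(org, user, rec):
    """Manual sharing requires Full Access on the record."""
    return record_access(org, user, rec) == "Full"

def build_demo():
    org = Org(owd={"Account": "Private"}, owd_hierarchy={"Account": True},
              role_parent={"CEO": None, "VP_Sales": "CEO", "Sales_Rep": "VP_Sales",
                           "Finance_Manager": "CEO", "Finance_Analyst": "Finance_Manager"},
              profiles={"Standard": {"Account": {"Read", "Edit"}},
                        "ReadOnly": {"Account": {"Read"}},
                        "Admin": {"Account": {"Read", "Edit", "ModifyAll"}}},
              groups={"Finance_Reviewers": Group(roles={"Finance_Analyst"}, grant_hierarchy=True)},
              users={})
    for name, role, prof in [("alice", "Sales_Rep", "Standard"), ("bob", "VP_Sales", "Standard"),
                             ("carol", "Finance_Analyst", "Standard"),
                             ("frank", "Finance_Manager", "Standard"),
                             ("dave", None, "ReadOnly"), ("sam", None, "Admin")]:
        org.users[name] = User(name, role, prof)
    rec = Record("Account", owner="alice", shares=[Share("Group", "Finance_Reviewers", "Read")])
    return org, rec

if __name__ == "__main__":
    org, rec = build_demo()
    for u in org.users.values():
        print(f"{u.name:6} access={record_access(org, u, rec):5} "
              f"can share manually={can_share_manually(org, u, rec)}")
```

In the demo, alice (owner) and bob (above her in the hierarchy) get Full Access and can share manually; carol gets Read through the group; frank gets Read only because the group's hierarchy flag is on; dave gets nothing because the Private OWD is never opened up for him, and sam gets Full Access from Modify All regardless of sharing. Flipping the group's `grant_hierarchy` off or the OWD to Public Read Only changes those results in the way the notes above describe.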
Ref:
https://certifiedondemand.com/overview-of-salesforce-security-model
