In Salesforce when we talk about security and especially about data security, so our main focus is to provide more security and try to prevent the data from unauthorized access. Especially in Salesforce, the number of users is very large and we want to secure our data from unauthorized users but also taking in mind that the actual users do not get any issue accessing the data and also provide them with complete access.
For data security, these are the four-level of security:-
- Organizational Level
- Object Level
- Record Level
- Field Level
1. Organization Level
Well, when we want to secure our data at the broadest level then this is done with the help of the Organization level. This is done by assigning the Login access to the right user based on time and place.
In Org level security it is done with the help of Login IP Ranges and Login Hours.
Login IP Ranges:- We can only allow those users which are in the assigned IP ranges and locations by allocating them a specific IP range to their profiles. By this, only the right users can log in and access the data. And others are not able to log in. But if they want to log in they need a verification code to log in.
Login Hour’s:- We can also restrict the login by assigning a specific time range. And within that specific time, the user can login into that org. For this, we have to assign the Login Hours from the Login Hours section in a specific or particular profile.
2. Object Level
When the user successfully login into the Org, then the concept of Object-level comes into action. In this, it is totally based on control data access by assigning permission sets. The permission is set on particular types of Objects (as per its name Object Level). The Admin has the full control to allow which and what object can be viewed, edited, or deleted by the authorized user. It can be performed by assigning a permission set on the profile by the admin.
Well, when a new user account is created in an Org, then a user profile is also given or created. After successfully creating the user, there is a license assigned to that specific profile. This license allows the user to have which type of access. In Salesforce there are some predefined or default Users like Standard users. We cannot change the access levels of ordinary profiles. The creation of custom profiles can be done by simply cloning the standard ones. Therefore when a replacement user is made, we will assign him/her a profile defining level of access for a specific object.
When we have to give some additional permission to some specific user we use Permission Set for that. It is done by assigning the user with the required permission to access or control the data. Well, we can also do this by creating a new profile for those specific users or groups of users but it is not the best way to do so. So Permission set is the best way to provide them with some additional access and control. The most important fact about the permission set is that it only provides additional access, it does not restrict the user to access all other controls and access which they are already accessing.
Don't forget to check out: Encrypt Sensitive Data in Salesforce and Comply with Security Regulations
3. Record level Security
Once the user gets access to the object so we can also control which specific record of that object the only user can access. It is done by record-level security. For this it can be achieved by these four levels of security:-
· Organization-wide Default (OWD)
· Role Hierarchy
· Sharing Rules
· Manual Sharing
All the four levels defined above based on the concept of ownership. Ownership means, the record on which the permission is granted belongs to which specific user, which means the actual owner of that record. The owner has the authority to perform any action on the record without any security permissions if the owner has the permission of doing so, as his/her profile got these permissions. Well when we are talking about security at a record level, we actually mean that, if any user does not have any record, so does he/she have the access to the record or not.
Organization-wide Default (OWD)
In record level security, Organization-wide Default is the default level of access, given to the users on record. It is the baseline level of access and also the topmost layer of access to a specific record. Org wide is the broadest level of access given to users for a record. It is also the highest level and the topmost level of restriction to the user. Once the record is restricted in OWDs, we cannot do more than that. Once it is defined in OWDs, it cannot be changed. In OWDs, we started defining the least level of access that all users have. Then we extend it, the extension of access is done by user roles and by the sharing rule. To perform any action on OWDs, mostly edit and view, it is done by the following steps:-
- Go to setup.
- Open Quick find box
- Search Sharing Settings
- Find Default Internal Access in it
- DO whatever we want to do in that, there are various options in them.
Private: As per its name only some specific user can access it and perform any action on it, these specific users are the owner itself, and the user above that role in that hierarchy, they only can view and perform edit and report.
Public Read Only: In this, all the user has the access to read-only. Only the owner and higher level of user in the role hierarchy can edit it.
Public Read/Write: In this, every user has the access to perform read and write both.
Controlled by Parent:- It is based on master-detail relationship, if you want to perform any action on record, so we can only do so if you can perform the same action on the parent record that belongs to that specific record.
It is required when any user with a higher role than the user who owns it wants to get access, or the actual user has to share it with a higher rank or role user, so we have to define a role hierarchy for this. At the time of the creation of every new user, we have a choice to assign the role to that user. It can be done by following steps:-
- Go to setup
- Search Role in Quick find box.
- Select Role
- Roles can be defined as per requirements
In record level security, Sharing Rules can be performed in two ways based on certain rules and they are:-
- Based on certain criteria:- As per its name, it is performed only when the record meets all the certain criteria.
- Based on the owner:- It is done based on who is the owner and who owns it.
These sharing rules option is in Sharing Setting.
The last level of security in Record-level security is Manual Sharing. IF we want to share records with the users without any restriction or criteria, so it can be done by manual sharing. It is performed by the owner of the record by clicking on the share button on the record page.
4. Field Level Security
It is the last level of security in Data security models. If it is required that any specific user wants to get access to an object but we want to give him access to some limited field only, so it can be done by Field-level security. It has control that how much a user can access and perform tasks on it. This can be done in the following steps:-
- Go to Setup
- Search Profile
- Select Profile. It is based on what you want to change.
- Go to Standard User
- Now click Object Setting
- Select the object which you want to update.
- Click on the Edit
- Now specify the access you want for users with this profile.
- Click on Save.