In Salesforce, access to a specific record within an object is granted through record-level security. It specifies which individual records a user can access and view, within the permissions granted in their profile. The permissions on a specific record always result from the combination of all three levels: object-level, field-level, and record-level permissions. When there is a conflict between object-level and record-level settings, the most restrictive setting wins.
Record-level security is achieved through these four levels:
- Organization-wide Default (OWD)
- Role Hierarchy
- Sharing Rules
- Manual Sharing
All four levels defined above are based on the concept of ownership. Ownership means which specific user the record belongs to, that is, the actual owner of the record. The owner can perform any action on the record without additional security permissions, provided the owner's profile grants the permission to do so. When we talk about security at the record level, the real question is whether a user who does not own a record has access to it or not.
Organization-wide Default (OWD)
In record-level security, the Organization-wide Default is the default level of access given to users on a record. It is the baseline level of access and also the topmost layer of access to a specific record. The org-wide default is the broadest level of access given to users for a record. It is also the highest and topmost level of restriction on the user. Once a record is restricted in the OWD, we cannot do more than that. Once it is defined in the OWD, it cannot be changed. In the OWD we start by defining the least level of access that all users have. Then we extend it: the extension of access is done through user roles and sharing rules. To view or edit the OWD, follow these steps:
- Go to Setup.
- Open the Quick Find box.
- Search for Sharing Settings.
- Find Default Internal Access.
- Select the access level required; there are various options.
Private: Only specific users can access the record and act on it. These users are the owner and the users above the owner's role in the hierarchy; only they can view, edit, and report on it.
Public Read Only: All users have read-only access. Only the owner and users higher in the role hierarchy can edit the record.
Public Read/Write: Every user can both read and write the record.
Controlled by Parent: This is based on a master-detail relationship. A user can perform an action on a record only if they can perform the same action on the parent record it belongs to.
Role Hierarchy
A role hierarchy is required when a user with a higher role than the record's owner needs access, or when the owner has to share the record with a user of higher rank or role. When each new user is created, we can choose to assign a role to that user. This is done with the following steps:
- Go to Setup.
- Search for Role in the Quick Find box.
- Select Role.
- Define roles as required.
Sharing Rules
In record-level security, sharing rules can be defined in two ways:
- Based on criteria: the rule applies only when the record meets all of the specified criteria.
- Based on the owner: the rule applies based on who owns the record.
The sharing rules options are found in Sharing Settings.
Each sharing rule has these main parts:
- Which records are to be shared?
- With whom are the records to be shared?
- What kind of access does that user get?
Which records are shared is determined with the help of criteria-based sharing, or depends on who the owner is and with whom the records are to be shared.
With whom the records are shared is one of the most important aspects. The recipients can be defined as a group of users by role, by territory, or by a group type such as a public group. Public groups can be made up of:
- Individual users
- Roles and subordinates
- Territories and subordinates
- Other public groups
Finally, the last part is the access type: the kind of access to be granted, such as read/write, must also be determined.
Manual Sharing
The last level of security in record-level security is manual sharing. If we want to share records with users without any restriction or criteria, it can be done through manual sharing. It is performed by the owner of the record by clicking the Share button on the record page.
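The four layers described above can be combined in a simplified Python model, shown here as an added example that is not Salesforce code and not from the original article. It starts from the OWD baseline and lets ownership, the role hierarchy, an owner-based sharing rule, and a manual share each widen access, then reports which layer produced the result. All role, user, and record names are constructed; "Controlled by Parent" and object-level and field-level permissions are left out.

```python
from dataclasses import dataclass, field

LEVELS = {"None": 0, "Read": 1, "Edit": 2}
# Baseline every internal user gets from each OWD setting named on this page.
OWD_BASELINE = {"Private": "None", "Public Read Only": "Read", "Public Read/Write": "Edit"}

@dataclass
class Org:
    owd: str                                           # Default Internal Access for the object
    parent_role: dict                                  # role -> role directly above it
    user_role: dict                                    # user -> role
    owner_rules: list = field(default_factory=list)    # (owner_role, shared_to_role, level)
    manual_shares: list = field(default_factory=list)  # (record_id, user, level)

    def is_above(self, senior, junior):
        """True if role `senior` sits above role `junior` in the hierarchy."""
        role, seen = self.parent_role.get(junior), set()
        while role is not None and role not in seen:   # `seen` guards against a cyclic map
            if role == senior:
                return True
            seen.add(role)
            role = self.parent_role.get(role)
        return False

    def access(self, user, record_id, owner):
        """Return (level, reasons): sharing only widens the OWD baseline, so the widest grant applies."""
        grants = [(OWD_BASELINE[self.owd], "OWD")]
        u_role, o_role = self.user_role[user], self.user_role[owner]
        if user == owner:
            grants.append(("Edit", "owner"))
        if self.is_above(u_role, o_role):
            grants.append(("Edit", "role hierarchy"))
        for rule_owner_role, shared_to, level in self.owner_rules:
            if rule_owner_role == o_role and shared_to == u_role:
                grants.append((level, "sharing rule"))
        for rid, shared_user, level in self.manual_shares:
            if rid == record_id and shared_user == user:
                grants.append((level, "manual share"))
        best = max(grants, key=lambda g: LEVELS[g[0]])[0]
        return best, [why for lvl, why in grants if lvl == best]

# Constructed sample org: every name below is made up for this example.
ORG = Org(
    owd="Private",
    parent_role={"Sales Rep": "Sales Manager", "Sales Manager": "VP Sales", "Support Agent": "VP Sales"},
    user_role={"rita": "Sales Rep", "mark": "Sales Manager", "sam": "Support Agent", "rob": "Sales Rep"},
    owner_rules=[("Sales Rep", "Support Agent", "Read")],
    manual_shares=[("001-A", "rob", "Edit")],
)
```

Calling `ORG.access("rob", "001-B", "rita")` shows that a peer in the same role gets nothing under a Private OWD unless a sharing rule or manual share names them, which is the case worth checking when reviewing who can see a record.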