Salesforce provides security at several levels: objects, fields, and records. Data in Salesforce is stored in objects, fields, and records. Salesforce uses object-level security to secure access to objects; objects in Salesforce are database tables. Salesforce uses field-level security to secure access to fields; fields are similar to the columns of data inside a table.
Salesforce uses record-level security to control access to records. Salesforce records are similar to the rows of a data table.
Steps of the Data Security Model in Salesforce:
- Organization-Level Security or System-Level Security
- Object-Level Security
- Field-Level Security
- Record-Level Security
Organization-Level Security or System-Level Security
Securing data in Salesforce from unauthorized users is very important. To secure data, we have to implement a security model for all users within or outside the organization.
- Organization-level access control: By this, we mean what type of access we can provide in Salesforce at the organization level. We can customize many settings at the organization level, such as network settings, trusted IP settings, login and password policies, business hours, fiscal year, and many more.
- Object-Level Security: This means what type of object access a user has as per the assigned profile. We can allow or restrict CRED (Create, Read, Edit, Delete) operations on any object by changing access in a particular profile.
Profiles tell us what objects, fields, tabs, and applications a user can access. We can also define access to Visualforce pages, Apex classes, session settings, and page layouts, and we can define login IP ranges for a particular profile to restrict login access from external IPs.
In simple language, a profile can be defined as a collection of settings and permissions which determine what data and features a user can have access to in the Salesforce platform.
Note: A user must have a profile assigned to him in Salesforce and a user can only have one profile at a time.
Types of profiles in Salesforce
Standard Profiles: Standard profiles are those profiles that come with a predefined set of settings and functionalities provided or defined by Salesforce itself. Some of the standard profiles are:
- Standard User
- Read Only
- Marketing User
- Contract Manager
- Solution Manager
- System Administrator (View All Data, Modify All Data)
Custom Profiles: These are the profiles which we create as per our requirements by cloning a standard profile.
Every profile is based on a user license type, which determines the features that Salesforce users on that profile can access.
Permission sets in Salesforce:
Permission sets are used to grant additional access to a particular user. We can only grant additional permissions via permission sets; we cannot revoke access with them. Permission sets are assigned to particular users to grant additional access.
The permission set includes the same settings a profile has:
Example: Suppose there are 10 users who have the same profile and the same access, but the profile does not give delete access on a particular object. We want two of the users to have delete permission as well. Instead of creating a new profile for this, we can create a permission set with the required permission and assign it to those two users.
Note: A user can have multiple permission sets regardless of the profile assigned.
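
The ten-user scenario above, modelled as an added example (not Salesforce code and not from the original article): effective object access is the union of the profile and every assigned permission set. The object name `Invoice__c`, the profile and permission set names, and the user names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    """Object permissions carried by one profile or one permission set."""
    name: str
    objects: dict  # object API name -> set of CRED actions granted

@dataclass
class User:
    name: str
    profile: Grant                                        # exactly one profile
    permission_sets: list = field(default_factory=list)   # zero or more

def effective_permissions(user, obj):
    """Union of the profile's grants and every assigned permission set's grants.

    Permission sets are additive only: nothing here can subtract an action.
    """
    perms = set(user.profile.objects.get(obj, ()))
    for ps in user.permission_sets:
        perms |= set(ps.objects.get(obj, ()))
    return perms

def users_with(users, obj, action):
    """Audit helper: names of users who effectively hold `action` on `obj`."""
    return sorted(u.name for u in users if action in effective_permissions(u, obj))

def build_example():
    """Constructed data: ten users on one profile, two get an extra permission set."""
    profile = Grant("Sales Rep (constructed)", {"Invoice__c": {"create", "read", "edit"}})
    delete_ps = Grant("Invoice Delete (constructed)", {"Invoice__c": {"delete"}})
    users = [User(f"user{i:02d}", profile) for i in range(1, 11)]
    for u in users[:2]:
        u.permission_sets.append(delete_ps)
    return users

if __name__ == "__main__":
    users = build_example()
    print("delete:", users_with(users, "Invoice__c", "delete"))
    print("user03:", sorted(effective_permissions(users[2], "Invoice__c")))
```

Because access only accumulates, a review of who can delete an object has to look at permission set assignments as well as the profile.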
Important Points to Remember:
- Every profile should have at least one visible app.
- If an app is visible, its tabs won't show up unless the profile has permission to view the associated objects.
- A profile can be assigned to multiple users at a time, but one user can have only one profile at a time.
- To view object permissions => View Setup and Configuration.
- To edit object permissions => Manage Profiles and Permission Sets, and Customize Application.
Field-Level Security in Salesforce:
Field-level security in Salesforce controls access to fields. It controls the actions users can perform on the fields of a particular object, such as Create, Read, Edit, and Delete.
We can set field-level security through:
- Profile and Permission Set (under the Users section)
- Field Accessibility (under the Security section)
- Object Manager
- Page Layout
Record-Level Security in Salesforce:
Record-level security lets you give users access to some object records, but not others. Every record in Salesforce is owned by a particular user, and the System Administrator has access to all records in Salesforce.
There are the following ways we can share records between users:
1. OWD (Organization-Wide Defaults)
2. Role Hierarchy
3. Sharing settings
4. Manual Sharing
1. OWD (Organization-Wide Defaults)
- OWD is the very first step in record-level security. It determines the default record access settings for each object. OWD is the baseline of record-level security, so these settings should always be as restrictive as possible; to grant additional access, we use the other record-level settings to selectively give access to other users.
2. Role Hierarchy
- The role hierarchy defines the level of access to records according to the profile of the user. A user at the very top has the widest access, and a user at the bottom of the hierarchy has the minimum access.
- The role hierarchy works in vertical order: the higher the role, the higher the access to records. A user in a higher role can see the records of the users below it.
- Users at a lower level cannot see the records of the users above them unless they have been given extra access through a sharing rule or manual sharing.
3. Sharing Rules
- To give horizontal access to users, that is, to give access to users who are at the same level, we use sharing rules. We can define sharing rules for every standard and custom object.
- By using a sharing rule, we can give access to a group of users and subgroups.
- Sharing rules are found under Sharing Settings in the Security section. Below the OWD section, there is a sharing rules section where we can create sharing rules for every object as per our choice.
4. Manual Sharing
- Manual sharing is used to share a particular record with a particular user. We can share a record by clicking the Share button on the record detail page; this button is enabled from the sharing settings.
- Manual sharing works only when the Organization-Wide Default setting is Private or Public Read Only.
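
The four record-level layers described above, evaluated in order for one record, as an added example (a simplified model written for this page, not Salesforce code). The role names, user names and record ids are constructed, and the model only answers whether a user can see a record, not whether they can edit it.

```python
# Constructed role hierarchy: role -> parent role (None at the top).
ROLE_PARENT = {"CEO": None, "Sales VP": "CEO", "Sales Rep": "Sales VP",
               "Support VP": "CEO", "Support Rep": "Support VP"}

# Constructed records: (record_id, owner_name, owner_role)
REP_RECORD = ("001A", "rep_a", "Sales Rep")
VP_RECORD = ("001B", "vp", "Sales VP")

def is_above(role, other):
    """True if `role` is an ancestor of `other` in the role hierarchy."""
    parent = ROLE_PARENT.get(other)
    while parent is not None:
        if parent == role:
            return True
        parent = ROLE_PARENT.get(parent)
    return False

def why_visible(user, record, owd, sharing_rules=(), manual_shares=()):
    """Return the first layer that lets `user` see `record`, or None.

    user: (name, role)
    owd: "Private", "Public Read Only" or "Public Read/Write"
    sharing_rules: (owner_role, shared_with_role) pairs
    manual_shares: (record_id, user_name) pairs
    """
    name, role = user
    rec_id, owner, owner_role = record
    if name == owner:
        return "owner"
    if owd != "Private":                      # baseline already opens the record
        return "owd"
    if is_above(role, owner_role):            # vertical access, top-down only
        return "role hierarchy"
    if (owner_role, role) in sharing_rules:   # horizontal access between roles
        return "sharing rule"
    if (rec_id, name) in manual_shares:       # one record, one user
        return "manual share"
    return None

if __name__ == "__main__":
    peer = ("rep_b", "Sales Rep")
    print(why_visible(("vp", "Sales VP"), REP_RECORD, "Private"))
    print(why_visible(peer, REP_RECORD, "Private"))
    print(why_visible(peer, REP_RECORD, "Private",
                      sharing_rules={("Sales Rep", "Sales Rep")}))
    print(why_visible(("rep_a", "Sales Rep"), VP_RECORD, "Private"))
```

With a Private OWD, every path to a record is an explicit grant that can be listed and reviewed; a public OWD returns `owd` before any of the narrower layers are consulted.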