In Salesforce, data is stored in three key constructions: objects, fields, and records. Objects are similar to tables in databases. Fields are similar to columns of the table. Records are similar to rows of data inside the table. Salesforce uses object-level, field-level, and record-level security to secure access to object, field, and individual records.
ScenarioJohn is an experienced leader who has recently joined ABC Corp as a sales executive. She also has a marketing background and reports directly to the CEO. She needs access to various objects and apps in Salesforce.
Layer 1: Object-level-securityObject-level access can be managed through two configurations, profiles and permission sets.
2 Permission sets
Since John has a marketing background, let’s say she wants to access the Campaigns object to help with marketing. The admin wants to give permission to access
Campaigns just to John. This is where permission sets come in. Permission sets are used to provide additional (usually special) permissions to users who are already in a profile. In our case,
an admin needs to create a permission set that provides access to the Campaigns object and assign that permission set to Maria.
Notes about permission sets:
- With permission sets, you can add and remove permissions to a small subset of users at any time.
- You can add multiple permission sets to a given user.
- Use permission sets only when a subset of users need additional permissions.
- If a lot of people in a profile need that permission, then create a custom profile and add permission directly to that profile.
Layer 2: Field-level-security
Even if John has access to objects, she still needs access to individual fields of each object. In Salesforce, profiles also control field-level access.
An admin can provide read and write permissions for individual fields. An admin can also set a field to hidden, completely hiding the field to that user.
Layer 3: Record-level security
Types of record-level security (also known as record sharing rules)
3.1 Record-level-security: organization-wide sharing defaults
Organization-wide defaults (OWD) control the default behavior of how every record of a given object (for example, Accounts) is accessed by users who do not own the record. For example:
- If OWD for Accounts is Private, it means Maria can only see records she is a owner of.
- If OWD for Accounts is Read/Write, it means anyone can read and update (but not delete) the record
3.2 Record -level-security: role hierarchies
Record-level security lets you give users access to some object records, but not others. The owner has full access to the record. In a hierarchy, users higher in the hierarchy always have the same access to users below them in the hierarchy.
In our case, the admin needs to add Maria to the appropriate role within Maria’s user
3.3 Record-level-security: sharing rules
Sharing Rules for particular sets of users, to give them access to records they don’t own or can’t normally see.
if John wants to share records with her peers in the service executive teams She can use sharing rules
3.4 Record-level-security: Apex managed sharing
If sharing rules and manual sharing don’t give you the control you need, you can use Apex managed sharing. Apex managed sharing allows developers to programmatically share custom objects. When you use Apex managed sharing to share a custom object, only users with the “Modify All Data” permission can add or change the sharing on the custom object’s record, and the sharing access is maintained across record owner changes