- Security Model in Salesforce
-
- In Salesforce, data is stored in three key constructions: objects, fields, and records. ScenarioJohn is an experienced leader who has recently joined ABC Corp as a sales executive.She also has a marketing background and reports directly to the CEO. She needs access to various objects and apps in Salesforce.
-
- Layer 1: Object-level-securityObject-level access can be managed through two configurations, profiles and permission sets.
Profiles
In Salesforce, profiles control access to object-level and field-level security among other things like apps, tabs, and so on. Since Maria is a new employee, an admin needs to add John to the appropriate profile that has access to sales apps and related objects to begin giving her access to salesforce data.
Permission Set
Since John has a marketing background, let’s say she wants to access the Campaigns object to help with marketing. The admin wants to give permission to access Campaigns just to John. This is where permission sets come in. Permission sets are used to provide additional (usually special) permissions to users who are already in a profile. In our case,
Steps:An admin needs to create a permission set that provides access to the Campaigns object and assign that permission set to Maria.
Notes about permission sets:•
With permission sets, you can add and remove permissions to a small subset of users at any time.
• You can multiple permission sets to a given user.
• Use permission sets only when a subset of users need additional permissions.
• If a lot of people in a profile need that permission, then create a custom profile and add permission directly to that profile.
Layer 2: Field-level-security
• Even if John has access to objects, she still needs access to individual fields of each object. In Salesforce, profiles also control field-level access.
• An admin can provide read and write permissions for individual fields. An admin can also set a field to hidden, completely hiding the field to that user.Layer 3: Record-level security• This is where record-level security comes in. Salesforce provides five ways to share records with others and access others’ records.
Types of record-level security (also known as record sharing rules)1 – Record-level-security: organization-wide sharing defaults.Organization-wide defaults (OWD) control the default behaviour of how every record of a given object (for example, Accounts) is accessed by users who do not own the record. For example:
1.1 – If OWD for Accounts is Private, it means Maria can only see records she is a owner of.
1.2 – If OWD for Accounts is Read/Write, it means anyone can read and update (but not delete) the record.
2 – Record -level-security: role hierarchies
• Record-level security lets you give users access to some object records, but not others. The owner has full access to the record. In a hierarchy, users higher in the hierarchy always have the same access to users below them in the hierarchy.
.• In our case, the admin needs to add Maria to the appropriate role within Maria’s user.
3 – Record-level-security: sharing rules• Sharing Rules for particular sets of users, to give them access to records they don’t own or can’t normally see.• if John wants to share records with her peers in the service executive teams, She can use sharing rules.
4 – Record-level-security: Apex managed sharing• If sharing rules and manual sharing don’t give you the control you need,you can use Apex managed sharing. Apex managed sharing allows developers to programmatically share custom objects. When you use Apex managed sharing to share a custom object, only users with the “Modify All Data” permission can add or change the sharing on the custom object’s record, and the sharing access is maintained across record owner changes.
- Layer 1: Object-level-securityObject-level access can be managed through two configurations, profiles and permission sets.
Hi hi hi hi