Salesforce Advanced Administrator Notes (Sharing Security)
Every user in Salesforce has a profile, either a Standard profile or a Custom profile. A user's profile determines access to objects and to the fields in those objects.
Profiles control:
- The objects the user can access
- The fields of the object the user can access
- The tabs the user can access
- The apps the user can access
- The page layout that is assigned to the user
- The record types available to the user
Standard profiles:
Standard profiles cannot be deleted. The object (and field) access permissions of standard profiles cannot be edited. Standard profiles have access to all standard objects; the Read Only profile has read-only access to objects. However, access to tabs and applications can be configured for standard profiles. Access permissions of custom profiles can be edited. Custom profiles are created by developers by cloning a standard profile.
Security in Salesforce is defined at multiple levels. These levels are:
Object level security:
It is set at the profile level. Object level security is set up via Manage Users –> Profile. Access for Read, Create, Edit and Delete can be set on standard and custom objects.
Field level security:
It is also applied at the profile level. Field-level security is available via the "Set Field-level security" button on the field definition page. At field level, the valid settings for each profile are Visible and Read-only. When a user logs in, the list of objects displayed to her is determined by the object level security of her profile, and the list of fields displayed is determined by the field level security settings of that profile.
Record level Security:
There are 3 tiers of record-level permissions:
- Read Only
- Read/Write
- Full Access
"Read Only" and "Read/Write" access can be granted through a variety of means (organization-wide defaults, role hierarchy, sharing rules, manual sharing). Users with the object-level permission "View All" are granted "Read Only" record-level permission on all records of that object.
“Full Access” is granted to:
- The record owner.
- Users higher in the role hierarchy than the record owner (when “Grant Access Using Hierarchies” is enabled).
- Users with “Modify All” object-level permission (this includes system administrators).
- Members of a queue, for all records owned by the queue.
- Organization wide defaults (OWD). This setting is defined at object level. OWD defines the default record-level sharing for an object. All profiles get at least the privileges defined in OWD. OWD takes three different values:
  - Private (can't view or edit)
  - Public Read Only (can view)
  - Public Read/Write (can view and edit)
Key concepts about Organization wide defaults:
- To decide the OWD for an object, first find out which user requires the least access to that object; OWD is set based on this user's access requirement.
- The most restrictive record access is defined using OWD. Access to additional records is granted through the role hierarchy, sharing rules and manual sharing.
- We can set OWD settings for both Standard and Custom Objects.
- Changing OWD settings can delete manual sharing if that sharing is no longer needed.
- Public Read/Write is the default OWD setting.
- Role Hierarchy allows additional users access to records. A hierarchy of roles is defined based upon access requirements at record level. Each user belongs to exactly one role. If a role has access to a record, then its parent role and all ancestor roles also have access to that record. Roles are created using the Manage Users menu. Roles are used to control record access, whereas profiles are used to specify access at the object and field level.
- Public groups are used in sharing rules and to give access to folders. A public group consists of users, roles or "roles and subordinates". The default public group is "Entire Organization". Public groups cannot be assigned to profiles.
- Sharing rules are defined using public groups. Records that match certain conditions can be shared with the users in a public group using sharing rules. Sharing rules functionality is available via the Sharing Settings menu.
- Manual sharing is used to grant one-off access. Manual sharing can be granted by the record owner, anyone above the owner in the role hierarchy, and the System Administrator. It is used to handle exception cases where access to a particular record needs to be given to a specific user. The Sharing button on the record page is used to provide manual sharing. Ownership of a record can be transferred to any user who has at least Read permission on the record.
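As an added worked example (not part of the original notes, and not Salesforce's own code), the record-level rules above, from the OWD floor through Modify All, View All, ownership, role hierarchy, queues, sharing rules and manual sharing, modelled in Python so the effective tier a given user ends up with on a record can be checked against a constructed org. The mapping of each OWD value to a tier, and every user, role, group and record name, are assumptions.

```python
from collections import namedtuple

# Record-level tiers from the notes, least to most access.
TIERS = ["None", "Read Only", "Read/Write", "Full Access"]
# Baseline tier each OWD value gives every user (assumed reading of the notes' wording).
OWD_TIER = {"Private": "None", "Public Read Only": "Read Only", "Public Read/Write": "Read/Write"}
# view_all / modify_all model the object-level "View All" / "Modify All" permissions.
User = namedtuple("User", "name role view_all modify_all", defaults=(None, False, False))
Record = namedtuple("Record", "rid owner queue", defaults=(None, None))  # owned by a user or a queue
# role_parent: role -> parent role; hierarchies: "Grant Access Using Hierarchies" switch;
# queues/groups: name -> set of user names; rules: (predicate, group, tier); manual: (rid, user, tier).
Org = namedtuple("Org", "owd role_parent hierarchies queues groups rules manual",
                 defaults=(True, {}, {}, [], []))

def is_above(org, role, owner_role):
    """True when `role` is an ancestor of `owner_role` in the role hierarchy."""
    parent = org.role_parent.get(owner_role)
    while parent is not None:
        if parent == role:
            return True
        parent = org.role_parent.get(parent)
    return False

def effective_access(org, user, record):
    """Highest record-level tier `user` holds on `record` under the rules in the notes."""
    grants = [OWD_TIER[org.owd]]           # OWD is the floor every profile gets
    if user.modify_all:                    # "Modify All" -> Full Access on every record
        grants.append("Full Access")
    if user.view_all:                      # "View All" -> Read Only on every record
        grants.append("Read Only")
    if record.owner and (record.owner.name == user.name or
                         org.hierarchies and is_above(org, user.role, record.owner.role)):
        grants.append("Full Access")       # owner, or above the owner in the role hierarchy
    if record.queue and user.name in org.queues.get(record.queue, ()):
        grants.append("Full Access")       # queue member on a queue-owned record
    grants += [t for pred, grp, t in org.rules       # sharing rules grant via public groups
               if pred(record) and user.name in org.groups.get(grp, ())]
    grants += [t for rid, name, t in org.manual      # one-off manual shares
               if rid == record.rid and name == user.name]
    return max(grants, key=TIERS.index)

def demo():
    """Constructed scenario: Private OWD, roles Rep < VP < CEO, one sharing rule, one manual share."""
    org = Org("Private", {"Rep": "VP", "VP": "CEO", "CEO": None},
              queues={"Support": {"dana"}}, groups={"Sales": {"bob"}},
              rules=[(lambda r: r.rid.startswith("A-"), "Sales", "Read Only")],
              manual=[("A-2", "carol", "Read/Write")])
    users = [User("alice", "Rep"), User("bob", "Rep"), User("carol", "Rep", view_all=True),
             User("dana", "Rep"), User("eve", "CEO")]
    return {u.name: effective_access(org, u, Record("A-2", owner=users[0])) for u in users}
```

Switching `hierarchies` off in the `Org` shows why the "Grant Access Using Hierarchies" setting matters: the CEO drops from Full Access to the OWD floor on a subordinate's record.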