In the Salesforce world, profiles, roles, and permission sets play major role in the security, sharing and visibility context. They control who can do what and see what. Together, they make sure everyone has the right access to Salesforce’s features and data.
Profiles set the basic permissions for a group of users. They decide what users can see and do. Roles create a structure that affects who can share data.
Permission sets let you add extra permissions to what’s in a user’s profile.
Knowing how these three work together helps manage user access. It keeps data safe and makes sure Salesforce fits your business needs. This part will go into each feature’s role in Salesforce’s strong security.
Key Takeaways
- Profiles, roles, and permission sets are the core Salesforce security features that govern user access and data visibility.
- Profiles define the baseline permissions and settings for a group of users, while roles establish a hierarchical structure that impacts data sharing.
- Permission sets provide a flexible way to grant additional permissions beyond the user’s profile, allowing for more granular access control.
- Understanding the interplay between these three components is crucial for effectively managing user access and maintaining data security in Salesforce.
- Implementing these features strategically is essential for aligning Salesforce usage with an organization’s unique business requirements.
Understanding the Basics of Salesforce Security Model
Salesforce’s security model is designed to control who sees and edits data.
It has three main parts:
- Object-level security (Eg. objects Like Account, Contacts, Leads etc)
- Field-level security (Eg. First Name field on Account boject)
- Record-level access control. (OWD access)
Below image shows List view of Account object where we can see account records and in second image we have clicked and opened the account record named
Christiano ROnaldo.
These work together to make sure users can only see what they need to, keeping data safe from unauthorised changes.
Salesforce data security model below:
1.Object-Level Security Overview
Object-level security in Salesforce decides who can see certain objects. This means admins can choose who can view things like Accounts, Contacts, or Opportunities. It helps keep sensitive data safe by only letting those who need it see it.
2.Field-Level Security Components
Field-level security in Salesforce lets admins control specific fields within objects. They can make fields like Social Security numbers or financial details hidden or read-only. This is key for following data privacy rules and keeping sensitive info safe.
3.Record-Level Access Control
Record-level access control in Salesforce decides who can see, edit, or delete specific records. It uses sharing rules, role hierarchies, and manual sharing to control access. This is vital for keeping data private and stopping unauthorised access to sensitive info.
Knowing how to use these three parts of the Salesforce security model helps organizations manage access, protect data, and follow important rules and best practices.
1.Object-Level-Security:
It consists of Profiles level security , permission set and permission set groups level security.
1.1 Profiles in Salesforce:
In the Salesforce world, profiles are the key.
They set the default permissions and settings for users. Profiles control what users can see and do in the platform.
Only one profile can be assigned to a user at a time.
Salesforce has many standard profiles like System Administrator, Sales Manager, Standard Platform User etc. These profiles help manage user permissions. But, the real strength is in creating custom profiles that fit an organization’s needs.
Below image showing ‘System Administrator’ profile being assigned to the user :
Custom profiles let admins adjust user permissions and settings closely. This ensures each team member has what they need to do their job well. This fine control is vital for a safe and efficient Salesforce setup.
Salesforce Profiles | Key Features |
---|---|
Standard Profiles | Pre-defined by Salesforce Offer a starting point for user permissions Suitable for common user roles |
Custom Profiles | Tailored to specific organizational needs Granular control over object, field, and feature access Enables efficient management of user permissions |
1.2 Permission Sets & Permission Sets Groups :
Permission sets are also similar to profiles which is basically a collection of permissions and settings that give user access to various tools inside the salesforce platform.
When we create a group by combining individual permission sets that i called a permission set group.
Recommended way is that we provide minimum base level permissions at the profile level and manage and assign object level and field level permissions at permission set level.
2.Field-Level-Security:
Field level security can be provided both at profile level and at permission set level as well but as discussed above, the recommended security best practise is that we should always configure field level permissions at permission set and permission set group level only.
3.Record-Level-Security :
Record level sharing is often referred to as “Salesforce Sharing Model” as it deals with sharing of records with other users, groups etc.
A thumb rule here is that we first start by granting the base and minimum level of access to users and then we start opening up the access as and when required as shown in the salesforce data model diagram based on some defined criteria’s.
Now here we have 3 ways in which we can open up the access, namely :
- organization-wide sharing defaults
- role hierarchies
- sharing rules
3.1 OWD’s :
In order to set-up owd, we need to navigate to sharing settings as shown below ->
3 major settings we can do in OWD ->
- If OWD for Contact is Private, it means only the record owner can see the record.
- If OWD for Contact is Public Read Only, it means anyone can read (but not update or delete) the record.
- If OWD for Contact is Public Read/Write, it means anyone can read and update (but not delete) the record.
3.2 Role hierarchy:
In salesforce, a user may have or may not have a role, it depends on organizations requirement. And every user can be associated with a single role only.
Typically different job roles have different level of record access requirements where role hierarchy can play an important role to handle record level visibility.
In an organization roles are defined in a hierarchical way and same can be seen in the salesforce platform as shown below:
Here a user with higher role can see those records what users in lower roles can see. For eg. A CEO can see his records as well the records of his reportee’s also who are lying below him in the hierarchy.
3.3 Sharing-Rules :
Note: It is applicable when the OWD is set to “Private”
In this scenario where only the record owner can see his record, we can create sharing rule’s to share records with others based on some defined criteria’s as per organisation’s needs.
Now, sharing rules can be created based on
- Ownership-based sharing rules
- Criteria-based sharing rules
- Guest user sharing rules
3.4 Manual sharing :
We can manually share individual records with specific users by clicking the “Share” button on the record’s details page. This option is only available for records that are set to private or public read-only.
In order to share our “Christiano ROnaldo” account record with some user , we need to navigate to dropdown arrow button -> got sharing -> and you will se this interface as shown below and from where you can search for a user and can share the record:
3.5 Apex managed sharing :
In some cases, we can’t share records using the standard UI or settings.
In these situations, we need to write custom Apex code to achieve the desired sharing behavior.
For instance, if we want to automatically share records with a specific user based on certain criteria (like account type), we can create an Apex trigger to handle this.
check out the official documentation on apex managed sharing -> https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_bulk_sharing_understanding.htm
You can go and check below video as well.
Key Differences Between Profiles and Permission Sets
In Salesforce, knowing the difference between profiles and permission sets is key. Both control user access, but they differ in scope and use.
When to Use Profiles vs. Permission Sets
Profiles set the base permissions for users and those permission are common to all the users who are part of that profile while permission sets are utilised to extend the user permissions without changing the profile.
***A Use Case scenario :
Lets say there is a scenario where we have 10 User’s who are part of a custom Profile called “System Administrators Custom”, all have similar access here.
Now what if out of those 10 admins we want 2 admins to have some additional edit access on the Account object field -> “Channel Program Name”
Currently at profile level admins doesn’t have the edit access to this field as shown below :
Now here, if we provide the edit access here at the profile level then all the 10 admins will get the edit access to “Channel Program Name” field which obviously we dont want.
So to solve this scenarios we have to create a permission set, we have to provide edit access on the permission set and then we need to assign this permission set to those 2 admin users who require edit access. Voila!!
Implementation Best Practices
- Begin with providing minimum access at profile level that matches the orhanisation’s main roles. Consider cloning a standard profile provided by salesforce called -> “Minimum Access – Salesforce“
- Use permission sets for granting extra, specific permissions.
- Keep your profiles and permission sets updated and secure.
Common Use Cases
Profiles are great for:
- Setting basic access for large groups (like Sales or Service)
- Managing access to standard objects and fields
- Controlling what users see and can use
Permission sets are best for:
- Access to custom objects or fields
- Temporary or project-specific access
- Special features for certain users
Summary
Salesforce provides a layered security model to protect your data. Profiles and permission sets control access to objects and fields, with permission set groups offering a more granular approach to defining user roles. Additionally, Salesforce provides five types of record-level security:
- Org-wide defaults: Set basic access levels for all users.
- Role hierarchy sharing: Share records based on the hierarchical relationship between users.
- Sharing rules: Automatically share records based on predefined criteria.
- Manual sharing: Share individual records with specific users.
- Apex-based sharing: Use custom Apex code to implement complex sharing rules.
Check out the official salesforce documentation here -> https://developer.salesforce.com/blogs/developer-relations/2017/04/salesforce-data-security-model-explained-visually
Please do check my article on the salesforce experience cloud here -> https://thetechnologyfiction.com/what-is-experience-cloud-in-salesforce/
FAQ
What are profiles, roles, and permission sets in Salesforce?
Profiles, roles, and permission sets are key in Salesforce for managing user access. Profiles set default permissions and settings for users. Roles control data visibility based on the company’s structure. Permission sets offer detailed access control beyond profiles.
How does the Salesforce security model work?
Salesforce’s security model has three main parts: object-level security, field-level security, and record-level access. Object-level security controls access to entire objects. Field-level security manages field visibility. Record-level access controls which records users can see or edit.
What are the key features and functions of Salesforce profiles?
Salesforce profiles are vital for setting user permissions and settings. They control access to objects, fields, and features. Admins can use standard profiles or create custom ones for specific needs.
How do roles and profiles work together with permission sets in Salesforce?
Roles, profiles, and permission sets work together in Salesforce’s security model. Roles determine data visibility and sharing rules. Profiles set default permissions. Permission sets extend user access, offering detailed control over privileges.
What are the key differences between profiles and permission sets in Salesforce?
Profiles and permission sets have different roles in Salesforce’s access management. Profiles set default permissions and settings. Permission sets grant extra permissions without changing profiles. The choice depends on the security needs and structure of the Salesforce setup.
How does the role hierarchy impact data visibility in Salesforce?
The role hierarchy in Salesforce is key for data visibility. It affects who can see and access records based on their role. A well-designed hierarchy ensures the right data access and security.
What are the best practices for managing profiles and permission sets in Salesforce?
Managing profiles and permission sets well involves regular audits and cleanup. Admins should keep profiles up-to-date and aligned with needs. Permission sets should offer needed access without too much privilege. Following these practices keeps Salesforce secure and organized.
Can you provide some common security implementation scenarios in Salesforce?
Salesforce security features are used in many scenarios. For example, limiting access to financial data, letting sales managers see their team’s records, or giving temporary access to consultants. Knowing these scenarios helps admins implement security effectively for their organization.