Object Level Security In Salesforce
Salesforce Object Level Security provides the simplest way to control data access. It prevents a user or group of users from creating, viewing, editing, or deleting any records of an object by setting permissions on that object.
There are two ways of setting object permissions:
1. Profiles: A profile determines the objects a user can access and the permissions a user has on any object record.
2. Permission Sets: A permission set grants additional permissions and access settings to users. Permission sets can only add permissions; they cannot restrict permissions already granted to users at the profile level. They can be assigned only to users, not to profiles.
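An added example (not from the original article) of why a profile alone does not describe a user's object access: because permission sets only add, effective access is the union of the profile's grants and the grants of every assigned permission set. The profile names, permission set name, users and rows are constructed, and the "parent" and "source" keys are hypothetical; the flag names follow the fields of the ObjectPermissions object.

```python
# Added example: rows are constructed, shaped like records of the
# ObjectPermissions object (one row per profile or permission set per object).
CRUD = ("PermissionsCreate", "PermissionsRead", "PermissionsEdit", "PermissionsDelete")

# Constructed sample data. "parent" and "source" are hypothetical keys;
# "source" is either "profile" or "permission_set".
GRANTS = [
    {"parent": "Read Only Clone", "source": "profile", "SobjectType": "Account",
     "PermissionsRead": True},
    {"parent": "Account Cleanup", "source": "permission_set", "SobjectType": "Account",
     "PermissionsRead": True, "PermissionsEdit": True, "PermissionsDelete": True},
    {"parent": "Sales Clone", "source": "profile", "SobjectType": "Account",
     "PermissionsCreate": True, "PermissionsRead": True, "PermissionsEdit": True},
]

# Constructed users: exactly one profile each, any number of permission sets.
USERS = {
    "alice": {"profile": "Read Only Clone", "permission_sets": ["Account Cleanup"]},
    "bob": {"profile": "Sales Clone", "permission_sets": []},
}


def _granted(parents, source, sobject):
    """Union of the CRUD flags granted on sobject by the named parents."""
    return {p for row in GRANTS
            if row["source"] == source and row["parent"] in parents
            and row["SobjectType"] == sobject
            for p in CRUD if row.get(p, False)}


def effective_access(user, sobject):
    """Profile grants plus permission set grants; nothing is ever subtracted."""
    u = USERS[user]
    return (_granted([u["profile"]], "profile", sobject)
            | _granted(u["permission_sets"], "permission_set", sobject))


def beyond_profile(user, sobject):
    """Permissions the user holds only because of an assigned permission set."""
    u = USERS[user]
    return effective_access(user, sobject) - _granted([u["profile"]], "profile", sobject)


if __name__ == "__main__":
    for name in USERS:
        print(name, sorted(effective_access(name, "Account")),
              "added by permission sets:", sorted(beyond_profile(name, "Account")))
```

An access review that reads only the profile would report alice as read-only on Account; the permission set is what gives her Edit and Delete.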
About Profiles In Salesforce
A profile is a collection of settings and permissions that determine which data and features in the platform users have access to.
A profile works like a template: whenever we want to create a new profile, we have to choose a profile that is already provided by Salesforce and then customize it according to our requirements.
Starting from an existing profile means we don’t have to set all the permissions and settings from scratch.
Settings determine what users can see, for example apps, tabs, fields, and record types, whereas permissions determine what users can do, for example create or edit records of a certain type, run reports, and customize the app.
1. Profiles Control
- Object Permission
- Field Permission
- User Permission
- Tab Settings
- App Settings
- Apex class access
- Visualforce page access
- Page Layouts
- Record Types
- Login Hours
- Login IP Ranges
Profiles are typically defined by a user’s job function but anything that makes sense in an organization can be created as a profile. The platform includes a set of standard profiles. Each of the standard profiles includes a default set of permissions for all of the standard objects available on the platform.
2. Standard User
The Standard User profile has Read, Edit, and Delete permissions on most standard objects.
3. Read Only
The Read Only profile has permissions similar to the Standard User profile, but its access is limited to read-only.
4. Marketing User
Permissions of Standard User + Additional Permissions.
5. Contract Manager
Permissions of Standard User + Additional Permissions.
6. Solution Manager
Permissions of Standard User + Additional Permissions.
7. System Administrator
The System Administrator profile has the widest access to data and the greatest ability to configure and customize Salesforce. The System Administrator profile also includes two special permissions, namely “View All Data” and “Modify All Data”.
When a custom object is created, most profiles, except those with the “Modify All Data” permission, do not give access to that custom object.
Note:
1. Object permissions on the standard profiles cannot be edited.
- To work around this, create a new profile by cloning a standard profile, then customize the copy to fit the needs of the organization.
- The profile functionality in an organization depends on the user license type.
2. Every profile should have at least one visible app.
3. If an app is visible, its tab won’t show up unless a profile has permission to view the associated objects.
4. A profile can be assigned to many users, but a user can be assigned to only one profile at a time.