Free Salesforce Admin Tutorial >

Chapter 7 - Data Security >

Object Level Security in Salesforce (Profile Level)

Object Level Security in Salesforce (Profile Level)

Object Level Security in Salesforce

Salesforce Object Level Security provides the simplest way to control data access. It prevents a user or group of users from creating, viewing, editing, or deleting any records of an object by setting permissions on that object.

There are two ways of setting object permissions:

1. Profiles: 

It determines the objects a user can access and the permissions a user has on any object record.

2. Permission Sets:

 It provides additional permissions and access settings to users.


A profile is a collection of settings and permissions that determine which data and features in the platform users have access to.

Settings determine what users can see for example apps, tabs, fields, and record types whereas Permission determines what users can do for example create or edit records of a certain type, run reports and customize the app.

Profiles Control:

  • Object Permission
  • Field Permission
  • User Permission
  • Tab Settings
  • App Settings
  • Apex class access
  • Visualforce page access
  • Page Layouts
  • Record Types
  • Login Hours
  • Login IP Ranges

Profiles are typically defined by a user’s job function but anything that makes sense in an organization can be created as a profile. The platform includes a set of standard profiles. Each of the standard profiles includes a default set of permissions for all of the standard objects available on the platform.

Some of them are:

1. Standard User:

Standard User profile has Read, Edit, and Delete permissions to most standard objects.

2. Read Only: 

Read-only user had permissions exactly similar to the standard user but limits access to read-only.

3. Marketing User: 

Permissions of Standard User+ Additional Permissions.

4. Contract Manager:

Permissions of Standard User + Additional Permissions.

5. Solution Manager:

Permissions of Standard User + Additional Permissions.

6. System Administrator:

The System Administrator profile has the widest access to data and the greatest ability to configure and customize Salesforce. The System Administrator profile also includes two special permissions namely “View All Data” and “Modify All Data”.

When a custom object is created most profiles except those with modify all data permission do not give access to that custom object.


  1. Object permissions on the Standard profile cannot be edited.
    -So to overcome through this it is good to make copies/clones of standard profiles and then customize the copies to fit the needs of the organization.
    -The profile functionality in an organization depends on the user license type.
  2. Every profile should have at least one visible app.
  3.  If an app is visible, its tab won’t show up unless a profile has permission to view the associated objects.
  4.  A profile can be assigned to many users but the user can be assigned to only one profile at a time

Permission Sets

A permission set is also a collection of settings and permissions that determine the user’s access to various tools and functions on the platform.

Settings and permissions available in permission sets are also found in profiles but permission sets extend the functionality of users without changing their profiles.

Use permission sets to grant additional access to specific users on top of their existing profile permissions, without having to modify existing profiles, create new profiles or grant an administrator profile where it’s not necessary.

Permission Sets Control:

  • Object Permission
  • Field Permission
  • User Permission
  • Tab Settings
  • Flow Access
  • App Settings

There are a couple of ways to use permission sets:

  1. To grant access to custom objects or entire apps.
  2. To grant permissions-temporarily or long term-to specific fields

Permissions are additive which means we can’t remove a user’s existing permissions by assigning a permission set we can only add permissions. 

To limit access for a user or group of users, ensure that their base profile as well as any of their permission sets limits this type of access.

The license type cannot be changed once assigned. And it is not mandatory while creating permission sets.

Permission Sets Expiration

Set assignment expiration dates and assign permissions that expire to users via permission sets

You can specify the expiration date with 1 day, 7 days, 30 days, 60 days, and a custom date from the permission set assignment.


Permission Sets

Profiles have the most restrictive settings and permission a user assigned to this profile should have.

Permission Sets extend the access settings and permissions provided by the profile.

A user can have only one profile assigned.

Users can have more than one permission set.

Profiles are restrictive.

Permission sets are additive.

Every user must be assigned to a profile.

It is not necessary for every user to have a permission set.

Next up is Field Level Security

Download Study Material

Get access to exclusive study material for Salesforce Certification and ace your exams!

Our Salesforce Certification Courses

Hey there! Glad you made it through our Salesforce Admin Training for beginners. But wait! We've got some high-in-demand Salesforce courses for you to take your Salesforce skills to the next level, making you a desired professional in the Salesforce job market.

Post a Comment

Your email address will not be published. Required fields are marked *