Salesforce provides a layered security model to ensure that the right people have the right access to data while maintaining data privacy and confidentiality.
This security model is broadly divided into 2 major categories:
1. Object Level Security: in Salesforce controls access to specific objects for users. It defines what actions a user can perform on an object like Create, Read, Edit, and Delete (CRUD). If users don’t have access to an object, they cannot see its records in the system at all.
Components under Object Level Security:
Profiles — Basic level access to objects and tabs. Controls CRUD permissions for objects.
Permission Sets — Provide additional object-level access without changing the user’s profile.
Permission Set Groups — Combine multiple permission sets for easy management.
Field Level Security — Controls access to individual fields within an object. You can hide sensitive fields from users even if they have access to the object.
2. Record Level Security (What records within an object a user can access):
Record Level Security controls a user's ability to access specific records within an object. Even if a user has access to an object, record-level security determines which individual records they can view, edit, transfer, or delete.
Components under Record Level Security:
Organization-Wide Defaults (OWD) — Set the baseline level of record access for all users in the org (Private, Public Read Only, Public Read/Write).
Role Hierarchy — Allows users higher in the role hierarchy to access records owned by users below them.
Sharing Rules — Automatically grant additional record access based on criteria or ownership.
Manual Sharing — Record owners or admins can share individual records with specific users or groups.
Apex Sharing — Programmatically share records using custom code based on business logic.
How To Setup These In Salesforce CRM
1. User Profiles
Profiles define what users can do in Salesforce, including object permissions, field-level security, page layouts, apps, and more.
Steps to Set Up User Profiles:
1. Navigate to Setup → Users → Profiles.
2. Clone a standard profile or create a new profile.
3. Configure:
- Object permissions (CRUD)
- Field-level security
- Tab visibility
- Record Types
- Page Layout assignments
4. Assign the profile to users while creating or editing a user record.
2. Permission Sets
Permission Sets provide additional access to users without changing their profile. They are additive.
Steps to Set Up Permission Sets:
1. Navigate to Setup → Users → Permission Sets.
2. Click 'New' and define the label and description.
3. Configure:
- Object settings
- Field permissions
- System permissions
- App permissions
4. Assign the Permission Set to users by selecting Manage Assignments → Add Assignments.
3. Organization-Wide Defaults (OWD)
OWD controls the baseline level of access to records for all users in the org.
Steps to Configure OWD:
1. Navigate to Setup → Security Controls → Sharing Settings.
2. For each object, choose the default access level:
- Private
- Public Read Only
- Public Read/Write
3. Save your settings.
4. Role Hierarchy
Role Hierarchy in Salesforce allows higher-level users to access the records owned by lower-level users in the hierarchy.
Steps to Configure Role Hierarchy:
1. Navigate to Setup → Users → Roles.
2. Define roles based on your organization's structure.
3. Assign users to the appropriate roles.
4. Higher roles automatically inherit access to records owned by users in lower roles.
5. Sharing Rules
Sharing Rules extend access to users based on record ownership or criteria.
Steps to Create Sharing Rules:
1. Navigate to Setup → Security Controls → Sharing Settings.
2. Select the object for which you want to create sharing rules.
3. Click 'New' under the appropriate section.
4. Define the criteria or owner-based rule.
5. Select users, roles, or public groups to share with.
6. Define access levels (Read Only / Read/Write).
7. Save the rule.
6. Apex Sharing
Apex Sharing allows developers to programmatically share records based on complex business logic using Apex code.
Steps to Implement Apex Sharing:
1. Set the Organization-Wide Default (OWD) for the object to Private or Public Read Only.
2. Navigate to Setup → Object Manager → Select the desired object (Standard or Custom).
3. Confirm "Grant Access Using Hierarchies" is enabled if applicable.
4. Identify the Share Object for your target object (Example: AccountShare for Account, CustomObject__Share for Custom Object).
5. Write an Apex class or trigger to create sharing records.
6. In the code, create a new instance of the Share Object.
7. Set the following fields:
- ParentId → ID of the record to be shared.
- UserOrGroupId → ID of the User, Role, or Group to share with.
- AccessLevel → Define as 'Read' or 'Edit'.
- RowCause → Define reason for sharing (Manual, Owner, etc.).
8. Insert the Share Object record using DML statement.
9. Deploy the Apex class or trigger.