Permissions & Security


A very good article on permissions is available from Salesforce Ben.

Salesforce permissions include:
  1. Object and record permissions (object-level security AND record-level security, i.e. sharing)
  1. Field permissions (field-level security)
  1. Application permissions

Permissions are user-based.

They can be assigned to each user based on: 

  1. The User Profile (each user has one profile, accessible from 'Setup' -> 'Users')
  1. A few parameters on the User record ('Setup' -> 'Users')
  1. Permission Sets (a user can be assigned one or many permission sets). Permission sets only extend permissions:
    they extend users' access and permissions without changing their profile.
  1. Permission Set Groups (a user can be assigned one or many permission set groups)

A Permission Set Group is a bundle (a gathering) of Permission Sets, based on user job functions, for example.

Role (each User belongs to one Role; Roles are gathered in a hierarchy)


Object and Record Permission Assignment

Record Ownership

Each record (an instance of an object, i.e. an account or a contact) is owned by an Owner (the user who created the record).

The owner of a record can be changed by the owner or by whoever sits above him in the Role hierarchy.

Record Access Permissions / Organisation Wide Permissions

Record access is based on an Organisation Wide Default defined for each object.

Organisation Wide Default is set under Setup -> Sharing Settings.

Each object can be:

  1. Public Write (all users can modify all records)
  2. Public Read (all users can read all records)
  3. Private (the record is only accessible to the owner)

When the Object is set to Private, access to a record of the object is limited to the owner and is then extended:
  1. to any User who belongs to a Role above the Role of the Record's Owner (please refer to Role Hierarchy)
  2. by Sharing Rules. Sharing Rules define other Users who may have access to the record, based on conditions

Object Wide Permissions

Object Wide Permissions are defined at Object level, in the User Profile or in a Permission Set (extension).

Object Wide Permissions are applied to all records of the object based on the user. They define what a user can DO in the system.

Permissions can be:

  1. Create (User may create a new record of the object)
  2. Read (User may have access to records of the object)
  3. Edit (User may modify records of the object which they have access to)
  4. Delete (User may delete records of the object which they have access to)



Field Permissions


Field Permissions define the access level for each field in an object.

The Field Permissions are shared by all records. They cannot be set at record level.
Field Permissions can be restricted to:
  1. Read and Edit (visible)
  2. Read (visible and read only)
  3. None (not visible)

Field-level security can be defined in any of three ways:

  1. Multiple fields on a single permission set or profile
  2. Single field on all profiles (from Object setup)
  3. All users from the Record Layout

Multiple Fields on a Single Permission Set or Profile

Go to Setup -> Profile -> (select profile) -> Object Settings -> (select object)

Single Field on all Profiles (from Object setup)

Go to Setup -> Object -> (select Object) -> Fields & Relationships -> (select field) -> Set Field Level Security

From the Record Page Layout

Go to Setup -> Object -> (select object) -> Page Layouts -> (select layout) -> (select field)

Sharing Rules

Sharing rules are defined under Setup -> Sharing Settings -> (bottom of the screen).
They apply to all records and extend record access, based on rules, to users other than the record owner.
They grant access permissions (Read, Edit) to records of objects that are not Public Read/Write.
The following considerations should be read.

Do not modify sharing rules without notifying your Thynk Customer Success Manager.

Role versus Profile

Profiles are used to assign the same type of permissions to similar users (admin, managers, ...).
These permissions can then be extended with Permission Sets and Permission Set Groups.
These permissions are DO permissions (Create, Edit, Read, Delete any / all records of a specific object).

Roles define how users relate to each other from a Data Access point of view (this may not match the actual hierarchy).
A user who has been assigned a specific Role inherits access to all records owned by users with Roles below his Role in the Role Hierarchy.
These permissions are SEE / ACCESS permissions.

Two users belonging to the same Role do not share records.
This is why it is required to create Roles for the Head of each team.

Data Access (record access) provided by Role Hierarchy can then be extended with Sharing Rules.
Roles are accessible from Setup -> Role.
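
The rules described above (Organisation Wide Default, Role Hierarchy, Sharing Rules, and Profile permissions extended by Permission Sets) can be combined into a small decision model. This is an added example, not Thynk or Salesforce code; it is a simplified model covering Read and Edit only, and the role names, users and sharing grants are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role hierarchy (child -> parent); role names are hypothetical.
ROLE_PARENT = {"Sales Rep": "Head of Sales", "Head of Sales": "CEO", "CEO": None}

def role_is_above(role, other):
    """True if `role` sits strictly above `other` in the role hierarchy."""
    parent = ROLE_PARENT.get(other)
    while parent is not None:
        if parent == role:
            return True
        parent = ROLE_PARENT.get(parent)
    return False

@dataclass
class User:
    name: str
    role: str
    profile: dict                      # object name -> set of "read"/"edit"
    permission_sets: list = field(default_factory=list)  # same shape as profile

    def object_perms(self, obj):
        """Profile permissions, extended (never reduced) by permission sets."""
        perms = set(self.profile.get(obj, ()))
        for ps in self.permission_sets:
            perms |= set(ps.get(obj, ()))
        return perms

def record_access(user, owner, owd, shares=()):
    """Record-level access ("edit", "read" or None); owd is "Public Write",
    "Public Read" or "Private"; shares are constructed (user name, level) grants."""
    if user.name == owner.name or role_is_above(user.role, owner.role):
        return "edit"                  # owner, or a role above the owner's
    levels = {"Public Write": ["edit"], "Public Read": ["read"], "Private": []}[owd]
    levels += [level for name, level in shares if name == user.name]
    return "edit" if "edit" in levels else ("read" if levels else None)

def can(user, action, obj, owner, owd, shares=()):
    """An action ("read" or "edit") needs the object permission AND record access."""
    if action not in user.object_perms(obj):
        return False
    access = record_access(user, owner, owd, shares)
    return access == "edit" or (action == "read" and access == "read")

# Constructed users: two reps in the same role, their team head, a read-only user.
rep_a = User("rep_a", "Sales Rep", {"Account": {"read", "edit"}})
rep_b = User("rep_b", "Sales Rep", {"Account": {"read", "edit"}})
head = User("head", "Head of Sales", {"Account": {"read", "edit"}})
viewer = User("viewer", "Sales Rep", {"Account": {"read"}})
```

With a Private object owned by rep_a, `can(rep_b, "read", "Account", rep_a, "Private")` is False while the same call for `head` is True, which is why a Role is needed for the Head of each team.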
