Data security is one of the most crucial concerns of any organization. In Salesforce, it is equally important to give the right people access to the right data; if you don't, the security of your Salesforce organization may suffer. In this article on data security in Salesforce, you will learn about the four levels at which you can control data access and what your users can access within Salesforce.
Introduction to Data Security
After setting up users for your organization, you need to determine what your users require and which data they can access. Salesforce provides a flexible, layered sharing model to ensure better security and convenience. It also reduces the risk of data being stolen or misused by attackers. The layered sharing model makes it easy to assign different data sets to different sets of users. This model works at the API level.
Salesforce also contains simple-to-configure security controls for assigning access to users. They specify which users can view, edit, and delete a particular field or record within the Salesforce organization. As an administrator, you can configure access at the level of the organization, objects, fields, and individual records, and so provide the right access to various users without granting permissions to each user individually.
Levels of Data Access
As an administrator, you can control which users can access which type of data within the Salesforce organization. There are four levels of data access: organization, object, field, and record.
At the organization level, you can control and manage the following for your entire Salesforce organization:
- List of authorized users
- Password policies
- Login limits to certain hours
- Location, etc.
As an administrator, the simplest thing to control is access at the object level. You can set permissions for a specific type of object so that no user can edit or delete that data. This is called object-level access.
For example, you can set object permissions so that employees can view their payslip, attendance, roster, and profile but are not entitled to edit or delete those records.
Access to fields can be restricted even if the user has access to the object. That means some fields of an object, such as the salary field, can be accessed by one user but remain invisible to others. This is called field-level access.
As an administrator, you can give a user access to an object while restricting that user's access to specific records of the object. That means users can access only particular object records. This is called record-level access.
Record-level access can be managed in four different ways:
- Organization-wide defaults
- Role Hierarchies
- Sharing Rules
- Manual Sharing
Organization-wide defaults specify the default level of access users have to each other’s records; they are the baseline level of access for all records of an object. These settings are used to lock down your Salesforce data to the most restricted level. You can then open up access to other users by using the sharing tools.
Organization-wide defaults can be set in the following ways:
- Public Read/Write: Any user can view and edit records of an object.
- Public Read Only: All users can view records of an object but can’t edit or delete them. Only the record owner and users with a role above the owner in the role hierarchy can edit those records.
- Private: No user is permitted to view or edit the records of an object. Only the owner and users with a role above the owner in the role hierarchy can view and edit the records.
Every organization contains some sensitive data that can’t be shared with all users, only with those who need it according to the role hierarchy, sharing rules, and manual sharing. Whenever a change is made to the organization-wide default settings, Salesforce sends an email about the update, and the sharing recalculation then starts in the organization.
To find the organization-wide default sharing settings in Salesforce, follow these steps:
- Log in to Salesforce.
- Go to the Setup menu and click on it.
- Enter Sharing in the Quick Find box and click Sharing Settings under the Security control tab.
- The Sharing Settings window opens.
The Sharing Settings screen is divided into two sections:
- Organization-wide defaults
- Sharing Rules for various objects.
Organization-wide defaults are the fundamental baseline of all security in Salesforce, which means everything begins with the organization-wide defaults. At the base level, organization-wide defaults are the primary security setting on each object.
Organization-wide defaults are the most restricted level of security; access is then opened up to additional users through the sharing settings.
Salesforce lets every organization create a role hierarchy. The role hierarchy determines that a person higher in the hierarchy can view and edit the records of people lower in the hierarchy. Each role represents a level of data access that a user or group of users requires.
Sharing rules create automatic exceptions to organization-wide defaults for a user or group of users who don’t own the record. Sharing rules apply where organization-wide defaults are set to Public Read Only or Private.
Sharing rules can’t restrict the access provided by organization-wide defaults; they can only extend access to users in the organization.
Types of Sharing Rules:
- Owner-based sharing rules: These share the records owned by certain users only; the owners of the records can be identified through public groups, roles, and subordinates.
- Criteria-based sharing rules: These share records based on certain criteria, for which you need to answer three questions:
  - Which records are to be shared?
  - With whom do the records need to be shared?
  - Which level of access do the users require?
Manual sharing lets users share records individually with other users using the Share button available on the record. Whenever it is difficult to define a group of users who need access to a specific record, manual sharing can grant access to them. Manual sharing enables a user to share a record with colleagues who don’t have access to it.
Manual sharing can be done only by the following users:
- Record owner
- A user who has a role above the owner in the role hierarchy
- A user who has “Full Access”
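A simplified model of how the four record-level mechanisms above combine, as an added example that is not Salesforce's own code. The role names, users, sharing rule and record are constructed, and the function and class names are hypothetical.

```python
# Simplified model of the record-level access described in this article.
# All names and sample data are constructed; this is not Salesforce code.
from dataclasses import dataclass, field

LEVELS = {"none": 0, "read": 1, "edit": 2}
# Organization-wide default -> baseline access for users who do not own the record
OWD = {"Private": "none", "Public Read Only": "read", "Public Read/Write": "edit"}
# Constructed role hierarchy: role -> role directly above it
ROLE_PARENT = {"Sales Rep": "Sales Manager", "Sales Manager": "CEO",
               "Support Agent": "CEO"}
USER_ROLES = {"alice": "Sales Rep", "bob": "Sales Manager",
              "carol": "Support Agent", "dave": "Sales Rep", "erin": "Sales Rep"}

@dataclass
class Record:
    owner: str
    fields: dict
    manual_shares: dict = field(default_factory=dict)  # user -> "read" | "edit"

def is_above(role, other):
    """True if `role` sits above `other` in the role hierarchy."""
    parent = ROLE_PARENT.get(other)
    while parent is not None:
        if parent == role:
            return True
        parent = ROLE_PARENT.get(parent)
    return False

def effective_access(user, record, owd, sharing_rules=()):
    """Return "none", "read" or "edit" for `user` on `record`."""
    # The owner and anyone with a role above the owner can view and edit.
    if user == record.owner or is_above(USER_ROLES[user], USER_ROLES[record.owner]):
        return "edit"
    grants = [OWD[owd]]                                   # baseline
    for criteria, shared_with_role, level in sharing_rules:
        # Criteria-based rule: which records, shared with whom, at what level
        if USER_ROLES[user] == shared_with_role and criteria(record):
            grants.append(level)
    grants.append(record.manual_shares.get(user, "none"))  # manual sharing
    # Sharing can only extend access, so the most permissive grant wins.
    return max(grants, key=LEVELS.get)

# Constructed rule: EMEA records are shared read-only with Support Agents.
RULES = [(lambda r: r.fields.get("Region") == "EMEA", "Support Agent", "read")]
# Constructed record owned by alice and manually shared with dave.
opp = Record(owner="alice", fields={"Region": "EMEA"},
             manual_shares={"dave": "edit"})
```

Reviewing a sharing design this way makes it easy to spot users whose access comes only from a manual share or a broad rule rather than from the baseline.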
How to create a custom profile by cloning a profile?
Follow these steps to create a custom profile in Salesforce:
1. Log in to Salesforce.
2. Go to the Setup menu and click on it.
3. Enter Profile in the Quick Find box and then click Profiles under Users.
4. Navigate to the System Administrator profile in the list of profiles.
5. Click the Clone button.
6. Enter Junior Administrator in the Profile name field.
7. Click the Save button.