Security and Access (15%) Flashcards
Sharing Access
- User’s profile has object level permission to access that object? 2. User’s profile has any administrative permissions (view all data, modify all data)? 3. Ownership of the record (Organization wide defaults, role-level access, any sharing rules will be checked)
Organization Security
Org-level permissions determines under what conditions a user can login to Salesforce. When users can login (Login Hours) Where users can login from (Login IP Ranges) How users can login (API, UI, etc.)
Object Security
Object-level permissions determines what actions (Create, Read, Edit, Delete) a user can perform on records of each object.
Record Security (1)
There are 3 tiers of record-level permissions: Read Only Read/Write Full Access
Record Security (2)
“Read Only” and “Read/Write” access can be granted through a variety of means (org-wide defaults, sharing rules, etc.). Users with the object-level permission “View All” are granted “Read Only” record-level permissions to all records of that object.
Record Security (3)
“Full Access” is granted to: The record owner. Users higher in the role hierarchy than the record owner (when “Grant Access Using Hierarchies” is enabled). Users with “Modify All” object-level permission (this includes system administrators). Members of a queue to all records owned by the queue. It is not possible to share “Full Access” via sharing rules or other mechanisms at this time.
Record-level vs object-level permissions
CREATE VIEW EDIT DELETE Object Create Read Edit Delete Record N/A Read Only Read/Write Full Acc
Field-Level Security
Visible Read-Only Field-level permissions determine which fields a user can view and edit on records of an object.
Folder Security
Folders are used to secure a variety of data within Salesforce, including but not limited to: Reports Dashboards Email Templates Documents
Permission Sets
Privileges in addition to profile Use to grant additional privileges for one-off cases, or instances where the same set of privileges must be granted for users that are assigned to different profiles (e.g. providing access to a 3rd party application shared by several departments).
Roles
User is assigned one role, which sets the foundation for their access to records and folders. Role used by: 1. Sharing rules 2. Groups 3. Folder sharing criteria to structure access to content e.g. While a user’s profile and permission sets determine if a user can run reports, their role will influence which report folders they can access.
Grant Access Using Hierarchies
Setting for configuring organization-wide defaults (Setup –> Security Controls –> Sharing Settings). Standard objects: always enabled Custom objects: enabled by default but can be disabled. Users are granted full access (create, read, edit, delete) record-level permissions to the records meeting both criteria: 1. The record is owned by a user in a subordinate role. 2. The object has “Grant Access Using Hierarchies” enabled.
Groups
Comprised of users, roles, and other groups. Public Groups Created and maintained by administrators, and can be referenced in org-wide configuration (such sharing rules). Personal Groups Created and maintained by users, and can only be referenced in select configuration (such as Outlook contact synchronization).
Manual Sharing
Displayed if org-wide defaults for an object are either: Private Public Read Only (if added to the page layout) In order to share access to a record, the user must first have “Full Access” to the record
Delegated Administration
Allows named users to manage other users within selected roles and profiles, as well as manage fields on selected custom objects (standard objects excluded).
Security Matrix
