In this tutorial, we will discuss the following topics:
- Detailed Look at User Profiles and Permission Sets
- Overview of Record-Level Security
- Understanding Field-Level Security and the Audit Trail
Detailed Look at User Profiles and Permission Sets
Understanding User Profiles
User profiles in Salesforce are fundamental components of the platform’s security model, defining how users can interact with the CRM. Each profile sets permissions that determine what the user can view, edit, and execute within Salesforce, affecting data access and influencing overall system security.
Function of User Profiles
- Access Control: Profiles control access to various tools and features within Salesforce, including which objects and fields users can see and which actions they can perform (e.g., read, create, edit, delete).
- Page Layouts and Field-Level Security: Profiles determine the layout that users see and the fields they can access on that layout, helping ensure that sensitive data is only visible to authorized users.
- Login Hours and IP Ranges: Admins can specify allowable login hours and restrict login attempts to certain IP ranges for each profile, enhancing security by limiting access to the system.
Customizing User Profiles
- Edit Standard Profiles: While extensive changes to standard profiles (e.g., System Administrator, Standard User) are not recommended, they can be adjusted to better suit organizational needs.
- Create Custom Profiles: It is often better to create custom profiles for different types of users within your organization. This practice allows for more tailored access control and minimizes potential security risks by ensuring users only have the permissions necessary for their roles.
Leveraging Permission Sets
Permission sets in Salesforce are additional layers of access control that can be assigned to users on top of their existing profiles. They are designed to extend users’ privileges without altering their base profile.
Difference Between Profiles and Permission Sets
- Profiles: Every user must be assigned a profile; it is their primary access control mechanism. Profiles are comprehensive, affecting many aspects of a user’s access across Salesforce.
- Permission Sets: These are optional and used to grant additional permissions above what the profile provides. They are useful for managing exceptions and special cases without creating numerous custom profiles.
Assigning Permission Sets for Additional Access
- Identify the Need: Determine scenarios where users require more access than their profiles provide. Examples include granting report and dashboard creation rights or access to specific objects and fields.
- Create and Configure: Create a new permission set in Salesforce by navigating to Setup, entering ‘Permission Sets’ in the Quick Find box, and selecting ‘New.’ Add specific permissions that align with the user’s additional needs.
- Assign to Users: Once configured, assign the permission set to individual users as needed. This assignment does not change the user’s profile but supplements it with additional permissions.
Overview of Record-Level Security
Implementing Organization-Wide Defaults (OWD)
Organization-wide defaults (OWDs) are a fundamental aspect of Salesforce’s security model. They set the baseline level of access that users have to records they do not own.
- Purpose of OWD Settings: OWDs are primarily used to lock down data access to the most restrictive level necessary for business operations. This setting ensures that additional access is granted intentionally through more targeted sharing mechanisms.
- Configuring OWD for Different Objects:
To set up OWDs:
- Navigate to Setup, enter ‘Sharing Settings’ in the Quick Find box, then select it.
- Find the object you want to configure and set its default sharing model to either Private, Public Read Only, or Public Read/Write, depending on the required level of access.
Utilizing Roles and Role Hierarchies
Roles and role hierarchies in Salesforce manage and streamline access to records by grouping users into different levels of a hierarchy.
- Defining Roles: Roles define a user’s position within the organization, influencing what records they can access based on the hierarchy. For example, a sales manager might have access to all records owned by sales reps in their team.
- Influencing Record Visibility with Roles: Role hierarchies allow users higher in the hierarchy to access all records owned by users below them in the hierarchy, facilitating access control in line with organizational structure.
Applying Sharing Rules
Sharing rules extend record access beyond the baseline levels set by OWDs, allowing more nuanced data sharing among different user groups.
Types of Sharing Rules
- There are two main types:
- Owner-based Sharing Rules: Allow record access based on who owns the record. For example, all records owned by a sales rep can be shared with their manager.
- Criteria-based Sharing Rules: Allow record access based on record values. For example, all opportunities with a value over $50,000 can be shared with senior sales personnel.
Creating Sharing Rules for Extended Access:
- To create sharing rules:
- Go to Setup and enter ‘Sharing Settings’ in the Quick Find box, then navigate to the appropriate object.
- Click ‘New’ under either Owner-based or Criteria-based Sharing Rules.
- Define the rule by setting the criteria, specifying which users or roles it applies to, and setting the level of access (Read-Only or read-write).
- Save the rule to implement it.
Understanding Field-Level Security and the Audit Trail
Managing Field-Level Security
Field-Level Security (FLS) in Salesforce allows administrators to control access to specific fields even if a user has access to the object containing those fields. This means you can restrict sensitive data at a more granular level.
Restricting Field Access
- To restrict access to certain fields:
- Navigate to Setup, enter ‘Field Accessibility’ in the Quick Find box, and select the object you need to configure.
- Click on ‘View by Profiles’, select a profile, and then adjust the accessibility for each field (Visible or Hidden).
Customizing Field Accessibility for Different Profiles
This feature enables you to set different levels of access for different user profiles. For instance, you might allow sales managers to see revenue figures while hiding this data from sales representatives. Customization ensures that users only access data pertinent to their roles, enhancing data security and compliance.
Utilizing the Audit Trail
The Audit Trail is a Salesforce feature that helps administrators track organizational changes, particularly in the configuration and setup area.
Monitoring Changes with the Audit Trail
The Audit Trail records who made what changes, when these changes were made, and the specific changes over the last six months. Commonly monitored changes include creating new users, changes to security settings, field-level security modifications, and records updates.
- To view the Audit Trail, navigate to Setup, enter ‘View Setup Audit Trail’ in the Quick Find box, and click on it to see the recent setup changes.
Best Practices for Reviewing Audit Logs
- Regular Reviews: Conduct regular reviews of your audit logs to monitor unauthorized changes or patterns that could indicate a security issue.
- Set Alerts: Although Salesforce does not directly allow alerts for audit trail events, consider using third-party monitoring tools that can alert you to specified changes in real-time.
- Maintain Records: Regularly download and archive your audit logs for compliance purposes and to extend the history beyond Salesforce’s six-month limit.
