Uploaded by chinta bhasker

Data Security and Level of Data Access in Salesforce

Data security:
Data security in Salesforce deals with the sharing settings of data and its visibility between users across the organization. Access is controlled at four levels:

1. Organization Level
2. Object Level
3. Field Level
4. Record Level
1.1 User Management In Salesforce
A user is anyone who logs in to Salesforce. Users are typically employees in your organization.
Every user in Salesforce has a user account. A user account contains the following:

USERNAME - Must be unique across all Salesforce organizations (instances), not just within your own org.

User License - Determines which features the user can access in Salesforce. You purchase licenses based on your company's needs.

Profile - Determines what users can do in Salesforce. Profiles should be selected based on a user's job function.

Role - Determines what additional record access a user has in Salesforce based on where they sit in the role hierarchy. Roles are optional, but each user can have only one role assigned.

Q1. Can you delete the user record?


Difference Between Deactivating And Freezing A User

Deactivate a User:
Users cannot be deleted, so to stop a user from logging in to the Salesforce organization, administrators need to deactivate them (edit the user and uncheck the Active checkbox).
Deactivating the user frees up the license assigned to that user, so new users can use the license to access Salesforce platform features.

Freeze a User:
A user cannot be deactivated immediately when that user is selected in a custom hierarchy field. So, to prevent the user from logging in to the organization while administrators perform the steps needed to deactivate them, they can simply freeze that user first. You can freeze a user by clicking the Freeze button on the user record.
Freezing a user does not free the license assigned to the user; you still have to edit the user and deactivate them (uncheck the Active checkbox).
1.2 Managing Password Policies (can be set at both the profile level and the org level)

Password Policies - Set login and password policies, such as minimum password length, the type of password complexity required, and the amount of time before all users' passwords expire.

User Password Resets - Reset the password for specific users.

User Password Expiration - Expire the passwords for all users in your organization after a specific duration, except for users with the "Password Never Expires" permission.

Login Attempts And Lockout Periods - Specifies the number of failed login attempts a user can make before being locked out, and for how long. If a user is locked out due to too many failed login attempts, the administrator can unlock their access.
1.3 Restrict Login Access By IP Address
By default, Salesforce doesn't restrict the location from which users log in. For added security, administrators can restrict login access by IP address at two levels:

Organization Level - The configured range is called the "trusted" IP range. Users who log in from outside it are shown a login challenge (identity verification). If they complete the challenge, typically by entering a verification code sent to their mobile device or email address, login access is granted. This method does not entirely restrict access for users outside the trusted IP range.

Profile Level - Users logging in from outside the permitted IP range set on their profile are always denied access.

Q2. Which is More Restrictive Organization Level or Profile Level?


1.4 Restrict Login Access By Time

Restricting login access by time can be achieved only at the profile level; there is no org-wide setting (an org-level restriction would lock out administrators as well).

For each profile, administrators can specify the hours during which users can log in.

If users are still logged in when their login hours end, they can continue to view their current page, but they can't take any further action.
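The two IP restrictions in 1.3 and the login hours in 1.4 combine into a three-way decision for every login attempt: deny, challenge, or allow. The following is an added example written for this page (not Salesforce code and not part of the original notes) that models that decision with constructed sample policies; the profile names, IP ranges and hours are illustrative assumptions, and treating an address inside the profile's own permitted range as trusted for the challenge decision is a modeling assumption of this example.

```python
import ipaddress
from datetime import datetime

# Constructed sample policies (illustrative values, not taken from any real org).
# Org-level trusted IP ranges: a login from outside them gets an identity-verification challenge.
ORG_TRUSTED_IP_RANGES = [("203.0.113.0", "203.0.113.255")]

# Profile-level settings. Login IP ranges here are absolute: outside them the login is denied.
# login_hours maps weekday (0 = Monday) to (start, end) in minutes from midnight; a weekday
# without an entry allows no login at all, and an empty dict means no time restriction.
PROFILE_POLICIES = {
    "Standard User": {
        "login_ip_ranges": [("198.51.100.10", "198.51.100.20")],
        "login_hours": {day: (8 * 60, 18 * 60) for day in range(5)},  # Mon-Fri 08:00-18:00
    },
    "System Administrator": {"login_ip_ranges": [], "login_hours": {}},
}


def in_ranges(ip, ranges):
    """True if `ip` falls inside any inclusive (start, end) range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in ranges)


def within_login_hours(profile, when_iso):
    """Login-hours check; the same check blocks further actions once a session's hours end."""
    hours = PROFILE_POLICIES[profile]["login_hours"]
    if not hours:
        return True
    when = datetime.fromisoformat(when_iso)
    window = hours.get(when.weekday())
    if window is None:
        return False
    minute = when.hour * 60 + when.minute
    return window[0] <= minute < window[1]


def evaluate_login(profile, ip, when_iso):
    """Return 'deny', 'challenge' or 'allow' for a login attempt at ISO-8601 time `when_iso`."""
    profile_ranges = PROFILE_POLICIES[profile]["login_ip_ranges"]
    # Profile-level restrictions are absolute: outside the permitted range or hours = denied.
    if profile_ranges and not in_ranges(ip, profile_ranges):
        return "deny"
    if not within_login_hours(profile, when_iso):
        return "deny"
    # Org-level restriction only decides whether a challenge is issued. This model also treats
    # an address inside the profile's own permitted range as trusted (an assumption here).
    if in_ranges(ip, ORG_TRUSTED_IP_RANGES) or (profile_ranges and in_ranges(ip, profile_ranges)):
        return "allow"
    return "challenge"
```

Note the ordering: a Standard User logging in from inside the org's trusted range but outside the profile's range is still denied, which is the practical answer to Q2.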

HEALTH CHECK - A dashboard that shows how closely the security settings in your org align with the settings recommended by Salesforce, scored on a scale of 0-100.
2 Object Level Security

2.1 Profile
A profile is a collection of settings and permissions that determine which data and features in the platform users have access to.

It is like a template: whenever we want to create a new profile, we clone a profile that is already provided by Salesforce and then customize it according to our requirements.

PROFILE - USER = 1-many (one profile can have many users)
USER - PROFILE = many-1 (many users share the same profile; each user has exactly one)

A profile controls the following:
Object Permissions (Create, Read, Edit, Delete, View All, Modify All)
Field Permissions
User Permissions
Tab Settings
App Settings
Apex Class Access
Visualforce Page Access
Page Layouts
Record Types
Login Hours
Login IP Ranges
2.2 Permission Sets

Permission sets in Salesforce are additional collections of settings and permissions that determine users' access to various tools and functions on the platform.

Use a permission set to grant additional access to specific users on top of their existing profile permissions, without having to modify an existing profile or create new profiles.

Permission Set Expiration In Salesforce

You can set assignment expiration dates so that permissions granted through a permission set expire automatically. The expiration can be specified as 1 day, 7 days, 30 days, 60 days, or a custom date at the time of the permission set assignment.

An org can have up to 1000 permission sets.


Profiles, Permission Sets & Permission Set Groups

Profile:
Profiles hold the most restrictive (baseline) settings and permissions a user assigned to that profile should have.
A user can have only one profile assigned.
Profiles are restrictive.
Every user must be assigned a profile.

Permission Sets:
Permission sets extend the access settings and permissions provided by the profile.
Users can have more than one permission set.
Permission sets are additive.
It is not mandatory to assign a license to a permission set while creating it, but once a license is assigned it cannot be changed.
Not every user needs to have a permission set.

Permission Set Groups:
Bundling more than one permission set and assigning the bundle to a user is called a permission set group.
You can mute some permissions within a permission set group. The muting applies only to that particular permission set group, not to the others, and it never takes away access granted by the profile or by a directly assigned permission set.
3 Field Level Security
Field-level security in Salesforce controls whether a user can see and edit the value of a particular field on an object's records. Unlike page layouts, which only control the visibility of a field on the detail and edit pages of an object, field-level security governs the visibility of fields in every part of the app, including related lists, list views, reports, search results and the API.

3.1 Restrict Field Access with a Profile

Restrict a user's general access to fields by granting or withholding Read Access and Edit Access on the profile.

3.2 Add Field Access with a Permission Set

Extend a user's field access by granting Read Access or Edit Access in a permission set, on top of what the profile allows (a permission set cannot take field access away).

We can also set field-level security per field, across all profiles at once, from Field Accessibility in Setup.
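Sections 2.2 and 3 describe an additive model: the profile is the baseline, permission sets and permission set groups only add object, field and user permissions, and muting inside a group affects only that group. The following is an added example written for this page (not Salesforce code and not part of the original notes) that computes a user's effective permissions under that model. The permission-string format ("Object:read", "Object.Field:edit", "user:Name"), the dataclass names and the sample permission sets are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PermissionSet:
    """A profile or a permission set: a named bag of permission strings.
    Format (assumption of this model): "Object:read" / "Object:edit" for object access,
    "Object.Field:read" / "Object.Field:edit" for field-level security,
    and "user:<name>" for user permissions such as exporting reports."""
    name: str
    perms: frozenset


def normalize(perms):
    """Edit access implies read access, as for object and field permissions in Salesforce."""
    out = set(perms)
    for p in perms:
        target, _, level = p.rpartition(":")
        if level == "edit":
            out.add(f"{target}:read")
    return frozenset(out)


@dataclass(frozen=True)
class PermissionSetGroup:
    name: str
    permission_sets: tuple
    muted: frozenset = frozenset()   # permissions muted in this group only

    def effective(self):
        combined = set()
        for ps in self.permission_sets:
            combined |= normalize(ps.perms)
        for m in self.muted:
            combined.discard(m)
            target, _, level = m.rpartition(":")
            if level == "read":          # muting read also takes away edit on the same target
                combined.discard(f"{target}:edit")
        return frozenset(combined)


def effective_permissions(profile, permission_sets=(), groups=()):
    """Union of the profile's permissions and everything assigned on top of it.
    Nothing assigned on top can take away what the profile already grants."""
    eff = set(normalize(profile.perms))
    for ps in permission_sets:
        eff |= normalize(ps.perms)
    for g in groups:
        eff |= g.effective()
    return frozenset(eff)


def can(effective, target, level):
    return f"{target}:{level}" in effective


# Constructed sample data (not from any real org).
SALES_REP = PermissionSet("Sales Rep", frozenset({
    "Account:read", "Account.Name:read", "Opportunity:read"}))
EDIT_ACCOUNTS = PermissionSet("Edit Accounts", frozenset({
    "Account:edit", "Account.AnnualRevenue:edit"}))
EXPORT_REPORTS = PermissionSet("Export Reports", frozenset({"user:ExportReport"}))

# The same permission set sits in two groups; only "Sales Ops" mutes editing AnnualRevenue.
# Muting Account.Name:read here has no effect on the user because the profile grants it.
SALES_OPS = PermissionSetGroup("Sales Ops", (EDIT_ACCOUNTS, EXPORT_REPORTS),
                               muted=frozenset({"Account.AnnualRevenue:edit", "Account.Name:read"}))
FINANCE = PermissionSetGroup("Finance", (EDIT_ACCOUNTS,))


def demo():
    ops_user = effective_permissions(SALES_REP, groups=(SALES_OPS,))
    finance_user = effective_permissions(SALES_REP, groups=(FINANCE,))
    plain_user = effective_permissions(SALES_REP)
    return {
        "ops_can_edit_revenue": can(ops_user, "Account.AnnualRevenue", "edit"),
        "ops_can_read_revenue": can(ops_user, "Account.AnnualRevenue", "read"),
        "ops_can_read_name": can(ops_user, "Account.Name", "read"),
        "ops_can_export": can(ops_user, "user", "ExportReport"),
        "finance_can_edit_revenue": can(finance_user, "Account.AnnualRevenue", "edit"),
        "plain_can_edit_account": can(plain_user, "Account", "edit"),
    }
```

The point to take from `demo()` is that the same "Edit Accounts" permission set yields different field access depending on which group it was assigned through, while nothing in a group can remove what the profile granted.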


4 Record Level Security Has 4 Layers
4.1 OWD (Organization-Wide Defaults)
Sets the baseline access for the entire org on a particular object.

OWD should be the most restrictive access level; the other layers can only open access up from there.

There are various levels in OWD:

Public Read/Write: This setting allows all users to view and edit all records of the object.

Public Read Only: This setting allows all users to view all records of the object, but only the owner (and users granted access through the other layers) can edit them.

Private: This setting restricts access to the record owner and users with appropriate sharing permissions.

If OWD is set to Public Read/Write, then there is no use for the other layers of record-level security on that object.
4.2 Role Hierarchy
The role hierarchy is a representation of the reporting relationships among users or employees in your Salesforce organization.

If Grant Access Using Hierarchies is enabled, then a Managing Director is able to see all records owned by the users under them in the role hierarchy.

If you don't want to share records through the role hierarchy, you can uncheck Grant Access Using Hierarchies in Sharing Settings. This option can only be turned off for custom objects; for standard objects it is always on.
4.3 Sharing Rules
Sharing rules are of two kinds: owner based and criteria based.

When records fall under some criteria (or are owned by a certain set of users), you can share them automatically with sharing rules.

With sharing rules you cannot restrict the access already provided by OWD and the role hierarchy; they only open access up.

With sharing rules you can share records with Public Groups, Roles, and Roles & Subordinates.

If a user received access to a record through a sharing rule, that user cannot delete the record: sharing rules grant Read Only or Read/Write access, never delete.

Public Groups - We can group users irrespective of roles and profiles, and use these groups in sharing rules.
4.4 Manual Sharing
In order to share a single record, or a record that doesn't fall under any sharing rule criteria, we can use Manual Sharing. Simply click the Sharing button on the detail page of the particular record.

Who Can Share a Record?

Anyone who has Full Access to the record can follow these sharing steps. This includes system administrators, the record owner, anyone above the record owner in the role hierarchy, and anyone who has been granted Full Access via sharing.

Who Can I Share With?

You can share a record with any user who has, as a minimum, Read permission on that object.
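Sections 4.1 to 4.4 describe four layers that are combined by taking the most permissive grant: OWD sets the baseline, the role hierarchy gives users above the owner the owner's access, sharing rules and manual shares open records up further, and none of them can take access away (while object permissions, including View All and Modify All from the Quick Look Back, still gate everything). The following is an added example written for this page (not Salesforce code and not part of the original notes) that evaluates a user's access to a record under those rules. Modeling assumptions: role-hierarchy access is treated as owner-equivalent ("Full"), a sharing rule grants at most "Edit", and the roles, users, records and sharing rule in `build_sample_org()` are constructed sample data.

```python
from dataclasses import dataclass, field

LEVELS = {"None": 0, "Read": 1, "Edit": 2, "Full": 3}   # Full = owner-equivalent access
OWD_ACCESS = {"Private": "None", "Public Read Only": "Read", "Public Read/Write": "Edit"}

@dataclass
class User:
    name: str
    role: object        # role name, or None for a user outside the hierarchy
    object_perms: dict  # object -> subset of {"read", "edit", "delete", "view_all", "modify_all"}

@dataclass
class Record:
    id: str
    obj: str
    owner: str
    fields: dict

@dataclass
class SharingRule:
    obj: str
    access: str               # "Read" or "Edit": a sharing rule never grants delete
    shared_to: tuple          # ("group" | "role" | "roleAndSubordinates", name)
    owned_by: object = None   # owner-based rule: same tuple shape, matched against the owner
    criteria: object = None   # criteria-based rule: {field: required value}

@dataclass
class Org:
    owd: dict                  # object -> OWD setting
    grant_via_hierarchy: dict  # object -> "Grant Access Using Hierarchies" flag
    role_parent: dict          # role -> parent role (None at the top)
    groups: dict               # public group -> set of user names
    users: dict                # name -> User
    rules: list
    manual_shares: dict = field(default_factory=dict)  # record id -> {user: "Read" | "Edit"}

    def role_is_or_above(self, role, below):
        """True if `role` equals `below` or sits anywhere above it in the hierarchy."""
        while below is not None:
            if below == role:
                return True
            below = self.role_parent[below]
        return False

    def matches(self, user, target):
        kind, name = target
        if kind == "role":
            return user.role == name
        if kind == "roleAndSubordinates":
            return self.role_is_or_above(name, user.role)
        return user.name in self.groups[name]         # "group"

    def record_access(self, user, rec):
        """Highest access any layer grants: a layer can add access, never remove it."""
        perms = user.object_perms.get(rec.obj, set())
        if "read" not in perms:                        # object permission is the gate
            return "None"
        owner = self.users[rec.owner]
        grants = [OWD_ACCESS[self.owd[rec.obj]]]       # 1. org-wide default is the baseline
        if user.name == rec.owner or "modify_all" in perms:
            grants.append("Full")
        if "view_all" in perms:
            grants.append("Read")
        if (self.grant_via_hierarchy[rec.obj] and user.role != owner.role
                and self.role_is_or_above(user.role, owner.role)):
            grants.append("Full")                      # 2. role hierarchy (owner-equivalent)
        for rule in self.rules:                        # 3. sharing rules
            if rule.obj != rec.obj or not self.matches(user, rule.shared_to):
                continue
            if rule.owned_by and not self.matches(owner, rule.owned_by):
                continue
            if rule.criteria and any(rec.fields.get(k) != v for k, v in rule.criteria.items()):
                continue
            grants.append(rule.access)
        grants.append(self.manual_shares.get(rec.id, {}).get(user.name, "None"))  # 4. manual
        level = max(grants, key=LEVELS.get)
        if level != "None" and "edit" not in perms:    # object permissions cap record access
            level = "Read"
        return level

    def can_delete(self, user, rec):
        return self.record_access(user, rec) == "Full" and "delete" in user.object_perms.get(rec.obj, ())

def build_sample_org():
    """Constructed sample org (not real data): one Account object, OWD Private."""
    crud = {"read", "edit", "delete"}
    users = {n: User(n, r, {"Account": set(p)}) for n, r, p in [
        ("alice", "Sales Rep", crud), ("dave", "Sales Rep", crud), ("bob", "VP Sales", crud),
        ("carol", "Support Agent", {"read", "edit"}), ("erin", None, crud | {"modify_all"})]}
    org = Org(
        owd={"Account": "Private"}, grant_via_hierarchy={"Account": True},
        role_parent={"CEO": None, "VP Sales": "CEO", "Sales Rep": "VP Sales", "Support Agent": "CEO"},
        groups={"Support Team": {"carol"}}, users=users,
        rules=[SharingRule("Account", "Read", ("group", "Support Team"), criteria={"Industry": "Banking"})],
        manual_shares={"001A": {"dave": "Edit"}})
    records = {"001A": Record("001A", "Account", "alice", {"Industry": "Banking"}),
               "001B": Record("001B", "Account", "alice", {"Industry": "Retail"})}
    return org, records
```

Flip `org.owd["Account"]` to "Public Read/Write" and every user with object Edit gets Edit on both records regardless of hierarchy, rules or manual shares, which is the reason the notes call OWD the layer that should be set most restrictively. Turning `grant_via_hierarchy["Account"]` off removes bob's access to alice's records while leaving the sharing rule and manual share intact.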
Quick Look Back
1. Can we have more than one admin for an org? Yes.

2. Which two object permissions make the admin powerful? View All and Modify All.

3. If a user does not have access to a specific record type, will they be able to see records that have that record type? Yes. Record type access controls only which record types a user can pick when creating or editing records in the UI, not which existing records they can see; that is decided by object permissions and sharing.

4. The OWD setting Public Read/Write/Transfer is only applicable to which objects? Lead and Case, as it allows users to transfer their leads or cases to someone else.

Answers for the questions in the slides

Q1. You cannot delete a user record, as deleting a user could result in orphaned records and the loss of critical business information.
Q2. The profile level is more restrictive: users outside the profile's login IP range are denied outright, whereas the org-level trusted IP range only triggers a login challenge.
