Control Access to Fields
Learning Objectives
After completing this unit, you’ll be able to:
- List reasons to limit access to specific fields.
- Manage field permissions in permission sets.
Modify Field Permissions
Defining field-level security for sensitive fields is the second piece of the security and access puzzle, after controlling object-level access.
In some cases, you want users to have access to an object, but limit their access to individual fields in that object. Field permissions—or field-level security—control whether a user can see and edit the value for a particular field on an object. These are the settings that allow us to protect sensitive fields such as a candidate’s social security number without having to hide the candidate object.
Unlike page layouts, which only control the visibility of fields on detail and edit pages, field permissions control the visibility of fields in any part of the app, including related lists, list views, reports, and search results. In fact, to make absolutely sure that a user can’t access a particular field, it’s important to use the field permissions for a given object to restrict access to the field. There are simply no other shortcuts that provide the same level of protection for a particular field.
For example, here are some field-level security settings you can set for the example Recruiting app.
- Position object—hide minimum and maximum bonus from standard employees and interviewers.
- Candidate object—hide social security numbers from hiring managers and interviewers.
- Job Application object—make the Position and Candidate lookup fields read-only for hiring managers.
Field settings can be applied either by modifying profiles or permission sets, or from the Field Accessibility menu in Setup. Like object permissions, we recommend that you use permission sets and permission set groups to manage field permissions.
After setting field-level security for users, you can:
- Create page layouts to organize the fields on detail and edit pages.
- Verify users’ access to fields by checking the field accessibility.
- Customize search layouts to set the fields that display in search results, in lookup dialog search results, and in the key lists on tab home pages.
Set Field Permissions in a Permission Set
Let’s look at how field permissions can be applied by modifying permission sets. You want to make sure the right fields in your objects are available to the users who need them.
Going back to the Recruiting app example, set up your interviewers to update the candidate record after they interview a candidate. You create a new permission set, and set both the object and field permissions this time.
- From Setup, in the Quick Find box, search for and select Permission Sets.
- Click New.
- Enter your permission set’s label and description. Name this one Update Candidate Records.
- For the license, select –None–.
- Click Save.
- In the Find Settings box, search for and select Candidates, then click Edit.
- Under Object Permissions, enable the Read permission.
- Under Field Permissions, enable the required field permissions.
- Click Save.
Enable your interviewers to both read and change the values of the Apex and C# checkboxes. Then they can check or uncheck those boxes when they determine the candidate’s command of those skills. Prevent them from changing the Hire By date or the name of the hiring manager, but allow them to see that information. They also certainly don’t need to see the candidate’s SSN, email, or phone number, so you don’t grant Read or Edit access for those fields.
Great job! You can now add this permission set to a permission set group, or assign it directly to users.
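The following is an added example, not part of the original unit: a check that the field access a user ends up with matches the interviewer access described above. It relies on grants from several permission sets combining additively and treats a missing row as no access. The field API names, the `Recruiting_Reports` permission set, and the sample rows (shaped like flattened `FieldPermissions` query results) are constructed assumptions.

```python
# Added example (not Trailhead's code). Field API names and rows are constructed.

# Intended interviewer access from the text: field -> (read, edit)
POLICY = {
    "Candidate__c.Apex__c": (True, True),
    "Candidate__c.C_Sharp__c": (True, True),
    "Candidate__c.Hire_By__c": (True, False),
    "Candidate__c.Hiring_Manager__c": (True, False),
    "Candidate__c.SSN__c": (False, False),
    "Candidate__c.Email__c": (False, False),
    "Candidate__c.Phone__c": (False, False),
}

def row(parent, field, read, edit):
    """Build a row shaped like a flattened FieldPermissions query result."""
    return {"Parent": parent, "Field": field,
            "PermissionsRead": read, "PermissionsEdit": edit}

# Constructed sample data: the permission set from the text, plus a second
# hypothetical set that exposes more than interviewers should have.
ROWS = [
    row("Update_Candidate_Records", "Candidate__c.Apex__c", True, True),
    row("Update_Candidate_Records", "Candidate__c.C_Sharp__c", True, True),
    row("Update_Candidate_Records", "Candidate__c.Hire_By__c", True, False),
    row("Update_Candidate_Records", "Candidate__c.Hiring_Manager__c", True, False),
    row("Recruiting_Reports", "Candidate__c.SSN__c", True, False),
    row("Recruiting_Reports", "Candidate__c.Hire_By__c", True, True),
]

def effective_access(rows, assigned):
    """Union of read/edit grants across the permission sets a user holds."""
    access = {}
    for r in rows:
        if r["Parent"] in assigned:
            read, edit = access.get(r["Field"], (False, False))
            access[r["Field"]] = (read or r["PermissionsRead"],
                                  edit or r["PermissionsEdit"])
    return access

def audit(rows, assigned, policy=POLICY):
    """Return (field, problem) pairs where effective access differs from policy."""
    access = effective_access(rows, assigned)
    findings = []
    for field, want in sorted(policy.items()):
        got = access.get(field, (False, False))  # no row means no access
        for kind, g, w in zip(("read", "edit"), got, want):
            if g != w:
                findings.append((field, ("unexpected " if g else "missing ") + kind))
    return findings
```

Run against an export of your own field permissions, a non-empty result from `audit` points at the permission set combination that widens or narrows access beyond what was intended.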
Set Field Permissions for Multiple Permission Sets
What if you want to update field permissions for multiple permission sets? For example, you create a new field on an object, and want to enable field permissions in the relevant permission sets. Or, you’re making access updates for existing fields across all your permission sets. As you can imagine, it can take a while to edit many permission sets individually. Instead, you can make these changes in one go.
- From Setup, in the Quick Find box, search for and select User Management Settings.
- Enable Field-Level Security for Permission Sets during Field Creation if it isn’t already enabled.
- In Object Manager, select Candidate.
- Click Fields & Relationships, and then select Job Category.
- Click Set Field-Level Security.
- For the available custom permission sets, update the field permissions. You can select Permission sets with object permissions so that you only see permission sets that have Create, Read, Edit, or Delete access on categories.
- Click Save.
You defined field-level security for sensitive data. For the final piece, specify the individual records each user needs access to. By combining security controls at all three levels, you can set up a highly secure data access model that’s flexible enough to meet the needs of many different types of users.
Resources
- Salesforce Help: Field Permissions
- Salesforce Help: Set Field-Level Security for a Field on All Permission Sets
- Salesforce Help: Set Field Permissions in Permission Sets and Profiles