
Control What Your Users Can Access

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the different levels of controlling data access at Salesforce.
  • Create permission sets and permission set groups.
  • Set organization-wide default sharing settings.

Introduction to Data Security

Now that you know how to add users, you probably want to know how to ensure they can see what they need to see and only what they need to see. In this unit, you learn how to configure your users’ access to your Salesforce records, so they can access only the information they need.

Salesforce includes simple-to-configure security controls that make it easy to specify which users can view, create, edit, or delete any record or field in the app. You can configure access at the level of the organization, objects, fields, or individual records. By combining security controls at different levels, you can provide just the right level of data access to thousands of users without having to specify permissions for each user individually.

In this unit, we cover the levels of data access and some of the available features for managing object, record, and field access. But we’re only scratching the surface here. For more info and hands-on practice with controlling access to data, check out Data Security.

Levels of Data Access

You can configure access to data in Salesforce at four main levels.

Organization

At the highest level, you can secure access to your organization by maintaining a list of authorized users, setting password policies, and limiting login access to certain hours and certain locations.

Objects

Object-level security provides the simplest way to control which users have access to which data. By setting permissions on a particular type of object, you can prevent a group of users from creating, viewing, editing, or deleting any records of that object. For example, you can use object permissions to ensure interviewers can view positions and job applications but not edit or delete them. We recommend you use permission sets and permission set groups to configure object permissions.

Fields

Field-level security restricts access to certain fields, even for objects a user has access to. For example, you can make the salary field in a position object invisible to interviewers but visible to hiring managers and recruiters. Field permissions are also configured in permission sets.

Records

To control data with greater precision, you can allow particular users to view an object, but then restrict the individual object records they're allowed to see. For example, record-level access allows interviewers to see and edit their own reviews, without exposing the reviews of other interviewers. You set the default level of access that users have to each other’s records using organization-wide defaults. Then, you can use the role hierarchy, sharing rules, manual sharing, and other sharing features to open up access to records.

Let’s take a closer look at two features used to configure data access: permission sets and organization-wide defaults.

Permission Sets

Permission sets are collections of settings and permissions that determine what users can do in Salesforce. Use permission sets to grant access to objects, fields, tabs, and other features and extend users’ access without changing their profiles.

What’s so great about permission sets? Because you can reuse smaller permission set building blocks, you can avoid creating dozens or even hundreds of profiles for each user and job function. That’s why we recommend you assign users the Minimum Access - Salesforce profiles, and then use permission sets and permission set groups to manage your users’ access.

When you create permission sets, include all permissions necessary for a job or task.

Create a Permission Set

Let’s give creating a permission set a try.

  1. From Setup, in the Quick Find box, enter Permission Sets, and then select Permission Sets.
  2. Click New.
  3. Enter your permission set’s label and description.
  4. Optionally, you can select whether only users with certain licenses are assigned this permission set.
  5. Click Save.

The permission set’s overview page includes sections for all the permissions and settings available to be configured. We’ll enable object, field, and user permissions.

  1. Click Object Settings and select an object. (Or, to jump directly to an object, search for it in the Find Settings… box.)
  2. Click Edit. From this page, you can enable object permissions and field permissions you want users assigned to this permission set to have. After you make your edits, click Save.
  3. Click the Permission Set Overview link to return to this page.
  4. User permissions are located in the App Permissions and System Permissions sections. For our purposes, click App Permissions.
  5. Click Edit. To enable a user permission, select the permission’s checkbox, and then click Save.

Nice! You created and set permissions in a permission set. You can directly assign the permission set to users now…but we have a better way! We’ll first create a permission set group that includes the permission set so we can manage our users’ permissions more easily.

Permission Set Groups

Permission set groups are exactly what they sound like—groups of permission sets. Use permission set groups to bundle permission sets together based on a job persona or role. You can then assign a permission set group to users, rather than keep track of multiple permission set assignments. Users assigned a permission set group receive the combined permissions of all the permission sets in the group.

What makes permission set groups so powerful is that you can include a permission set in more than one permission set group. And you can mute specific permissions within a permission set group so the assigned users don’t have those permissions.

When you put all these capabilities together, you can get efficient about your reuse of permission sets. You can ensure your users have only the permissions they need for their jobs without needing to clone dozens (or hundreds!) of profiles to achieve the same setup.

Like the rest of the data security features we’ve mentioned, we’re only touching on permission set groups here. To learn more, you can check out Permission Set Groups.

Create a Permission Set Group and Mute a Permission

To create a permission set group:

  1. From Setup, in the Quick Find box, enter Permission Set Groups, and then select Permission Set Groups.
  2. Click New Permission Set Group.
  3. Enter your permission set group’s label and description. Click Save.
  4. On the overview page, click Permission Sets in Group. Click Add Permission Set, then select the permission sets you want to be included in this permission set group. Click Add, then click Done.

To mute a permission in the permission set group:

  1. On the permission set group’s overview page, click Muting Permission Set in Group.
  2. Click New. Leave the muting permission set’s name as is, then click Save.
  3. Click the name of your muting permission set.
  4. Jump to objects or permissions directly using the Find Settings… box. Or, navigate to the section that contains the permissions you want to mute.
  5. Click Edit and select the checkbox for the permissions in the Muted column. Then, click Save.

Almost done! Your last step is to assign the permission set group to your users:

  1. On the permission set group’s overview page, click Manage Assignments and then Add Assignments.
  2. Select the users to assign the group, and then click Next.
  3. Optionally, select an expiration date for the user assignment. This option can be useful if you want users to be assigned the permission set group temporarily.
  4. Click Assign.
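
The sketch below is an added example, not Salesforce code: it models how a permission set group resolves to the combined permissions of its permission sets minus the group's muted permissions, and checks the result against what a persona needs. All permission set, group, and object names are constructed for illustration.

```python
# Added example: simplified model of permission set groups, not Salesforce code.
# All permission set, group, and object names below are constructed.

# Each permission set is a reusable building block of (object, action) pairs.
PERMISSION_SETS = {
    "Recruiting_Read": {("Position", "read"), ("Job Application", "read")},
    "Recruiting_Manage": {("Position", "create"), ("Position", "edit"),
                          ("Position", "delete")},
    "Review_Author": {("Review", "read"), ("Review", "create"), ("Review", "edit")},
}

# A group bundles permission sets for a persona and can mute individual permissions.
GROUPS = {
    "Interviewer": {"sets": ["Recruiting_Read", "Review_Author"], "muted": set()},
    "Hiring_Manager": {
        "sets": ["Recruiting_Read", "Recruiting_Manage", "Review_Author"],
        "muted": {("Position", "delete")},
    },
}


def effective_permissions(group_name):
    """Union of every permission set in the group, minus the group's muted permissions."""
    group = GROUPS[group_name]
    combined = set()
    for set_name in group["sets"]:
        combined |= PERMISSION_SETS[set_name]
    return combined - group["muted"]


def least_privilege_gaps(group_name, required):
    """Compare a group's effective permissions with what the persona needs."""
    granted = effective_permissions(group_name)
    return {"excess": granted - required, "missing": required - granted}


if __name__ == "__main__":
    interviewer_needs = {("Position", "read"), ("Job Application", "read"),
                         ("Review", "read"), ("Review", "create"), ("Review", "edit")}
    print(sorted(effective_permissions("Hiring_Manager")))
    print(least_privilege_gaps("Interviewer", interviewer_needs))
```

Muting changes only the group's result: the Recruiting_Manage permission set itself still contains the delete permission and can be reused unmuted in another group.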

Organization-Wide Sharing Defaults

You can control data access with greater precision by allowing particular users to view an object, but then restricting the individual records within the object they’re allowed to see. As we mentioned earlier, you use organization-wide defaults to specify the baseline level of access users have to records they don’t own.

You can determine the organization-wide defaults by answering the following questions for each object.

  1. Who is the most restricted user of this object?
  2. Is there ever going to be an instance of this object that this user shouldn't be allowed to see?
  3. Is there ever going to be an instance of this object that this user shouldn’t be allowed to edit?
    [Figure: A diagram for determining the sharing model for objects.]

Based on your answers to these questions, you can set the sharing model for that object to one of the following settings.

  • Private: Only the record owner, and users above that role in the hierarchy, can view, edit, and report on those records.
  • Public Read Only: All users can view and report on records but not edit them. Only the owner, and users above that role in the hierarchy, can edit those records.
  • Public Read/Write: All users can view, edit, and report on all records.
  • Controlled by Parent: A user can perform an action (such as view, edit, or delete) on a record based on whether he or she can perform that same action on the record associated with it.

If you set the organization-wide sharing setting for an object as Private or Public Read Only, you can grant users more access to records by setting up a role hierarchy, defining sharing rules, or using other sharing features. You can only use these features to grant more access—they can’t be used to restrict access to records beyond what was originally specified with the organization-wide sharing defaults.
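
The following added example (a simplified model, not Salesforce code) turns the questions above into a default and then evaluates record access, showing that the role hierarchy and sharing can only raise access above the organization-wide default. The mapping from answers to a setting is an assumption, since the diagram is not reproduced here; the users, roles, and function names are constructed, and Controlled by Parent is left out.

```python
# Added example: simplified model of record access, not Salesforce code.
NONE, READ, EDIT = 0, 1, 2
OWD_BASELINE = {"Private": NONE, "Public Read Only": READ, "Public Read/Write": EDIT}


def choose_owd(some_records_must_be_hidden, some_records_must_not_be_edited):
    """Assumed mapping from the questions about the most restricted user to a default."""
    if some_records_must_be_hidden:
        return "Private"
    if some_records_must_not_be_edited:
        return "Public Read Only"
    return "Public Read/Write"


def is_above(role, other_role, parent_of):
    """True if `role` is an ancestor of `other_role` in the role hierarchy."""
    current = parent_of.get(other_role)
    while current is not None:
        if current == role:
            return True
        current = parent_of.get(current)
    return False


def record_access(user, owner, owd, role_of, parent_of, shared=NONE):
    """Highest access from the default, ownership, hierarchy, and any sharing grant."""
    level = OWD_BASELINE[owd]
    if user == owner or is_above(role_of[user], role_of[owner], parent_of):
        level = EDIT  # owner, or a user above the owner's role
    return max(level, shared)  # sharing widens access, never narrows it


# Constructed sample: two interviewers report to a hiring manager.
PARENT_OF = {"Interviewer": "Hiring Manager", "Hiring Manager": None}
ROLE_OF = {"ana": "Interviewer", "ben": "Interviewer", "mia": "Hiring Manager"}

if __name__ == "__main__":
    owd = choose_owd(True, True)  # reviews by other interviewers must stay hidden
    for user in ("ana", "ben", "mia"):
        print(user, record_access(user, "ana", owd, ROLE_OF, PARENT_OF))
```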

Set Organization-Wide Sharing Defaults

Now that you know about organization-wide defaults, you’re ready to set some.

  1. From Setup, in the Quick Find box, enter Sharing Settings, and then select Sharing Settings.
  2. Click Edit in the Organization-Wide Defaults area.
  3. For each object, in the Default Internal Access column, select the default access you want to use.
  4. To allow employees at higher levels in the role hierarchy to access records automatically, select Grant Access Using Hierarchies for any custom object that doesn’t have default access of Controlled by Parent.

You learned the basics of controlling data access at Salesforce and even got some hands-on practice configuring features that control object, field, and record access. To dive deeper into setting up access for your users, remember to check out Data Security.
