Before talking about how objects are accessed, it is essential to go through the Salesforce access model in general.
This model consists of the following levels: organization level, object level, record level, and field level. This means that, if a user needs access to the Salary field of some record of the Employee object, this user should have:
- Access to log in to the organization
- At least read-only access to the Employee object
- At least read-only access to the target record within the Employee object
- At least read-only access to the Salary field
In this piece, we will focus on access at the second level - namely, to the object.
Security at the object level is a simple way to control which users have the right to access specific data. This access is enforced by the platform itself. By configuring an object’s permissions, you can prevent a certain group of users from creating, editing, deleting, or viewing any instance of that object type. For instance, you can use object permissions to allow Sales team members to view and edit products, but not delete them.
Object permissions define which types of records can be viewed, created, edited, or deleted by a user. Please note that we are talking about the record type, not specific records. To understand this better, draw a parallel with a driver’s license: it defines the type of vehicle a person is qualified to drive (car, truck, motorcycle), but not the specific car (Dodge, Chevrolet, etc.).
Let’s take a closer look at the permissions that define the object’s access level.
- Read: Provides read-only rights to view an object; respects sharing
- Create: Grants the rights to read and create records of the given object; respects sharing
- Edit: Grants the rights to view and edit records; respects sharing
- Delete: Grants the rights to view, edit, and delete records; respects sharing
- View All: Grants the rights to view all the records of the given object, regardless of the sharing access parameters; overrides sharing
- Modify All: Grants the rights to view, edit, delete, transfer, and change the ownership of all the object’s records, regardless of the sharing access parameters; overrides sharing.
As you can see, the Create, Read, Edit, and Delete settings respect the sharing rules for records (which are defined at the record level). Meanwhile, two permissions override sharing - View All and Modify All. This means that users with these permissions are granted access to all records of the selected object in the organization.
Setting object permissions
There are two ways to set the access to the object:
- Use profiles
- Use permission sets
Profiles specify the objects that users can access, along with these objects’ permissions: Create, Read, Edit, and Delete. Apart from profiles, you can use permission sets to grant permissions and access to objects.
The main difference between profiles and permission sets is that a user can only have one profile, but can have multiple permission sets assigned. This means that profiles should be used to provide a minimal set of permissions to users of a certain type. Later on, you can use permission sets to grant extra permissions to some users without having to change their profile.
A profile is a collection of settings and permissions that define which data and which features of the Salesforce platform a user can access.
- The settings define what a user can see (for instance, tabs, applications, Record Types)
- The permissions define what a user can do (for example, create or edit a certain type of records, launch reports, adjust the applications, etc.)
Standard and Custom profiles
The Salesforce platform provides a set of standard profiles.
Each standard profile includes a set of permissions for all the standard objects. For instance, a Standard User can create and edit the records, while a Read Only User can only view the records. The System Administrator profile has the widest level of data access, along with the option to set the Salesforce organization up. This profile also includes the specific ‘Modify All Data’ and ‘View All Data’ permissions. These permissions override all sharing rules and settings. That is why you should be careful when granting these permissions to other profiles (which are not System Administrators).
You cannot change the permissions for a standard profile. Nonetheless, any standard profile can be cloned to create a custom profile. In this custom profile, you can then adjust the permission settings the way you need. If you already have a user with a standard profile assigned, the permissions for this user can be extended by creating and assigning them a permission set.
You can find the list of all the standard and custom profiles in ‘Setup->Manage Users->Profiles’.
Once you have selected the necessary profile from the list, you can go to the View Profile page, on which you will get all the information about the profile settings, and its objects’ permissions.
You can create the new profile by navigating to ‘Setup->Manage Users->Profiles’.
There are two ways to create a new profile:
- Select ‘New Profile’ to create a profile from scratch
- Clone one of the existing profiles. This is really handy when you already have a profile with similar permission settings. In this case, you can clone the existing profile, and change some of its settings according to your needs.
Once you have created a profile and configured the permissions for its objects, this profile should be assigned to the specific users, as the profile per se is nearly useless.
You can do so in two ways:
- On the User Edit page: please select the user in ‘Setup->Manage Users’, then choose ‘Edit’, and specify the profile you would like to assign to this user.
- On the View Profile page: please click ‘View Users’. This way is convenient when you need to assign a certain profile to several users at once, when creating new users.
We have already examined the ways you can assign the necessary object permissions to various user groups using profiles.
Now let’s imagine there is some Sales organization in which users can only view, create, and edit records of the Product object. And yet, we need to provide the user John Smith with the option to delete the Products that are no longer used. Changing the entire profile of this user is a bad idea, as this will also impact the other users who share the same profile.
Creating a new profile with different permissions is an option; however, it is not really convenient - or viable - as this is but a temporary measure.
That is where permission sets come in handy. These sets allow you to provide specific users with extra permissions for objects, without having to make any changes to their profile. Using permission sets, you can grant App, tab, user, object, field, service provider, Apex class, and Visualforce permissions.
Some settings are only available in profiles and are not present in permission sets - such as Page Layouts, IP ranges, Login Hours, and Desktop Client access. However, most settings (such as App Permissions, Record Types, Tab settings, and most importantly for us, Object Permissions and Field Level Security) are available both in profiles and permission sets.
You can create up to 1000 permission sets in an organization.
A user’s object permissions consist of the permissions set in their profile, plus the permissions from all the permission sets assigned to the user.
For instance, if the user’s profile grants Read and Create on the Lead object, and they have a permission set granting Read and Edit assigned to them, along with a permission set that grants Read, Edit, and Delete - this user will be able to view, create, edit, and delete records of the Lead object.
A user can have several permission sets assigned to them, but they can only have one profile.
Permission sets can only grant extra permissions for an object, extending those provided at the profile level. Permission sets cannot revoke permissions that were granted in the user’s profile. You can only remove a permission by removing it from the profile, or by deleting the permission set.
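The permission semantics above (the implications between Read, Create, Edit, Delete, View All and Modify All; which ones override sharing) and the union rule for a profile plus its permission sets, as an added example that is not Salesforce’s own code. The permission names follow the page; the data shapes, the sample profile and the sample permission sets are my own constructed assumptions.

```python
from typing import Dict, Iterable, List, Set

ObjectPerms = Dict[str, Set[str]]  # object name -> permissions granted on it

# Which permissions each one implies, as described on the page. "Modify All"
# also implies "View All" because it grants view access to every record.
IMPLIES: Dict[str, Set[str]] = {
    "Read": set(),
    "Create": {"Read"},
    "Edit": {"Read"},
    "Delete": {"Read", "Edit"},
    "View All": {"Read"},
    "Modify All": {"Read", "Edit", "Delete", "View All"},
}
OVERRIDES_SHARING = {"View All", "Modify All"}


def expand(perms: Iterable[str]) -> Set[str]:
    """Close a set of object permissions under the implication rules above."""
    result: Set[str] = set()
    pending = list(perms)
    while pending:
        p = pending.pop()
        if p not in IMPLIES:
            raise ValueError(f"unknown object permission: {p}")
        if p not in result:
            result.add(p)
            pending.extend(IMPLIES[p])
    return result


def effective_permissions(profile: ObjectPerms, permission_sets: Iterable[ObjectPerms]) -> ObjectPerms:
    """Union the profile's object permissions with every assigned permission set.
    Permission sets can only add permissions; nothing here ever removes one."""
    effective: ObjectPerms = {obj: expand(p) for obj, p in profile.items()}
    for pset in permission_sets:
        for obj, perms in pset.items():
            effective.setdefault(obj, set()).update(expand(perms))
    return effective


def overrides_sharing(perms: Set[str]) -> bool:
    """True when record-level sharing no longer limits which records the user sees."""
    return bool(perms & OVERRIDES_SHARING)


# Constructed scenario from the page: the Sales profile grants Read + Create on Lead and
# Read + Create + Edit on Product; two permission sets add Read + Edit and Read + Edit + Delete on Lead.
SALES_PROFILE: ObjectPerms = {"Lead": {"Read", "Create"}, "Product": {"Read", "Create", "Edit"}}
LEAD_PERMISSION_SETS: List[ObjectPerms] = [{"Lead": {"Read", "Edit"}}, {"Lead": {"Read", "Edit", "Delete"}}]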
Permission Sets Management
To view the list of the permission sets, please go to ‘Setup->Manage Users->Permission Sets’.
To open the page that allows you to view a permission set and its settings, you first need to choose the permission set from the list. On the following page, you will be able to view and edit the settings for the permission sets.
On the ‘View Permission Set’ page you can also do the following:
- Clone the permission set
- Delete the permission set
- Assign the permission set to certain users (‘Manage Assignments’ button)
Creating and Assigning Permission Sets
To provide a user with extra permissions for an object, go through the following steps:
- Create a new permission set, or clone an existing one:
  - Choose ‘New’ to create a permission set that does not feature any pre-built permissions
  - Choose ‘Clone’ to create a permission set based on an existing one
- Set up CRED permissions for the objects according to the requirements
- Assign the permission set to the necessary users, which can be done in two ways:
  - By using the related list on the user record
  - By using the ‘Assigned Users’ button on the ‘View Permission Set’ page
View All Data and Modify All Data system permissions
Apart from View All and Modify All permissions for a certain object, there are also View All Data and Modify All Data permissions.
View All Data and Modify All Data provide full access to all objects in the organization. This option is essential for administrators, as it allows them to manage all data in the organization - for instance, bulk deleting or transferring records, deleting duplicates, etc.
You can find this option in the profile (or the Permission Set), in the System Permission section.
Key takeaways concerning the access to objects
- The access to the objects is set in the profiles and permission sets
- Objects’ permissions include: Create, Read, Edit, Delete
- A user can only have one profile, but they can still have multiple permission sets
- Object permissions for a user consist of the permissions in their profile, plus the permissions granted by all the permission sets assigned to the user
- The profiles are used to provide minimal permissions for accessing the objects
- Permission sets can only extend the permissions provided in the profile, and cannot revoke them.