sharing and security in salesforce

Sharing & Security Salesforce.com

Upload: saurabh-kulkarni

Post on 16-Jul-2015


Page 1: Sharing and security in Salesforce

Sharing & Security Salesforce.com

Why Cloud…??

• Brings down computing costs in the organization.

• Freedom to access data anywhere, from any device (mobiles, tablets, computers, etc.).

• Centralized and agile.

• More Secure than a scattered network.

• No headache of maintaining servers.

Sharing & Security Importance

• First of all, it is important to know who is actually going to be using the app.

• How much access they should have to the data.

• Otherwise the app will expose sensitive information.

• So the security controls should be configured, and the access should be defined.

Controlling Access To Objects

Application access can be controlled in two ways, each of which is a collection of settings and permissions:

• Profile: A mandatory field on the user that provides the settings and permissions used for data access.

• Permission Sets: A non-mandatory field that provides extra access to objects, fields, etc.

Profiles

What controls a Profile holds:

• Object Permission

• Field permissions (Field-level security)

• User permissions

• Tab settings

• App settings

• Apex class access

• Visualforce page access

• Page layouts

• Record types

• Login hours

• Login IP ranges

Standard Profiles

• Read Only

• Standard User

• Marketing User

• Contract Manager

• Solution Manager

• System Administrator

When you create a new profile, you are asked to refer to an existing profile or make a clone of it.

Permission Sets

What controls a Permission set holds:

• Object permissions

• Field permissions (Field-level security)

• User permissions

• Tab settings

• App settings

• Apex class access

• Visualforce page access

License Concept behind the User, Profiles & Permission sets

• When creating a user, a profile or a permission set, the license must be specified.

• Each license comes with certain access that is provided along with it.

• The license of a user should match the permission set we are applying to it.

• The licenses of a user, its profile and the permission set being assigned to it are the same.

Comparing Profiles & Permission Sets

• A user can have only one profile but can have many permission sets.

• Profiles have more permission options than permission sets. Record types, page layouts, login hours and login IP ranges are missing from permission sets.

• Permission sets are mostly used for temporary purposes.

• Profiles are mandatory and are used for minimum access.

• Permission sets are not mandatory and are always used to grant more access.

Data Access Concepts

• Object-Level Security: Preventing a user from seeing, creating, editing, or deleting any instance of a particular type of object.

• A profile or a permission set can provide object-level security.

• Defined using tab settings and object permissions.

• Field-Level Security: Preventing a user from seeing, editing, or deleting the value for a particular field on an object.

• A profile or a permission set can provide field-level security.

• Provides Read and Edit options for fields.

• Record-Level Security: Restricting a user to the individual object records that he is allowed to see.

Record-Level Security can be achieved by:

• Organization-wide Defaults : Allow us to specify the baseline level of access that a user has in our organization. The access can be,

• Private

• Public Read-only

• Public Read/Write

Org-wide defaults do not set the access levels for a child record of a Master-detail Relationship.

• Manual Sharing : Allows record owners to give read and edit permissions to users who might not have access to the record any other way.

• Role Hierarchies: Allow us to make sure that a user higher in the role hierarchy will always have access to the same records as his or her subordinates.

• Whether to grant access using role hierarchies can be decided from the Org-wide Defaults for custom objects.

• Sharing Rule: Allows us to make automatic exceptions to organization-wide defaults for particular groups of users.

• Can be based on the owner of the record or based on criteria.

• Share with Public Groups.

Points to Remember about Record-Level Security:

• Record-level security is used to grant more access, not to restrict access. So we can say the org-wide default is the most restrictive among all the record-level security mechanisms.

• A record's creator cannot be changed, but the owner of the record can be changed.

• A record can also be shared using Apex Managed Sharing.

Displaying Field Values and Page Layouts According to Profiles

• We can use different page layouts for different profiles.

• For that, what we need is the record type.

• The record type that is created is assigned the newly created page layout.

• Afterwards, page layout access can be assigned through the profiles.

• For field access, the page layouts can be modified further.

Exploring ViewAll / ModifyAll

• ViewAll and ModifyAll on the profile ignore the sharing model, role hierarchies and sharing rules.

• They provide access to all the records created by any type of user.

• ModifyAll gives the ability to mass transfer, mass update and mass delete records.

• ModifyAll also gives access to approvals, to accept or reject them.

Field Accessibility

• The sharing controls of Salesforce provide Field Accessibility, which allows viewing and modifying field access for a particular object from different aspects:

• View By Fields

• View By Profiles

• View By Record types

Delegating Data Administration

• There are two ways to quickly delegate restricted data administration access:

• Object-Level Permissions

• Provides all object-level access to another user, who can then act as a delegated administrator.

• Delegated Administration Group

• Creating a new non-admin (i.e. delegated) administration group with limited admin privileges rather than object settings, such as creating new users, modifying users, resetting passwords, and access to selected objects provided by the primary admin.

Accessing Records in Apex

• Accessing the records of a custom object from Apex using SOQL queries gives you access to all the records, even if the user running the code does not have access to those records.

• In these cases, declare the class with the following syntax to restrict access as per the sharing rules:

public with sharing class MyClassname {
    // SOQL queries in this class return only the records shared with the running user

}
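
The sharing keywords side by side, as an added example that is not part of the original slides. Invoice__c and Amount__c are hypothetical names; because "with sharing" enforces record-level sharing only, the example uses Security.stripInaccessible for field-level security.

```apex
// Added example. Invoice__c and Amount__c are hypothetical (assumed) names.
public inherited sharing class InvoiceAccessDemo {

    // Record-level sharing is enforced: queries return only rows the running
    // user can see through org-wide defaults, role hierarchy, sharing rules
    // or manual shares.
    public with sharing class UserScoped {
        public List<Invoice__c> fetch() {
            List<Invoice__c> rows =
                [SELECT Id, Name, Amount__c FROM Invoice__c LIMIT 200];
            // "with sharing" does not apply field-level security, so drop
            // the fields the running user cannot read before returning.
            SObjectAccessDecision decision =
                Security.stripInaccessible(AccessType.READABLE, rows);
            return (List<Invoice__c>) decision.getRecords();
        }

        public Integer countVisible() {
            return [SELECT COUNT() FROM Invoice__c];
        }
    }

    // Sharing is ignored: every row is counted, whoever runs the code.
    // Keep classes like this small and reviewed.
    public without sharing class SystemScoped {
        public Integer countAll() {
            return [SELECT COUNT() FROM Invoice__c];
        }
    }

    // Number of rows that exist but are hidden from the running user.
    public static Integer hiddenFromRunningUser() {
        return new SystemScoped().countAll() - new UserScoped().countVisible();
    }
}
```

A non-zero result from hiddenFromRunningUser() is the set of records that a class without the sharing keyword could expose to that user.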

Thank You