SalesForce Roles, Profile, Permission Set, Sharing Rules, OWD
Types of Permission in a Profile
Administrative: can grant some administrative permissions to custom profile General User: control the ability that standard user can do like editing tasks Standard Object: control read, create, edit and delete action on standard objects Custom Object: control read, create, edit and delete actions on custom objects View All Data allows administrators to view all records regardless of all other security settings Modify all Data - allows administratos to modify all records Customize Application permits administrators to administer the application API only user cannot login to sf.com. such users can only use the application through API calls Password Never Expires prevents password expiring
OWD
OWD is the default access level on records for any object in sales force. By default while creating custom object OWD is set to Public Read/Write For custom objects we can see below access levels - Private: only owner and above hierarchy users can have Read/Write access and below hierarchy users don't have any access. Public Read only: only owner and above hierarchy users can have Read/Write access and below hierarchy users can have only Read Only. Public Read/Write: Irrespective of role hierarchy every one can have Read/Write permissions on the records.
Profiles
Profile deals with CRED (Create, Read, Edit and Delete) permissions over Apps, Tabs, sObjects, Fields, Record Types, etc... We can map only one profile for one user and without mapping the profile we cannot create the user.
Roles
Role deals with authorization to access data. defines data access rights granted to users at higher roles users access to all records they own and their sub-ordinates
Permission Set
To improve the permissions for the users over profiles we should go for Permission Sets. It cannot be used to restrict permissions. Example- To give additional permissions to few users who belongs to different profiles over Apps, Tabs, sObjects and fields.
Apex Sharing
allow developers to define the reason why a user or group of users have access to record apex sharing reasons exist only for custom objects and they are defined for individual objects. each object can have up to 10 apex sharing reasons
Sharing Rules
are created to grant access to records between users when access does not roll up Using sharing rules, read only and read/write access can be granted to users Sharing rules cannot be more restrictive than owd settings.
Field Level Security
restricts access to fields list views, reports, force.com, conenct offline, custom links, mail merge, related lists overrides less restrictive page layout settings set at profile level each profile can have different level of access to object doesn't allow conditional security of records all users can edit any accessible fields
Manual Sharing
used to grant access to records on a one-off basis when randon users require record access. Access rights can be granted by the owner of a record, anyone above the owner in the role hierarchy and by the system adminsitrator It is granted at the record level and is not used to grant access at the organization level