Salesforce Data Security
Setup Audit Trail
Administrators can also view a Setup Audit Trail, which logs when modifications are made to your organization's configuration. For more information, see Monitor Setup Changes.
Record Modification Fields:
All objects include fields to store the name of the user who created the record and who last modified the record. This provides some basic auditing information.
Organization Access Level
At the highest level, you can secure access to your organization by maintaining a list of authorized users, setting password policies, and limiting login access to certain hours and certain locations.
Can you edit object permissions on a standard profile?
NEVER, but you can clone an existing profile, use the clone as a basis for a new profile and adjust the permissions on the clone.
Levels of Data Access
Organization->Objects->Fields->Records
What can you restrict regarding login for added security?
Salesforce doesn't restrict the location or the times for login access. However, for added security, you can restrict both of these. You can also restrict IP ranges.
Field History Tracking:
You can also enable auditing for individual fields, which will automatically track any changes in the values of selected fields. Although auditing is available for all custom objects, only some standard objects allow field-level auditing. For more information, see Tracking Field History.
Login History:
You can review a list of successful and failed login attempts to your organization for the past six months. For more information, see Monitoring Login History.
A public group is
a collection of individual users, other groups, individual roles, and/or roles with their subordinates that all have a function in common. For example, users with the Recruiter profile as well as users in the SW Dev Manager role both review job applications.
A permission set is
a collection of settings and permissions that give users access to various tools and functions. *They extend users' functional access without changing their profiles. *Two common uses for this are: 1)To grant access to custom objects or entire apps. 2)To grant permissions—temporarily or long term—to specific fields.
Every user is identified by
a username, a password, and a single profile.
Record-level security
allows you to control data with greater precision, you can allow particular users to view an object, but then restrict the individual object records they're allowed to see. For example, record-level access allows an interviewer to see and edit her own reviews, without exposing the reviews of other interviewers. You can manage record-level access in these four ways.
Field-level security
is used to restrict access to certain fields, even for objects a user has access to. For example, you can make the salary field in a position object invisible to interviewers but visible to hiring managers and recruiters.
Role hierarchies
on't have to match your org chart exactly. Instead, each role in the hierarchy should just represent a level of data access that a user or group of users needs.
Manual sharing allows
owners of particular records to share them with other users. Although manual sharing isn't automated like organization-wide sharing settings, role hierarchies, or sharing rules, it can be useful in some situations, for example, if a recruiter going on vacation needs to temporarily assign ownership of a job application to another employee.
Object-level security
provides the simplest way to control which users have access to which data. By setting permissions on a particular type of object, you can prevent a group of users from creating, viewing, editing, or deleting any records of that object. For example, you can use object permissions to ensure that interviewers can view positions and job applications but not edit or delete them.
At the highest level of security you can
secure access to the data in your organization by managing authorized users, setting password policies, and by limiting when and from where which users can log in.
Auditing features does not
secure your organization by itself. It provides important information about system usage, which can be useful in diagnosing potential or real security issues. It is important that someone in your organization perform regular audits to detect potential abuse.
With other settings, the profile determines what
tasks users can perform, what data they see, and what they can do with the data.
Organization-wide defaults specify
the default level of access users have to each others' records. You use organization-wide sharing settings to lock down your data to the most restrictive level, and then use the other record-level security and sharing tools to selectively give access to other users.
field-level security controls
the visibility of fields in any part of the app, including related lists, list views, reports, and search results.
Role hierarchies open
up access to those higher in the hierarchy so they inherit access to all records owned by users below them in the hierarchy. They don't have to match your organization chart exactly. Instead, each role in the hierarchy should represent a level of data access that a user or group of users needs.
How should you use profiles and permissions for security?
use profiles to grant the minimum permissions and settings that all users of a particular type need, then use permission sets to grant additional permissions, without changing anyone's profiles.
How can you set object permissions
using either profiles or permission sets. *Profiles determine the objects a user can access, and the permissions a user has on any object record: Create, Read, Edit, and Delete. *You can use permission sets to grant additional permissions and access settings to users. *KEY DIFFERENCE: Users can only have one profile, but can have many permission sets
Sharing rules enable
you to make automatic exceptions to organization-wide defaults for particular groups of users, to give them access to records they don't own or can't normally see. Sharing rules, like role hierarchies, are only used to give additional users access to records default settings.
What are the record level security & sharing tools?
**Listed in order of increasing access: *Organization (least visibility)-wide defaults—specify the default level of access users have to each others' records. *Role hierarchies—allow you to ensure a manager will always have access to the same records as his or her subordinates. Each role in the hierarchy represents a level of data access that a user or group of users needs. *Sharing rules—enable you to make automatic exceptions to organization-wide defaults for particular groups of users, to give them access to records they don't own or can't normally see. *Manual sharing(most visibility)—allows record owners to give read and edit permissions to users who might not have access to the record any other way.
What can you do in the Manage users list as an admin?
*Create one or more users. *Reset passwords for selected users. *View a user's detail page by clicking the name, alias, or username. *Edit a user's details.
What are the different levels of access to data
*Object permissions- determine what objects an individual can see *Field permissions: determine what fields on an object individuals can see *Org Wide defaults determine what records should be hidden by default *Role hierarchy, sharing rules, and manual sharing determine what exceptions should be made **The last two are record-level security
How can you manage Record level security?
*Organization-wide defaults *Role hierarchies *Sharing Rules *Manual sharing
What are the two profile interfaces?
*Original *Enhanced: provides a streamlined experience, making it easy to navigate, search, and modify settings for a profile. Permissions and settings are organized into pages under app and system categories, which reflect the rights users need to administer and use app and system resources.
What are password policies that you can setup?
*Password policies—set various password and login policies, such as specifying an amount of time before all users' passwords expire and the level of complexity required for passwords. *User password expiration—expire the passwords for all the users in your organization, except for users with "Password Never Expires" permission. *User password resets—reset the password for specified users. *Login attempts and lockout periods—if a user is locked out due to too many failed login attempts, you can unlock them.
What are the setting for a sharing model for an object?
*Private=Only the record owner, and users above that role in the hierarchy, can view, edit, and report on those records. *Public Read Only= All users can view and report on records but not edit them. Only the owner, and users above that role in the hierarchy, can edit those records. *Public Read/Write= All users can view, edit, and report on all records. *Controlled by Parent = A user can perform an action (such as view, edit, or delete) on a contact based on whether he or she can perform that same action on the record associated with it.
Types of Auditing features
*Record Modification Fields *Login History: *Field History Tracking *Setup Audit Trail
What can you do in the profile overview page?
*Search for an object, permission, or setting. *Click an item in the list to go to its settings page. *Clone the profile by clicking Clone. *Delete the profile by clicking Delete (if it's a custom profile that isn't assigned to any user). *Change the profile name or description *View a list of users who are assigned to the profile. *Under Apps and System, click any of the links to view or edit permissions and settings.