Salesforce Admin 201 - Security and Access
Use profile and permission sets
2 options to control access to apps and objects, including fields and record types within objects:
Use sharing settings or manual sharing
2 ways to control access to specific records.
Delegated Administration
A group of non-admin users who get limited admin privileges.
1. Create a Delegated Admin group.
2. Assign Users to be in the Delegated group (must have View Setup and Configuration permissions).
3. Set Roles and Subordinates the group can set.
4. Set Profiles the group can assign.
5. Set Permission sets the group can assign.
6. Set Assignable Public Groups the group can assign.
7. Set custom objects the group can assign.
Delegating Data Administration
A permission set or profile created with Limited Admin privileges to create and edit users, reset passwords, assign users to specific profiles, and log in as a user. Creating a profile with the "Manage Users" permission is not advisable because that profile will have total control over SFDC.
Sharing Rules
Allow you to selectively grant data access to defined sets of users. Grant wider access to data. Apply to all new and existing records that meet the definition of the source data set. Apply to both active and inactive users. When access levels change for a sharing rule, all existing records are automatically updated to reflect the new access level. Deleting a sharing rule automatically deletes the access created by the rule. When records change ownership, sharing rules are reevaluated to add or remove access to transferred records. Automatically grant additional access to related records. If multiple sharing rules apply, the user gets the most permissive access level.
Sharing Rules
Allows users who need access to the same records to be grouped together with...
Profile Controls - Contract manager
Can create, edit, activate, and approve contracts. Can delete contracts as long as they are not activated. Can edit personal quota and override forecasts.
Profile Controls - Marketing User
Can manage campaigns, import leads, create letterheads, create HTML email templates, manage public documents, and update campaign history via the import wizards. Also has access to the same functionality as the Standard User.
Profile Controls - Chatter user/moderator
Can only log in to Chatter. Can access all standard Chatter people, profiles, groups, and files
Profile Controls - Customer portal user/manager
Can only log in via a Customer Portal. Can view and edit data they directly own or data owned by or shared with users below them in the Customer Portal role hierarchy. They can view and edit cases where they are listed in the Contact Name field.
Profile Controls - Partner user
Can only log in via a partner portal
Profile Controls - Site.com user
Can only log into the Site.com app. Each Site.com Only user also needs a Site.com Publisher feature license to create and publish sites, or a Site.com Contributor feature license to edit the site's content.
Profile Controls - Solutions manager
Can review and publish solutions. Also has access to the same functionality as the Standard user
Profile Controls - Standard platform user
Can use custom apps and the apps from AppExchange and can use core platform functionality such as accounts, contacts, reports, dashboards, and custom tabs
Profile Controls - Read only
Can view the organization's setup, run and export reports, and view, but not edit, other records.
Tab security
Default On - displays at the top of the user's page.
Default Off - hidden from the user's page but available when All Tabs is clicked.
Tab Hidden - tab is unavailable and completely hidden.
Criteria-based sharing rules
Determine who to share records with based on field values in records. Ex.: if Status = pricing, then all of the folks on the pricing profile could see the record. If Status = closed, only the admin can see it.
Profile Controls - System Admin
Has access to ALL functionality that does not require an additional license. Ex. Cannot manage campaigns unless they also have a Marketing User license.
Record level security types
Organization-wide defaults allow us to specify the baseline level of access that a user has in your organization. For example, we can make it so that any user can see any record of a particular object to which their object permissions give them access, but so that they'll need extra permissions to actually edit one.
Role hierarchies allow us to make sure that a manager will always have access to the same records as his or her subordinates. (vertical)
Sharing rules allow us to make automatic exceptions to organization-wide defaults for particular groups of users. (horizontal)
Manual sharing allows record owners to give read and edit permissions to folks who might not have access to the record any other way.
Sharing Model - Ownership
Record owners can view/edit, transfer, delete records. They can also view but not edit the Accounts their records are associated to
Sharing Access Diagram
1. Salesforce checks whether a user's profile has object-level permission to access that object.
2. Salesforce checks whether the user's profile has any administrative permissions (View All Data, Modify All Data).
3. Salesforce checks the ownership of the record (organization-wide defaults, role-level access, and any sharing rules will be checked).
Standard profiles
System Administrator, Standard Platform User, Standard Platform One App User, Standard User, Customer Community User, Customer Community Plus User, Partner Community User, Customer Portal User, High Volume Customer Portal, Authenticated Website, Customer Portal Manager, Partner User, Solution Manager, Marketing User, Contract Manager, Read Only, Chatter Only User, Chatter Free User, Chatter External User, Chatter Moderator User, Site.com Only User
Sharing Model - Org wide defaults
The administrator defines the default sharing model for the org by setting OWDs. OWDs specify the default level of access to records. They allow specification of the baseline level of access that any user has in the org.
Sharing Rules
These rules, based on record owner or criteria, open up record access (horizontal/lateral). Used by the admin, they are a way to automatically grant users access to object records when OWDs or the role hierarchy don't allow it.
Sharing Rules
These settings open up access laterally. Two sales reps can see each other's records. Opens up access.
Role Hierarchy
These settings open up access vertically. The manager of a sales team can see his team's records. Opens up access.
Team sharing rules
These types of rules only apply to Cases, Accounts and Opportunities.
Manual Sharing
This allows a record owner to manually share a record if the OWDs are set to Private or Public Read Only. Opens up access - flexible.
User Profile
This is a collection of settings (what objects a user can see) and permissions (what a user can do).
Settings (what users see): Apps, Tabs, Record Types, Page Layouts, Fields.
Permissions (what users can do): Administrative (customize app), General User (run reports, mass email), Standard Object (create record), Custom Object (create rate increase).
Object Level Security
This is set in user Profiles and Permission sets. This setting prevents a user from viewing, creating, editing or deleting any instance of a particular type of object. You can hide tabs and objects from particular users.
Field level security
This is set in user Profiles and Permission sets. This setting hides a field or sets it to be visible or read-only.
Sharing Model - Org wide defaults - Public Read/Write
This setting allows all users the ability to view and edit records owned by others. Ownership itself cannot be changed except by the owner of the record.
Sharing Model - Org wide defaults - Public Read only
This setting allows users to see, but not change, records in their org, regardless of who owns them. Items can also be added by anyone onto related lists with this permission level
Sharing Model - Org wide defaults - Private
This setting for a given object allows users to access only the data they own. No one will be able to view records owned by others.
Sharing Model - Org wide defaults - Public Read/Write/Transfer
This setting on an object allows all users the ability to view, edit and even change ownership of records owned by others
Sharing Model - Role Hierarchy
This setting opens up access to records vertically. Gives access to managers of the account owners. Manager will always have access to the same records as his subordinates.
OWD - Org Wide Defaults
To set the most strict access to records, you set these. These are the strictest of all sharing rules.
- Restrict access
- Object records can be:
  - Public Read/Write
  - Public Read Only
  - Private
Exceptions to Role Hierarchy based Sharing
Users can always view and edit all data owned by or shared with users below them in the role hierarchy. Grant Access Using Hierarchies in OWDs allows you to ignore hierarchies when determining access to data. Grant Access Using Hierarchies cannot be disabled for standard objects. Contacts that are not linked to an account are always private. Only the owner of the contact and administrators can view it. Contact sharing rules do not apply to private contacts. Notes and attachments marked as private via the Private checkbox are accessible only to the person who attached them and administrators. Users above a record owner in the role hierarchy can only view or edit the record owner's records IF they have the "Read" or "Edit" object permission for the type of record.
Global Administrative permissions
"View ALL Data", "Modify ALL Data" (including mass transfer / update records and undelete what others delete), "Customize Application", "Manage Users" (add and remove users, reset passwords, grant permissions)