Profiles and Permission Sets – The Big Misunderstanding

Profiles and Permission Sets are THE tools to manage Salesforce User permissions, permissions to manipulate data that lives in Salesforce records. BUT… what about access to these records? Is that not covered by Profiles and Permission Sets too? So you thought, but not quite. It’s all about understanding how they play along with the entire Data Security Model. What does this mean? Let’s break it down into edible pieces.

Author: Peggy Schael | Salesforce Trainer | WeLearnSalesforce

Profiles and Permission Sets are THE tools to manage Salesforce User permissions, permissions to manipulate data that lives in Salesforce records. BUT… what about access to these records? Is that not covered by Profiles and Permission Sets already? So you thought, but not quite. It’s all about understanding how they play along with the entire Salesforce Data Security Model. What does this mean? Let’s break it down into edible pieces.

What you really need to understand is that Profiles and Permission Sets have to be seen from a record owner’s perspective. It’s like going into a public parking garage. 🚗🚙 One of the cars is yours or is the car you have the key to. However, all the other cars are there too but you can’t drive them. Not without a key. 🔑

It’s the same with accessing Salesforce records. A Salesforce Object is like a parking garage and contains a lot of records. However, not all records are necessarily accessible to you. A Salesforce User Profile only determines which Salesforce Object a User can go into. It does not determine which of the records within the specific Object the User can actually ‘drive’. Therefore, we need to discuss how Salesforce Users get access to the individual records.

SALESFORCE DATA RECORD ACCESS MODEL

That’s where the Salesforce Data Record Access Model comes into play. That’s the one that determines whose records you are allowed to access, like giving a User one or more keys to drive selected cars. It’s the highest priority of every Salesforce Organization to protect the data of their customers, partners, supplies and others. Not every Salesforce User should have access to every Salesforce record, only those they need to work with on a daily basis, in order to fulfill the job they were hired for.

Unfortunately, this is not the case for many organizations. Especially smaller organizations oftentimes leave record access open to everyone because they don’t have the capacity to get to know the Salesforce Setup items. And what makes things worse, most Salesforce Users are given a System Administrator Profile. Sounds familiar? I hope not, but I’m sure it does. 😉

We won’t discuss the entire Salesforce Record Access Model in this article. We’ll focus on the two most important elements from a Salesforce User perspective. And this is about what they can DO in Salesforce and what they can SEE after they’ve logged in.

WHAT SALESFORCE USERS CAN DO

It all starts with Profiles and Permission Sets for sure. They are used to determine what Users can do in Salesforce, including what they can do with the records they have access to. This is referred to as ‘Object Permissions’. The four essential permissions you need to be familiar with are Create, Read, Edit and Delete. In short, the ‘CRED’ permissions. There are two more, but let’s stick with CRED for now.

Salesforce provides a number of Standard Profiles to get you started with, so you don’t have to define and select them all from scratch. These Standard Profiles contain a carefully selected combination of Object and other permissions Salesforce has determined relevant for most common job functions. But remember to clone them first and save them as Custom Profiles. Only assign Custom Profiles to your Salesforce Users because Standard Profiles cannot be changed. You have been warned. 😉

And please also consider that Profiles should only contain the very minimum of permissions. Everything else is managed through Permission Sets and Permission Set Groups.

WHOSE SALESFORCE RECORDS USERS CAN SEE

As mentioned earlier, Profiles and Permission Sets only determine which parking garage (Salesforce Object) Users can get into, but not which individual cars (Salesforce records) they will have the keys to.

When we apply this concept to the CRED permission, this looks like this:

DO = Create – Set up a new record within this Object

SEE = Read – Access to the Object

DO = Edit – Change data on records within these Objects

DO = Delete – Get it out of Salesforce

By default, when a Salesforce User has been granted access to a Salesforce Object, they automatically have full access to records they created and own. This does not apply to records a Salesforce User does NOT own.

However, also by default, Salesforce does not restrict access to many Salesforce records, to begin with. That’s why it often appears as if Users automatically have access to all records when they have Read access through their Profile. While this makes it easier to get started with Salesforce it makes it harder later in life when you do need to take away access.

And that brings us to the Sharing Settings. The baseline settings which determine whether Users have access to all or only their own records is managed through the Organization-Wide Defaults (OWD). Each Object has a specific access level selected.

The access levels you can choose from vary by Object. Here is what the most common access levels mean:

And this is just the starting point. As soon as you choose something like Private or Read-Only you will have managers and executives come yelling and screaming why they can’t see their teams’ data anymore. It’s because you’ve taken it away. 😱 But the good news is, that you have other tools to give access back by business unit or other specifications. 😅 And this makes up your Data Record Access Model:

Now you know why Profiles and Permission Sets alone do not dictate access to Salesforce records. You must use them in combination with the Sharing Settings:

DO = Create – Set up a new record within this Object

SEE = Read – Access to the Object -> Access to individual records managed through Sharing Settings

DO = Edit – Change data on records within these Objects

DO = Delete – Get it out of Salesforce

This is a lot to take in. The entire Data Security Model including record access is pretty complex and needs time and practice. I hope this article has clarified some of the key elements you need to consider when it comes to data security.

If you’d like to dive deeper, we have it all covered in detail in our comprehensive Salesforce Administrator Certification Course. You can get a sneak peek at our Free Salesforce Introduction Course. Have a look, no strings attached. 🙂

Let me know in the comments if this is helpful.

WHAT ELSE…

We make learning simple with our range of well-structured Salesforce Video Tutorials, downloadable Study Workbooks and realistic Practice Exams.

And if you are brand new to the world of Salesforce, make sure to sign up for our FREE 21-Day Salesforce Beginners Challenge.

Leave a Reply

%d bloggers like this: