This document discusses sharing and security controls in Salesforce, including profiles, permission sets, and record-level security. Profiles control object, field, and user permissions, while permission sets can grant additional access. Record-level security can be set at the organization, manual sharing, role hierarchy, and sharing rule levels to determine which users can access individual records.

1. Sharing & Security
Salesforce.com

2. Why Cloud…??
• Bringing down computing costs in organization.
• Freedom to access data anywhere from any of the devices.
(Mobile, Tablets, Computers, etc.)
• Centralized and agile.
• More Secure than a scattered network.
• No headache of maintaining servers.

3. Sharing & Security Importance
• First of all it is important that who's actually going to be using
the app.
• How much access they should have to the data.
• Otherwise app will expose sensitive information.
• So the security controls should be configured, and the access
should be defined.

4. Controlling Access To Objects
Controlling the application access can be done by two ways
which are actually the collection of Settings and Permissions
• Profile : A mandatory field of user which provides settings and
permission which are used for data access purpose.
• Permission Sets : A non-mandatory field that provide extra
access to objects, fields etc.

5. Profiles
What controls a Profile holds:
• Object Permission
• Field permissions (Field-level security)
• User permissions
• Tab settings
• App settings
• Apex class access
• VisualForce page access
• Page layouts
• Record types
• Login hours
• Login IP ranges

6. Standard Profiles
• Read Only
• Standard User
• Marketing User
• Contract Manager
• Solution Manager
• System Administrator
Creating a new profile will ask you to refer existing profile or
make a clone of it.

7. Permission Sets
What controls a Permission set holds:
• Object permissions
• Field permissions(Field Level Security)
• User permissions
• Tab settings
• App settings
• Apex class access
• VisualForce page access

8. License Concept behind the
User, Profiles & Permission sets
• While creating a user , profile or a permission set the license
must be specified.
• These licenses are having some accessibilities which are
provided along with them.
• The license of a user should match with the permission set we
are applying to it.
• The licenses of a user, its profile and the permission set that is
being assigned to it, are the same.

9. Comparing Profiles &
Permission Sets
• User can have only one Profile but can have many permission
sets.
• Profiles are having more permissions options than permission
sets. Record type, Page layout, Login hours, Login IP ranges is
missing from the permission set.
• Permissions are mostly used for temporary purpose.
• Profile are mandatory and used for minimum access.
• Permission are not mandatory and always used to grant more
access.

10. Data Access Concepts
• Object-Level Security : Preventing a user from seeing,
creating, editing, or deleting any instance of a particular type
of object.
• A profile or a permission set can provide object-level security.
• Defined using Tab settings and object permissions.
• Field-Level Security : Preventing a user from seeing, editing,
or deleting the value for a particular field on an object.
• A profile or a permission set can provide Field-level security.
• Provide Read and Edit options for fields.
• Record-Level Security : Preventing a user for individual object
records that he is allowed to see.

11. Record-Level Security can be achieved by:
• Organization-wide Defaults : Allow us to specify the baseline
level of access that a user has in our organization. The access
can be,
• Private
• Public Read-only
• Public Read/Write
Org-wide defaults do not sets the access levels for a child record of
Master-detail Relationship.
• Manual Sharing : Allows record owners to give read and edit
permissions to users who might not have access to the record
any other way.

12. • Role Hierarchies : Allow us to make sure that a user above in
role hierarchy will always have access to the same records as
his or her subordinates.
• Grant access using role hierarchies can be decided from Org-wide
Defaults for custom objects.
• Sharing Rule : Allow us to make automatic exceptions to
organization-wide defaults for particular groups of users.
• Allows to be based on owner of record & Based on criteria.
• Share with Public Groups.

13. Points to Remember about the Record-Level Securities :
• A Record-Level Security is used to grant more access not to
restrict access. So we can say Org-default as most restrictive
among all the record level securities.
• A record creator can not be changed but the owner of the
record can be changed.
• A record can also be shared using the Apex Managed Sharing.

14. Displaying Field Values and
Page Layouts According to
Profiles
• We can use the different page layouts for different profiles.
• For that, what we need is the record type.
• The record type created will be assigned with a new page
layout created.
• Afterwards page layouts access can be assigned through the
Profiles.
• For field access the page layouts can further be modified.

15. Exploring ViewAll/ ModifyAll
• The ViewAll and ModifyAll from the Profile ignores all the
sharing model , role hierarchies, sharing rules.
• These provides access to all the records created by any type of
user.
• ModifyAll gives ability to mass transfer , mass update, mass
delete records.
• ModifyAll gives access to approvals also to Accept or Reject.

16. Field Accessibility
• The Sharing Controls of Salesforce provides a Field
Accessibility which allows to view & modify the fields access
from different aspects for a particular object.
• View By Fields
• View By Profiles
• View By Record types

17. Delegating Data
Administration
• There are two ways to quickly delegate restricted data
administration access:
• Object-Level Permissions
• Provides the all Object level access to other user which can then act
as a delegated administrator.
• Delegated Administration Group.
• Creating a new non-admin i.e. delegated administration group with
limited admin privileges which are rather than object settings. Like
creating new user, modify user , reset passwords, access to selected
objected provided by primary admin.

18. Accessing Records in Apex
• While accessing the records or information of an custom
object using SOQL queries will give you all the records access
even if the user accessing it is not having the access to those
records.
• So at these conditions use the following type of syntax to
classes to restrict the access as per the sharing rules
Public with sharing class MyClassname{
}

19. Thank You