Salesforce Security and Access

Creating users entails – key information about a user: each user has their own unique username and logs in with a username and password; users (each uses a license) can be active or inactive; users must be associated with a profile; users are usually associated with a role.

Record Ownership – the user (or queue, for Cases and Leads) who controls or has rights to the particular data record.

The owner has the following particular privileges – view and edit capability, transfer capability, deletion capability only if object permissions are enabled.

Organization Wide Defaults – define the baseline level of access to data records for all users in the organization – used to restrict access to data. Org Wide Defaults are a minimum level of access for all users.

  • Private – no searching, no reporting.
  • Read only – Search records, report on records, add related records.
  • Read/Write – Search records, Report on records, Add related records, Edit details on records.
  • Read/Write/Transfer – Search records, report on records, add related records, edit details of records, change ownership of record, delete record.

Role – controls the level of visibility that users have to an organization's data. A user may be associated with one role.

Role Hierarchy – controls data visibility, controls record roll up – forecasting and reporting. A user inherits the special privileges of data owned by or shared with users below them in the hierarchy.

Users have ALL access to records they own plus records owned by users beneath them in the hierarchy, regardless of the sharing model used. The only exception is a Contract marked as “private”, which is seen only by the owner and the system administrator.

EE can create Account, Contact, Opportunity and Case Sharing Rules. PE can ONLY create Account and Contact Sharing rules.

When a sales rep transfers regions, do not simply update the user role because revenue from opportunities closed in the old region will follow them. Instead, de-activate the user and create a new user for the sales rep with the new role.

Sharing Rule – automated rules that grant access to groups of users, exceptions to organization wide defaults. Irrelevant for public read/write organizations. The levels of access that can be granted are read only or read/write.

Sharing rules open up access, whereas organization wide defaults restrict access.

Types of Sharing Rules:

  • Account Sharing Rules
  • Contact Sharing Rules
  • Opportunity Sharing Rules (EE/UE)
  • Case Sharing Rules (EE/UE)
  • Lead Sharing Rules (EE/UE)
  • Campaign Sharing Rules (EE/UE)
  • Custom Object Sharing Rules (EE/UE)

Public Groups – a grouping of:

  • Users
  • Public Groups (nesting)
  • Roles
  • Roles and subordinates

used when more than a few roles need to be shared.

Manual Sharing – record access granted on a one-off basis. The owner, anyone above the owner in the hierarchy and the administrator can manually share contacts. Like sharing rules, irrelevant for Public Read/Write organizations.
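
The layering described above (organization wide default as the baseline, then role hierarchy, sharing rules and manual sharing each opening access further) can be modelled in a few lines. This is an added example, not Salesforce code or part of the original notes; the roles, users and rule format are constructed, and object permissions and the "private" exception are not modelled.

```python
# Added example: simplified model of the sharing layers in these notes.
# Not Salesforce code; roles, users and rules are constructed sample data.
RANK = {"None": 0, "Read Only": 1, "Read/Write": 2,
        "Read/Write/Transfer": 3, "All": 4}
OWD_GRANT = {"Private": "None", "Read Only": "Read Only",
             "Read/Write": "Read/Write",
             "Read/Write/Transfer": "Read/Write/Transfer"}

ROLE_PARENT = {"CEO": None, "VP Sales": "CEO",
               "Rep East": "VP Sales", "Rep West": "VP Sales"}
USER_ROLE = {"carol": "CEO", "victor": "VP Sales",
             "erin": "Rep East", "wes": "Rep West"}

def is_above(role, other):
    """True if `role` is an ancestor of `other` in the role hierarchy."""
    parent = ROLE_PARENT[other]
    while parent is not None:
        if parent == role:
            return True
        parent = ROLE_PARENT[parent]
    return False

def effective_access(user, owner, owd, sharing_rules=(), manual_shares=None):
    """Widest access any layer gives `user` on a record owned by `owner`.

    sharing_rules: (owner_role, shared_to_role, level) tuples (assumed format).
    manual_shares: {user: level} granted on this one record.
    """
    role, owner_role = USER_ROLE[user], USER_ROLE[owner]
    grants = [OWD_GRANT[owd]]                    # baseline for every user
    if user == owner or is_above(role, owner_role):
        grants.append("All")                     # owner, or above the owner
    for from_role, to_role, level in sharing_rules:
        # Access shared with a role also rolls up to roles above it.
        if owner_role == from_role and (role == to_role or is_above(role, to_role)):
            grants.append(level)
    for grantee, level in (manual_shares or {}).items():
        if user == grantee or is_above(role, USER_ROLE[grantee]):
            grants.append(level)
    return max(grants, key=RANK.__getitem__)     # layers only widen access

if __name__ == "__main__":
    rules = [("Rep East", "Rep West", "Read Only")]
    for u in USER_ROLE:                          # record owned by erin, private OWD
        print(u, effective_access(u, "erin", "Private", rules))
```

With a Read/Write default the same sharing rule changes nothing, which is why the notes call sharing rules and manual sharing irrelevant for public read/write organizations.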

Sales Team – used for collaborative selling in EE and UE, used for sharing as well as reporting purposes. Ad hoc or may use default sales team. Sales team may be automatically added to a user’s opportunity. Persons who can add a Sales Team:

  • Owner
  • Anyone above owner in role hierarchy
  • Administrator

Users with access to opportunities as sales team members cannot extend sharing for those records.

Professional Edition does not have access to the Team Selling feature.

Account Team – used for collaborative account management, used for sharing as well as reporting purposes. Manually added to account records.

The Account Access, Contact Access and Opportunity Access depend on the sharing model.

Folders – used for organizing email templates, documents and reports and dashboards. Access is defined as Read or Read/Write. Access is explicit and cannot roll up through role hierarchy.

