loader image

Salesforce.com Security Grants & Evaluation Matrix

Objectives for this Resource:

Security controls in Salesforce largely fit into one of the following classifications:

  • Organization Security: When (Login Hours), where (Login IP Ranges), and how (UI/API/etc.) a user can login.
  • Object Security: What actions a user can take on the records of a particular object (in conjunction with record security).
  • Record Security: What actions a user can take on an existing record (in conjunction with object security).
  • Field-Level Security: Determines which fields a user can view and update for each object.

Security at all applicable levels is required in order to complete an action.

For example, in order to create a lead record, a user must authenticate (organization security) and must have create access to the lead object (object security).  Field-level security will then determine which fields the user can view and modify.

All actions require an active session (organization security allowed), and:

  • Create a record: Create on Object, Edit on Field
  • View a record: Read on Object, Read on Record, Read on Field
  • Edit a record: Edit on Object, Read/Write on Record, Edit on Field
  • Delete a record: Delete on Object, Full Access on Record

Organization-wide default settings determine the default record-level permissions granted to all users for all records within each object. For example, setting the Account object to “Public Read/Write” will ensure that all users have “Read/Write” record-level permissions to all account records.

  • Private: No record access granted
  • Public Read Only: Read only record access granted
  • Public Read/Write: Read/Write record access granted
  • Public Read/Write/Transfer (Only: Cases, Leads): Read/Write plus transfer (ability to change the record owner) permissions granted
  • Controlled by Parents (Only: Contacts, Activities): Parent record controls access
  • Public Full Access (Only: Campaigns): Read/Write/Delete access granted


Leave a Reply