- Describe how security is structured in Salesforce.com.
- Explain how to determine what security permissions are required in order to complete an action in Salesforce.com.
- Describe profiles and their influence on security.
- Describe the significance of the Enable Enhanced Profile User Interface setting.
- List and describe the standard Salesforce profiles.
- Explain when to create a custom profile in Salesforce.com.
- Describe permission sets, and common use cases where they are appropriate.
- Describe the settings an administrator controls to conditionally allow or prevent user authentication.
- Describe how Organization-Wide Defaults (OWDs) influence security.
- Describe how the sharing button can be used to monitor record access and facilitate manual record sharing in Salesforce.com.
- Describe the significance of a user’s role and Grant Access Using Hierarchies on record security.
- Given a scenario, determine how to properly structure the role hierarchy.
- Describe the impact of role configuration on accessing records related to an account (contacts, cases, opportunities).
- Describe sharing rules, and when their usage is appropriate.
- Describe the different types of groups available in Salesforce and when their use is appropriate.
- Describe when to select Grant Access Using Hierarchies when configuring a public group.
- Describe a queue’s influence on security.
- Describe how access to list views, documents, email templates, and similar information is secured in Salesforce.com.
- Describe the permissions required to transfer (change ownership) a record in Salesforce.com.
- Describe delegated administration, and when its usage would be appropriate.
- Describe the significance of the View All and Modify All permissions in Salesforce.com.
- Security – Module Checkpoint
Salesforce.com Security Grants & Evaluation Matrix
CertifiedOnDemand.com
Objectives for this Resource:
Security controls in Salesforce largely fit into one of the following classifications:
- Organization Security: When (Login Hours), where (Login IP Ranges), and how (UI/API/etc.) a user can log in.
- Object Security: What actions a user can take on the records of a particular object (in conjunction with record security).
- Record Security: What actions a user can take on an existing record (in conjunction with object security).
- Field-Level Security: Determines which fields a user can view and update for each object.
Security at all applicable levels is required in order to complete an action.
For example, in order to create a lead record, a user must authenticate (organization security) and must have create access to the lead object (object security). Field-level security will then determine which fields the user can view and modify.
All actions require an active session (organization security allowed), and:
- Create a record: Create on Object, Edit on Field
- View a record: Read on Object, Read on Record, Read on Field
- Edit a record: Edit on Object, Read/Write on Record, Edit on Field
- Delete a record: Delete on Object, Full Access on Record
Organization-wide default settings determine the default record-level permissions granted to all users for all records within each object. For example, setting the Account object to “Public Read/Write” will ensure that all users have “Read/Write” record-level permissions to all account records.
- Private: No record access granted
- Public Read Only: Read-only record access granted
- Public Read/Write: Read/Write record access granted
- Public Read/Write/Transfer (Only: Cases, Leads): Read/Write plus transfer (ability to change the record owner) permissions granted
- Controlled by Parent (Only: Contacts, Activities): Parent record controls access
- Public Full Access (Only: Campaigns): Read/Write/Delete access granted
The sharing button appears (in Salesforce Classic only) when it has been added to the page layout and the org-wide default for the object is set to Private or Public Read Only.
This button can be used to determine who has what level of access to a record. The default view shows the grants providing access to the record, while the expanded view shows all users provided access.
In addition, users with Full Access to a record can manually share access to the record.
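The evaluation matrix and org-wide defaults above can be modelled as a layered check. This is an added example, not Salesforce or course code. It assumes that sharing grants only ever widen the org-wide default, and it leaves out Controlled by Parent, which depends on the parent record. The names `Access`, `OWD`, `MATRIX`, `record_access` and `evaluate` are hypothetical.

```python
from enum import IntEnum

class Access(IntEnum):  # record-level access, ordered weakest to strongest
    NONE = 0
    READ = 1
    READ_WRITE = 2
    READ_WRITE_TRANSFER = 3
    FULL = 4

# Record access each org-wide default gives every user (from the list above).
OWD = {
    "Private": Access.NONE,
    "Public Read Only": Access.READ,
    "Public Read/Write": Access.READ_WRITE,
    "Public Read/Write/Transfer": Access.READ_WRITE_TRANSFER,
    "Public Full Access": Access.FULL,
}

# action -> (object permission, minimum record access, field permission)
MATRIX = {
    "create": ("Create", None, "Edit"),
    "view": ("Read", Access.READ, "Read"),
    "edit": ("Edit", Access.READ_WRITE, "Edit"),
    "delete": ("Delete", Access.FULL, None),
}

def record_access(owd, grants=()):
    """OWD baseline widened by extra grants (assumption: grants never narrow it)."""
    return max([OWD[owd], *grants])

def evaluate(action, session_active, object_perms, owd, grants=(), field_perms=()):
    """Return (allowed, missing), where missing names every layer that blocks."""
    obj_perm, min_record, field_perm = MATRIX[action]
    missing = []
    if not session_active:
        missing.append("organization: no active session")
    if obj_perm not in object_perms:
        missing.append(f"object: {obj_perm}")
    if min_record is not None and record_access(owd, grants) < min_record:
        missing.append(f"record: {min_record.name}")
    if field_perm is not None and field_perm not in field_perms:
        missing.append(f"field: {field_perm}")
    return (not missing, missing)

if __name__ == "__main__":
    # Constructed scenario: the profile allows Edit, but the OWD is Public Read Only.
    perms = {"Read", "Edit"}
    print(evaluate("edit", True, perms, "Public Read Only", field_perms=perms))
    # The same user after a manual share granting Read/Write on this record.
    print(evaluate("edit", True, perms, "Public Read Only", [Access.READ_WRITE], perms))
```

Permission sets are passed in explicitly, so a caller modelling a profile where Edit implies Read should include both values.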