Security Model – Free


89 thoughts on “Security Model – Free”

  1. Hi John,

    Which of the following is the best way to make the Field Mandatory for everyone?

    A. Page Layout
    B. Validation Rule
    C. Roles & Profiles
    D. Field Level Security

    1. I think it’s B..

      A. Page Layout – would only make it mandatory on specific page layouts
      B. Validation Rule
      C. Roles & Profiles – not applicable
      D. Field Level Security – not applicable as this only determines whether fields are visible/read only/hidden

  2. Quick question regarding IP addresses. A company has an IP range set up and a user’s profile has a specific IP address. If the user moves out of that IP range but is still under the company’s IP address range, will the user be denied access, granted access, or be required to enter a security code?
    -Thanks

    1. There are two types of IP ranges:

      trusted ranges and login ranges

      If they log in outside of the trusted ranges, then they need to activate.
      If they log in outside of the login IP ranges, then the login will be denied.

      Login IP ranges (restrictions) override trusted ranges.
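As an added example (not code from the original page or from the site’s author), the following Python model applies the precedence described in the reply above to a few constructed login attempts: the profile’s login IP ranges are checked first, and only attempts that pass them fall through to the trusted-range check. The ranges, profile names and addresses are all made up.

```python
# Added example, not from the original page: a model of how login IP ranges
# (per profile) and trusted IP ranges (org-wide) combine when a login is
# evaluated. All ranges, profiles and addresses below are constructed.
import ipaddress
from collections import Counter

# Constructed org-wide trusted ranges (Setup > Network Access).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed per-profile login IP ranges (restrictions). An empty list means
# the profile carries no login restriction at all.
PROFILE_LOGIN_RANGES = {
    "Sales User": [ipaddress.ip_network("203.0.113.0/25")],
    "Marketing User": [],
}


def _in_any(addr, ranges):
    return any(addr in net for net in ranges)


def login_decision(profile, source_ip):
    """Return 'denied', 'activation_required' or 'granted'.

    Login IP ranges are evaluated first and override trusted ranges: an
    address outside the profile's login ranges is refused even when it sits
    inside a trusted range. Only then do the trusted ranges decide whether
    the user must verify their identity (activate) before getting in."""
    addr = ipaddress.ip_address(source_ip)
    login_ranges = PROFILE_LOGIN_RANGES.get(profile, [])
    if login_ranges and not _in_any(addr, login_ranges):
        return "denied"
    if not _in_any(addr, TRUSTED_RANGES):
        return "activation_required"
    return "granted"


def summarize_attempts(attempts):
    """Count outcomes over (profile, ip) pairs, e.g. from a login history export,
    so an admin can spot profiles whose restrictions are rejecting real users."""
    return Counter(login_decision(profile, ip) for profile, ip in attempts)


# Constructed login attempts: the second one is the case asked about above,
# an address still inside the company's trusted range but outside the
# profile's login range.
SAMPLE_ATTEMPTS = [
    ("Sales User", "203.0.113.10"),
    ("Sales User", "203.0.113.200"),
    ("Marketing User", "203.0.113.200"),
    ("Marketing User", "198.51.100.5"),
]

if __name__ == "__main__":
    for profile, ip in SAMPLE_ATTEMPTS:
        print(f"{profile:15} {ip:15} -> {login_decision(profile, ip)}")
    print(dict(summarize_attempts(SAMPLE_ATTEMPTS)))
```

The second sample attempt is the situation from the question: the address is still inside the company’s trusted range, but because it falls outside the profile’s login range the result is a denial rather than an activation prompt.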

  3. I just can’t. Since this is a training environment, I removed all the permission sets associated with Opportunity. Now, when I log in as Matt and try to share the Opportunity, I can only share with user Matt. I created a permission set for the role EMEA Sales Rep (Karen’s role) and then I can share the Opp with Karen, but all EMEA Sales Reps get the same access. I will try to remove some other stuff and see if it works. I tried a similar scenario on a Production environment and it worked fine. Really strange because Matt and Karen have the same profile and Matt owns both the Account and the Opportunity, still unable to share either with Karen.

  4. I have 2 users with profile as Sales User. OWD for Opportunity is private. Matt has a role as US Sales Rep and Karen has a role as EMEA Sales Rep. Under Security Control/Sharing Settings/Opportunity sharing rules, I see a Global Sales Rep Group which contains ALL Sales reps (US, EMEA, APAC) sharing ALL Opportunities with ALL Sales Reps as read only. When I log in as any user with the profile Sales User, I can see any Opportunities (US, EMEA, APAC) regardless of owner/role.
    When I log in as Matt, I want to share all his Opportunities with Karen, or at least one Opportunity.
    I tried a permission set with read/edit access to Opportunities and added Karen; when I log in as Karen, I can read but can’t edit Matt’s Opportunities. I logged in again as Matt, chose one Opportunity and clicked on Sharing. I can pick Public Groups, Roles, Roles & Subordinates, Users. When I try to choose Users, hoping to be able to pick Karen, it shows me only 5 users: one VP of Marketing (role) Executive User (profile), one APAC Sales Rep (role) Sales User (profile), 2 Marketers (role) General Marketing User (profile) and one Marketing Director (role) General Marketing User (profile). All these 5 users were granted read only access through existing Opportunity Sharing rules. If I choose Roles and pick EMEA Sales Rep with read/edit access, Karen gets edit access to this Opportunity but ALL other EMEA Sales Reps get the same. How can I give access ONLY to Karen to edit this Opportunity that belongs to Matt? I thought manual sharing was exactly that. Sorry for the long question.

  5. Hey John,

    I have troubles understanding something.

    While the Salesforce video that explains the role hierarchy shows that view/edit access can be controlled through roles as well, when looking at the dev org there is no option to choose whether we can control view/edit access through roles.

    1. Access is granted via the role hierarchy (those in higher roles auto inherit access to records owned by those below) and through sharing rules to grant additional access. You are correct that there is a limited impact to security by configuring the role directly.

  6. If I update the password in Salesforce, will SSO reflect it, and the other way around? If I update the password in SSO, will the password be updated in SFDC?

      1. I don’t think you have a password at all with SSO enabled. Your source system (e.g. Active Directory) performs the authentication. The password is not stored in Salesforce in that scenario. Not an expert here, but that’s what I’ve seen working with clients that have it enabled (you will get an error in Salesforce if you try to reset the password of a user that has an SSO enabled profile).

  7. Hi John,

    I am not clear about the difference between:
    Role Hierarchy and Sharing Records with Manager Groups

    If an object has the Private setting on OWD, the role hierarchy will allow higher roles in the hierarchy of the record owner to access it. Why would I use “Sharing Records with Manager Groups” then?

    Thank you,
    Gil

    1. Manager groups depend on the Manager lookup field on the user.

      E.g.

      Bob (reports to) –> Jim

      Jim (for whatever reason) is not above Bob in the role hierarchy. The Manager group allows you to declare sharing based on the manager field, rather than the role hierarchy (e.g. direct reports only… versus all those lower in the role hierarchy).

  8. Hi John,

    What are External users? What licence do they have to my org instance?
    What is partner (user)?

    User sharing for external users
    Users with the “Manage External Users” permission have access to external user records for Partner
    Relationship Management, Customer Service, and Customer Self-Service portal users, regardless of
    sharing rules or organization-wide default settings for User records. The “Manage External Users”
    permission does not grant access to guest or Chatter External users.

    Regards,

    Gil

    1. External users would be customer/partner/community licenses- users in these categories are typically enabled from an existing account/contact record (the resulting user record is linked back to the contact that it was created from).

      If you are curious about this I would suggest enabling communities in your org – create a test account/contact and then grant access. DE orgs have community licenses to test with.

  9. Hi john,
    It might be a silly question at this stage, but I want to know: can record access level and sharing rules only be defined by the ADMIN in your org?

    OR
    Can the record owner also define their own sharing rules, to whom they want to share with,
    and further in sharing rules and manual sharing, and hierarchy?

    Another question is… when I have an OWD more restricted than Public Read/Write…

    Hierarchy:
    There is a hierarchy, and if I am a subordinate of a manager, and as the rule defined at the role hierarchy my manager can access my roles… so how much access is the manager allowed for a record at that point (I mean, is he able to view, edit, delete, share to others in the org?)

    Sharing Rule:
    Same for a sharing rule (how much access does the person have with my record access): can he view, edit, delete, or further share my record to others?
    And the same question for manual sharing of my owned record, if I share manually with some user without considering the hierarchy…

    Manual sharing:
    How much access does he have with my record which I shared manually with him?
    Can he view, edit, delete, or further share to other users in the org?

    At this point, I am really craving answers related to the effect of the security model (profile, sharing settings; and again it relates to one of my questions on reports and dashboards).

    Your answers are really helping me gain confidence with my Salesforce learning.
    Thank you for putting in such an effort to direct learners in the right direction.
    Thank you. Thank you.
    Tejal.

    1. Sharing rule = defined by admin
      Record level sharing = defined by a user that has full access to the record

      Role hierarchy grants full access for records owned by users below in the role hierarchy (where grant access via hierarchies is enabled, which is the case for standard objects)

      Sharing rule only grants up to read/write (not full access, which grants delete)

      Manual sharing also grants up to read/write (read or read/write)

      Cheers,

      John

  10. Hi John,
    The following video has been removed, a shame, I saved it to watch it later now that I have completed your guide but it is gone 🙁
    “I love Permission Sets: A Deep Dive Into Profiles 2.0”

  11. In the Who Sees What: Data Visibility How To Series, the first video “Who sees what: Overview” won’t load. I get an error “Error Code: 200: NetStream.Play.StreamNotFound”.

  12. Hi John,

    I have a question regarding email notifications I receive as a system admin when OWD settings are changed in SF. How can this be switched off?
    Is this setting only valid when changing OWD or also other config?

    Secondly, the abbreviation SFDC is mentioned quite a lot, what does it stand for?

    Thanks,

    Soraya.

    1. Soraya,

      SFDC stands for Salesforce Dot (.) Com. Sometimes people just say SF instead.

      Hope this helps. (I don’t have the answer to your other question at the moment. Hopefully someone else does.)

      Rena

  13. Hey John, can you please help me understand this question.

    Accounts teams are used for the following reasons: (Select all that apply)

    a. Share roles with the sales team

    b. Are used for collaborative account management

    c. Are used for sharing and reporting purposes

    d. Are used for splitting of account credit if needed

    What is meant by “Account teams”?
    Its answer is a, b, c, but I’m missing something here.

  14. Hello John,

    Thank you for this excellent Website.

    Would appreciate if you could explain or provide a link explaining the difference between team and group in Salesforce. I understand where groups are to be used but no clear understanding on how and when to use teams in sharing.

    Thank You

    1. That is a good question. I think Group is mainly used in Chatter and comprises folks who share a common interest or would like to keep themselves abreast of a particular topic; and Team mainly comprises a group of people, across various teams/departments, that work on a specific project. But it would be great to get more info on these for clarification.

    2. Teams are defined for select objects (e.g. accounts, opportunities) and are used to designate which users are involved on the record (e.g. an account team indicates who is involved in managing that accounts) – teams also provide access by sharing the record to the user (so that if you are a member of the account team you can view the record).

      Groups are multi-purpose and are generally leveraged for purposes (e.g. within a sharing rule).

  15. John:

    I think the answer is A.
    B. can only read , edit their own opportunities , but can view every one else
    VIEW EVERYONE ELSE? Does not make sense.

    Answer A should be correct because it says
    Can read,Edit and view their own and every one else opportunities

    It specifies EVERY ONE ELSE OPPORTUNITIES.

    View ALL permission is on Opportunity Object. So, the User will be able to View Opportunities they own AND ALL OTHER RECORDS ON THE OPPORTUNITY OBJECT that others own.

    Please correct me if I am wrong.

      1. If so, then, you may want to change your answer to A

        JohnCoppedge, September 3, 2015 at 1:32 pm:
        Oh I didn’t see ‘view all’ my mistake – the answer would be b then

  16. Not sure if it was notified as a duplicate, so just to be on the safer side I am posting only the question..

    1) When the user profile on the opportunity is set to Read, Edit, and View All, and OWD is set to Private, the user can

    a) Can read, edit and view their own and everyone else’s opportunities
    b) Can only read and edit their own opportunities, but can view everyone else’s
    c) Can only read, view and edit their own opportunities and they can’t view other opportunities

    My answer is ‘b’ but the answer seems to be ‘a’.

    I am confused now, can you please help me here?

      1. It depends on where the user is in the role hierarchy. The closest answer is probably c.

        If the OWD is private, that means that the user won’t be able to view or edit opportunity in the same role as they are assigned or any roles above that role. They will be able to view and edit (granted access via the role hierarchy) records owned by users in roles below theirs.

        1. Hi John,
          Yes, I agree with you that it depends on the role hierarchy, but what if the role hierarchy was not enabled, and the OWD is private,
          but the user profile has the ‘View All’ option? That means they can view all other opportunities.

          Am I missing something here?

  17. This is unfortunate. Yesterday all but one video was viewable. Today only 3 are available. I was only on like the 3rd one in the series and they were great. Why do they keep making them private then public?

  18. Hi John,

    Who Sees What: Data Visibility How To’s — these videos have been made private on YouTube. I cannot access all of them; only 3 videos are available.

  19. Hello John – I am not able to see all the videos in “Who Sees What”. It says the videos are Private.
    Do I need any specific user credentials to view those videos ? Please help.

  20. I thought I’d posted this yesterday, but now I can’t seem to find it. I apologize in advance if, in fact, it is a duplicate post.
    For some reason, I’m having problems with this concept, and I’m taking my cert exam next week so I’m more than a little nervous :-).
    If someone has limited or no access at the profile level to an object and – therefore – to records they own, can the OWDs/Role Hierarchy/Sharing Rules/Etc. give them more access to objects and records that they don’t own?
    My instinct would be to say that if you can’t see/edit/etc. your own records at the profile level you can’t see/edit/etc. someone else’s records.

      1. Correct – you are granted the lowest combination of all of the permissions.

        E.g. in order to edit a record, you need edit at the object level and edit access to the record. So if your profile is read only on the account object, you will never be allowed to edit account records.
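The reply above and the earlier reply under question 9 (role hierarchy grants full access, sharing rules and manual shares grant up to read/write, and a user ends up with the lowest combination of object-level and record-level access) describe one evaluation. Here is a small Python model of it, added as an example and not code from the original page or from Salesforce. The users, roles, records and the single read-only sharing rule are constructed, and the model is simplified: a sharing rule targets one role, and groups, teams, territories and permission-set ordering are left out.

```python
# Added example, not code from the original page: a simplified model of how
# object-level (profile) permissions and record-level grants combine. Names,
# roles, records and rules are constructed for illustration.
from dataclasses import dataclass, field

# Access levels, ordered so that min()/max() pick the weaker/stronger grant.
NONE, READ, EDIT, FULL = 0, 1, 2, 3
LEVEL_NAME = {NONE: "none", READ: "read", EDIT: "read/write", FULL: "full"}
OWD_LEVEL = {"private": NONE, "public read only": READ, "public read/write": EDIT}


@dataclass
class User:
    name: str
    role: str
    object_perms: frozenset  # profile + permission sets on the object


@dataclass
class Org:
    owd: str                                  # org-wide default for the object
    role_parent: dict                         # role -> parent role (None at top)
    grant_via_hierarchy: bool = True          # "Grant Access Using Hierarchies"
    sharing_rules: list = field(default_factory=list)   # (target_role, level), admin-defined
    manual_shares: list = field(default_factory=list)   # (record_id, user_name, level)


def is_above(org, role, other):
    """True when `role` sits strictly above `other` in the role hierarchy."""
    parent = org.role_parent.get(other)
    while parent is not None:
        if parent == role:
            return True
        parent = org.role_parent.get(parent)
    return False


def object_level(user):
    """Object-level access from the profile/permission sets."""
    perms = user.object_perms
    if "modify_all" in perms:
        return FULL
    level = NONE
    if "read" in perms or "view_all" in perms:
        level = READ
    if "edit" in perms:
        level = EDIT
    if "delete" in perms:
        level = FULL
    return level


def record_level(org, user, record):
    """Strongest record-level grant the user holds on one record.

    Ownership, Modify All and the role hierarchy grant full access (delete
    included); sharing rules and manual shares are capped at read/write."""
    if record["owner"] == user.name or "modify_all" in user.object_perms:
        return FULL
    level = OWD_LEVEL[org.owd]
    if "view_all" in user.object_perms:
        level = max(level, READ)
    if org.grant_via_hierarchy and is_above(org, user.role, record["owner_role"]):
        level = max(level, FULL)
    for target_role, lvl in org.sharing_rules:
        if user.role == target_role:
            level = max(level, min(lvl, EDIT))
    for rec_id, who, lvl in org.manual_shares:
        if rec_id == record["id"] and who == user.name:
            level = max(level, min(lvl, EDIT))
    return level


def effective_access(org, user, record):
    """Effective access is the lowest of object-level and record-level."""
    return LEVEL_NAME[min(object_level(user), record_level(org, user, record))]


# Constructed scenario resembling the thread: private OWD on Opportunity,
# Matt (US) owns the records, Karen (EMEA) shares Matt's profile.
SALES_PROFILE = frozenset({"read", "create", "edit", "delete"})
ORG = Org(
    owd="private",
    role_parent={"VP Sales": None, "US Sales Rep": "VP Sales",
                 "EMEA Sales Rep": "VP Sales", "APAC Sales Rep": "VP Sales"},
    sharing_rules=[("EMEA Sales Rep", READ)],          # read-only rule for EMEA
    manual_shares=[("opp-1", "Karen", EDIT)],           # Matt shared opp-1 with Karen
)
MATT = User("Matt", "US Sales Rep", SALES_PROFILE)
KAREN = User("Karen", "EMEA Sales Rep", SALES_PROFILE)
VP = User("Dana", "VP Sales", SALES_PROFILE)
READ_ONLY_VP = User("Rena", "VP Sales", frozenset({"read"}))
PAT = User("Pat", "APAC Sales Rep", frozenset({"read", "edit", "view_all"}))
OPP1 = {"id": "opp-1", "owner": "Matt", "owner_role": "US Sales Rep"}
OPP2 = {"id": "opp-2", "owner": "Matt", "owner_role": "US Sales Rep"}

if __name__ == "__main__":
    for user in (MATT, KAREN, VP, READ_ONLY_VP, PAT):
        for rec in (OPP1, OPP2):
            print(f"{user.name:6} on {rec['id']}: {effective_access(ORG, user, rec)}")
```

Running it shows the points made in the replies: Karen gets read/write on the one record Matt shared manually and only read elsewhere (the sharing rule), Dana above Matt in the hierarchy gets full access, and Rena, whose profile is read-only, stays at read even though the hierarchy would otherwise grant her full record access.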

  21. Needs editing:

    Each user is assigned a one profile

    …should read

    Each user is assigned a one profile

    Also, a space needs to be between “user(page” in the same paragraph.

  22. I’m finding that the user interface screens in the video do not match what I’m currently seeing in the developer or my Enterprise edition. It’s making it a bit more difficult to follow along and find these fields. For instance, there are drop down arrows in the profile settings, but links instead.

    Any idea when SFDC will be updating these fields?

    1. You should be able to turn off the new UI:

      Instructions within this guide make the assumption that the Improved Setup User Interface is disabled.

      I suggest you double-check your org settings by navigating to Setup –> Customize –> User Interface; ensure “Enable Improved Setup User Interface” is not checked.

      If you enable this feature, step-by-step instructions within scenarios and exercises will not line up correctly (as the setup navigation menus will be different).

  23. Hi John,
    In the section “Describe the capabilities of the Salesforce App Launcher”, the link is damaged:
    [sc:youtubelink id=1_cTGhxPJHQ text=”Setting up the App Launcher”]

    BTW, thanks for creating this site…I’m working my way through…

  24. I recently took the exam and was asked the question.

    What is the Salesforce default OWD for accounts?

    Could be worth researching all the OWD defaults for the exam.

  25. What is your best practice regarding the organization-wide defaults? E.g. do you change these settings as soon as you start a new instance? Or do you keep these settings default?

    1. Generally you want to figure out what security settings will apply to the whole organization and then implement them after that is fully understood. If you need a private sharing model, it is generally best to implement sharing rules first – so that when you turn off org-wide access to the object the users will already have rules in place to grant access where needed.
