Security Matrix

[table id=33 /]

“Folders” is a non-technical term used only on this site; it may not appear in Salesforce documentation. It refers to many of the containers not addressed by the other security controls (list views, for example).

This matrix should serve as a starting point for tracking down security-related issues, although it is by no means an all-inclusive list. See “Viewing Which Users Have Access” (https://help.salesforce.com/HTViewHelpDoc?id=viewing_which_users_have_access.htm&language=en_US) for a more comprehensive view of record-level security.

34 thoughts on “Security Matrix”

  1. Hi John,

    I’m confused as to why under Profiles>Records you show View All Data and View All (Per Object). Are there two options when setting a Profile? Also, you refer in a previous comment to “Record Level Security” (you also refer to it in the Security Overview). I’d like to get that cleared. Is record level security what I’d set using OWD?

    1. Yes, there are two options – Modify All Data is a checkbox on the profile, which grants access to all objects; Modify All can also be granted on a per-object basis in the profile settings as well.

      OWD sets the baseline for record-level security. Sharing rules extend. Profiles can override those record level security permissions (e.g. for administrators) through modify all or view all. Hope that helps!

  2. John,

    I got a bit mixed up looking at the matrix. I understood that on Profile I can determine what Object will be available for a certain profile. And that Role will determine what records user may see (or edit). Why then is the Records column also indicated on the profile row?
    View All Data
    View All (Per Object)
    Modify All Data
    Modify All (Per Object)
    How should I understand that?

    Thank you,
    Gil

  3. John,

    I know this is a basic question, but I’d rather ask it though.
    What is in other words “API Enabled” (in the context of this matrix)?

    Thank you,
    Gil

  4. Hi John,
    I’m unclear about View All and Modify All settings. What does that mean? That the user can see and modify all the records (even those where he/she is not the owner)?
    Thanks

  5. Hello John,

    Under the column ‘FIELDS’ for a Permission Set (in the security matrix), you have mentioned it as Visible, Read Only.
    Should it not be Read and Edit? Because under Permission Set > Object Settings, we can always select an object and edit the field permissions for a particular field to have either Read or Edit or both.

    Regards,
    Gautam.

  6. Thanks for all your help with this, John. It’s a tough subject and I have been struggling with it for about 5 months. I finally feel like I’m getting closer. Woo-hoo! 🙂

  7. Hi John,

    Excellent Matrix. You have def put your heart into it.

    I need a quick clarification. I am struggling to understand the difference between OWD and Sharing Setting. Also, what is meant by “Enable External Sharing Model”?

    Thank you.

    1. OWD sets the base record-level access for all users in the org. Sharing rules add additional record-level access for specific sets (roles/groups/etc.) of users. If you wanted one set of users to have a different level of access than another, then typically you would set the OWD to the lower of the two, and then use a sharing rule to grant additional access to the second set of users.

      External sharing refers to defining different OWDs for internal and external (portal, community) users.

      1. I’m having a lot of trouble wrapping my head around this (and have been for months), so any help would be appreciated.
        An example: A User has CR profile/permission set rights to the Account object and the Account records they own. Can a sharing model (OWD, Role Hierarchy, etc.) provide full (or more than CR) access to Account records not owned by this user?
        Or, can the sharing model only provide the user with up to CR (their profile) permissions?

        1. Role hierarchy can provide full access. OWD and sharing rules can only provide read or read/write. Full access provides delete and transfer rights – delete must also be present on the profile (object level permissions), without that they could not delete their own records either. Hope that helps!

          1. Great! Thanks. And, to add to this (from your answer to my other, similar post): “You are granted the lowest combination of all of the permissions. E.g. in order to edit a record, you need edit at the object level and edit access to the record. So if your profile is read only on the account object, you will never be allowed to edit account records.”

            Therefore, even if Role Hierarchy provided more access on the record level, you couldn’t have more access than what you had on the object through profile/permission sets.

          2. Hello John,
            Can you kindly help me with the reasoning of your statement above “Role Hierarchy can provide full access.”
            I was under the assumption that a Role Hierarchy can open up record access (in 3 ways viz. No Access, View Only, View n Edit) when the OWD is set to anything more restrictive than Public Read/Write. So how can Role hierarchy provide full access? By full access, I am assuming you meant CRED.

            Regards,
            Gautam.

          3. Hello John,
            I think I found the answer to my query on Role hierarchy providing full access. Missed the concept of a user being above the record owner and thus gaining access to records under him/her in role hierarchy.
            Kindly do correct me, if my understanding is flawed.

            Regards,
            Gautam.
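The rules stated in the replies above (OWD as the baseline, sharing rules extending it up to read/write, the role hierarchy and ownership giving full access, View All / Modify All overriding record-level security, and the "lowest combination" of object and record access) can be written down as a small model. This is an added example, not part of the original post or its comments and not Salesforce code; `User`, `record_level`, `effective_access`, the `shared_with` mapping keyed by user name, the flat `subordinates` set and the sample users are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Record-level access, ordered; "full" adds delete/transfer rights.
LEVELS = {"none": 0, "read": 1, "edit": 2, "full": 3}

@dataclass
class User:
    name: str
    object_perms: set             # subset of {"read", "create", "edit", "delete"}
    view_all: bool = False        # View All Data or View All (per object)
    modify_all: bool = False      # Modify All Data or Modify All (per object)
    subordinates: set = field(default_factory=set)  # users below in the role hierarchy

def record_level(user, owner, owd, shared_with):
    """Record-level access before object permissions are applied."""
    if user.modify_all:
        return "full"             # profile override of record-level security
    if user.name == owner or owner in user.subordinates:
        return "full"             # owner, or above the owner in the role hierarchy
    # OWD is the baseline; sharing rules extend it; neither goes past read/write.
    grants = [owd, shared_with.get(user.name, "none")]
    if user.view_all:
        grants.append("read")
    return max(grants, key=LEVELS.__getitem__)

def effective_access(user, owner, owd, shared_with=None):
    """Operations allowed: each needs the object permission AND record access."""
    level = LEVELS[record_level(user, owner, owd, shared_with or {})]
    needed = {"read": 1, "edit": 2, "delete": 3}
    return {op for op, minimum in needed.items()
            if op in user.object_perms and level >= minimum}

def demo():
    """Constructed users and records, not taken from any real org."""
    cred = {"read", "create", "edit", "delete"}
    manager_cr = User("manager_cr", {"read", "create"}, subordinates={"rep"})
    manager = User("manager", cred, subordinates={"rep"})
    peer = User("peer", cred)
    auditor = User("auditor", {"read"}, view_all=True)
    return {
        "manager_cr": effective_access(manager_cr, "rep", "none"),
        "manager": effective_access(manager, "rep", "none"),
        "peer_private": effective_access(peer, "rep", "none"),
        "peer_shared": effective_access(peer, "rep", "none", {"peer": "edit"}),
        "auditor": effective_access(auditor, "rep", "none"),
    }

if __name__ == "__main__":
    for who, ops in demo().items():
        print(who, sorted(ops))
```

When tracking down an unexpected access result, checking the object-level column first and the record-level column second mirrors the order in which this model narrows the result.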

  8. Hi John,

    How to enable folder permissions – (view all data and Modify all data) under profile and Permission sets?

    Also, please provide some more examples of when to use Roles over other features like groups?

    Thanks
