Profiles, permission sets, and object security

Profiles define how users can access data and the whole Salesforce application.

There should be one profile per user and one license type per profile  easy to remember. Also, more than one user can share the same profile.

Your organization comes with standard profiles that (there are exceptions for some Salesforce editions, such as contact manager, group edition, or essentials edition), you can customize a few permissions for on a standard profile or clone (creating a new custom profile) so that you have full access to its customization (for example, custom object access, field-level security access). The only thing you cannot change is the license type related to a profile.

Permission sets are similar to profiles with a simple difference: you can assign zero or more permission sets to a single user, thus providing additional capabilities that are not set up in the base profile. This increases permissions attribution granularity when creating simple profiles with few capabilities and granting users different powers as needed (sometimes, a Salesforce user can have both sales and service capabilities, but you don't want to create a profile with both permissions).

You may ask the following question:

"Can I use custom profiles only,  instead of permission sets?"

You definitely can, but only if your users have clear permission needs and their operative role in the CRM is well defined, which is usually not the case. The business can ask for the sales representatives to be able to access and edit cases, though some service agents may be required to edit opportunities, which are a sales representative's unique permission. If you have to take into account any exceptions when setting up permissions, you would end up with tens of custom profiles, a task that can be time-consuming. Instead, you should deliver some base and exclusive profile configuration and provide a class of permissions using permission sets to specific users when needed (a user can have only one profile but can be related to multiple permission sets).

To see what features are available in profiles and permission Sets, please refer to  https://help.salesforce.com/articleView?id=permissions_about_users_access.htm&type=5.

You can edit a profile with two different interfaces: the enhanced profile user interface and the original (or standard) profile interface.

To enable the Enhanced Profile User Interface, click on Setup | Users | User Management Settings and enable the Enhanced Profile User Interface flag:

Enabling the enhanced profile user interface

This interface is a more powerful profile editing page that supports all the settings that are provided by the original interface: the main enhancement is the capability to search for settings as opposed to the original interface, where all the main options are in a single page. To switch from a master setting to a child one, you need to browse different pages.

From now on, we'll be using the original interface.

Let's briefly look at every section on the profile editor page:

  • Profile Detail: This section contains the main details of the profile, including whether it is a standard profile or a custom one. This section is editable on custom profiles only.
A custom profile is a profile that's created upon cloning a standard profile.
  • Console Settings: Edit layout assignment in Salesforce console apps.
  • Page Layouts: This section is used to assign layouts to records (and record types if the object has at least one record type).
  • Field-Level Security: For each object, this defines which fields are visible and editable.
  • Custom App Settings: This decides which Salesforce applications are accessible by the user and which ones are the default ones.
  • Tab Settings: Like the Custom App Settings section, we can choose which tabs are enabled or hidden.Record Type Settings: For any object that supports record types, you can allow users to use them when creating a new record, thus allowing users to have access to specific business processes.
  • Administrative permissions and General User Permissions: This section contains all the administrative settings and general permissions (such as the View All Data and Modify All Data superpowers). This section can only be edited for custom profiles.
  • Standard Object Permissions, Custom Object Permissions, and Platform Event Permissions: These sections define the OLS, that is, CRUD operations and the View All and Modify All superpowers, which allow the user to view and modify all the records of a given type. Platform events can only be configured with read or create access.
  • Session Settings and Password Policies: These sections display profile-specific session settings (such as session duration and security level) and everything about password management that overrides the Setup | Security | Session Settings and Password Policies org-wide settings.
  • Login Hours: Define when a user should be able to log in to Salesforce.
  • Login IP Ranges: Defined the origin IP addresses that are considered safe to access your Salesforce organization (there's a restriction on a company's IP ranges). Within this range of IPs, users won't be asked for an activation pin (this is sent via email or SMS). You can also restrict this to org-wide login so that it's executed from within this range in Setup | Security | Session Settings.
  • Enabled Apex Classes Access and Enabled Visualforce Page Access: From here, you can enable access to Apex classes (for example, enable a user to access a specific custom Apex web service) and Visualforce pages (for example, access to a specific Visualforce wizard).
  • Other permissions:
    • External Data Source Access: Access to external records (defined in Setup | Integrations | External Data Sources).
    • Named Credential Access: Access to specific external web servers (Setup | Security | Named Credentials).
    • Service Presence status: Available presence statuses (for example, live chat operator status such as Active, Away, or Offline. Go to Setup | Features Settings | Service | Omni-Channel | Presence Statuses to do this. Note that you need Omni-Channel activation).
    • Custom Permissions: Allows profiles to have custom permissions that have been designed to modify a Visualforce or Lightning component's behavior on the developer side and validation rules on the administrator side (Setup | Custom Code | Custom Permissions).
    • Default Community: Default Salesforce community (if any).

If you want to create a new custom profile, you only have to jump to the standard profile you want to modify (or choose another custom profile that's already set up) and click the Clone button, which brings you to the following page:

Cloning a standard profile

From now on, the profile will be completely customizable and will be listed as a custom profile on the profile's Setup | Users | Profiles page:

Custom profiles on the Profiles page

Now, let's look at how we can create permission sets.

上一章目录下一章