Security & Data Access

levelofaccess

User attempts to log in through browser à Has user logged in from this browser or IP address before?

- if yes, then user log in - if no, then user will be prompted to activate computer à user retrieves verification code from highest priority method chosen à user submits verification code à user log in

Path: setup | Security controls | Session Management

Enable the SMS method of identity confirmation setting cannot be turned OFF once it is enabled.

Trusted IP address & Restricted access

Path: Setup | Customize | User Interface

Object Permissions determine the kinds of records users can view, create, edit or delete, not the individual records themselves

Enhanced profile list views make it easier to work with multiple profiles at the same time

` `

  • Mass update profile permissions

` `

  • View and compare settings & permissions for multiple profiles

` `

  • Load up to 200 profiles in a single list view

Path: Setup | Manage Users | Permission Sets

` `

  • Create up to 1000 permission sets

` `

  • Assign multiple permissions sets to a user

Permission sets only grant permissions not deny them

Record Access: Record access determines which individual records users can view & edit in each object they have access to on their profile

Data Access Models:

` `

  • Public: No Restriction

` `

  • Private: Only access the record on their own

` `

  • Hybrid: records they & records of other users that are necessary for their job function

dataaccessmodels

Org-wide sharing defaults:

` `

  • Private

` `

  • Public Read Only

` `

  • Public Read/Write

` `

  • Public Read/Write/Transfer

Role Hierarchy

rolehierarchy

Sharing Rules

Path: Setup | Security Controls | Sharing Settings

Sharing rules grant additional records access to defined groups of users on an object-by-object basis

Share with records?

` `

  • Owned by certain users

` `

  • Meeting certain criteria

With which users?

` `

  • Public group

` `

  • Roles

` `

  • Roles & subordinates

Level of access

` `

  • Read-only

` `

  • Read/Write

Types of Sharing Rules

Account sharing rule:

` `

  • Based on who owns the account, or on selected criteria

` `

  • Allows you to set default sharing access for accounts & their associated cases, contests, and opportunity

Contact sharing rule:

` `

  • Is based on who owns the contact (must be associated with an account), or on selected criteria

` `

  • Allows you to set default sharing access for individual contacts and their accounts

` `

  • Cannot use with Territory Management & B2I (Person Account) enabled orgs

Opportunity Sharing rule:

` `

  • Is available in Enterprise, Performance, and unlimited edition

` `

  • Is based on who owns the opportunity, or on selected criteria

` `

  • Allows you to set default sharing access for individual opportunity and their accounts

Case Sharing Rule:

` `

  • Is available in Enterprise, Performance, and Unlimited Edition

` `

  • Is based on who owns the case or on selected criteria

` `

  • Allows you to set default sharing access for individual cases & associated accounts

Lead Sharing Rule:

` `

  • Is available in Enterprise, Performance, and Unlimited Editions

` `

  • Is based on who owns the lead or on selected criteria

` `

  • Allows you to set default sharing access for individual leads

Campaign sharing rule:

` `

  • Is available in Enterprise, Performance, and Unlimited

` `

  • Is based on who owns the campaign, or on selected criteria

` `

  • Allows you to set default sharing access for individual campaigns

Custom Object sharing rule:

` `

  • Is available in Enterprise, Performance, and Unlimited

` `

  • Is based on who owns the custom object or on selected criteria

` `

  • Allows you to set default sharing access for individual custom object records

User sharing rule:

` `

  • Is available in All 3 edition & developer edition

` `

  • For orgs that enabled user sharing

` `

  • Is based on group membership or on selected criteria

` `

  • Allows you to set default sharing access for individual user records

Criteria-Based Sharing rules:

` `

  • Determine which records to share based on field values in records

` `

  • Are ideal for companies with complex sharing requirements

` `

  • Can be used for accounts, opportunities, cases, contacts, and custom objects

Text & Text Area fields are case-sensitive in sharing rules

` `

  • A public group is an administrator-defined grouping of users that you can use to simplify the creation of sharing rules involving many users

` `

  • A public group can comprise any combination of:

groups

Manager Groups:

` `

  • Allow users to share records up or down their management chain

Users can share records through:

` `

  • Manual sharing

` `

  • Sharing rules

` `

  • Apex managed sharing

Manager Groups option needs to be enabled in orgs

Path: Setup | Security controls | Sharing Settings |Edit

Manager Groups:

` `

  • Cannot be added to other groups

` `

  • Do not include portal users

` `

  • Contain only Standard & Chatter only users

Data Exceptions:

Account Teams:

` `

  • Share roles with the sales teams

` `

  • Are used for collaborative account management

` `

  • Are used for sharing & reporting purposes

Opportunity Team Selling

Sales teams:

` `

  • Support collaborative selling & transport reporting

` `

  • Can be added by opportunity owners, their managers in the role hierarchy & administrators

` `

  • Allow opportunity owners to grant access to each team member they select

` `

  • Allow users to select a default team for each opportunity they own

Process of setting up Account Teams and Opp Team Selling:

Path:

Setup |Customize | Accounts | Account Teams

Setup | Customize | Opportunity | Opportunity Teams | Settings

Manual Sharing:

` `

  • Is used to grant access on a one-off basis

` `

  • Can be granted by the owner, any role above the owner, or the administrator

Personal Calendars: Setup | Security Controls | Sharing Setting

` `

  • Every user has a personal calendar

` `

  • The administrator sets the organization-wide level of access to personal calendars, in security controls

` `

  • Individual users then grant access to specific users

Public Calendars: Setup | Customize | Activities | Public Calendars & Resources

` `

  • Administrator & users with the “Customized Application” permission can create public calendars

` `

  • Public calendars can be shared with public groups, roles, and users

` `

  • These specified users can choose to view the public I calendar from any calendar view

Organization-wide defaults VS. Role Hierarchy VS. Sharing Models

If OWDs restrict objects to Private or Public Read-Only:Organization-wide defaults VS. Role Hierarchy VS. Sharing Models

org_wide

Determining How to Set OWD for an Object

` `

  1. Who is the most restrict user of this object? –> User?

` `

  1. Is there ever going to be an insurance of this object that this user shouldn’t be allowed to see?

    ` `

    1. If yes, sharing model = private

    ` `

    1. If no, go to #3

` `

  1. Is there ever going to be an instance of this object that this user shouldn’t be allowed to edit?

    ` `

    1. If yes, sharing model = public read-only

    ` `

    1. If no, sharing model = public read/write

` `

  • Field-Level Security:

    ` `

    • Defines user ability to view and edit fields in SFDC

    ` `

    • Help enforce data security

    ` `

    • Help ensure that users view only relevant data

Using the field-level security to hide a field from user also hides the field from list views, search results, and reports

The most restrictive security settings always apply

Viewing and setting Field-Level Security:

` `

  • Access field-level security settings through the field or the profit

    ` `

    • Set a field’s security for multiple profiles

    ` `

    • Set a profile’s access to multiple fields

Path: setup | Security Controls | Field Accessibility