Salesforce Record-Level Security Explained

How to Achieve Record-Level Security in Salesforce

‍

Salesforce works with a layered approach to data security. The platform deals with data protection and management, and the smallest form of data is a record. Simply put, a record in Salesforce is a row in a database table. The security architecture of Salesforce is so comprehensive that there are different layers or levels of measures to protect data. In this article, we will be looking into record-level security, what it is, and how you implement it as a Salesforce administrator.

‍

What is Record-Level Security?

‍

Record-level security in Salesforce is a system that controls user access to certain records in Salesforce. This access includes records that can be viewed, edited or deleted. It provides a way to restrict or grant access to individual records, thereby maintaining data confidentiality. In essence, you can allow certain users in your org access to certain objects but limit them from viewing certain records within that object.

‍

In some cases, view only, view and edit, or view, edit, delete, and transfer ownership access. Essentially, you can grant specific users in your organization access to particular objects but restrict their ability to view certain records within that object. In some cases, you can limit their access to view only, view and edit, or view, edit, delete, and transfer ownership. Users can have the following levels of access to records:

• View only 
• View and edit access
• View, edit, delete, and transfer of ownership access

It is important to note that a Salesforce Administrator can give object-level access to a profile created, and through this access, the owner of the profile may be able to access some records. This is done through the CRED permissions. CRED stands for Create, Read, Edit, and Delete.

A visual guide demonstrating how to access CRED permissions in Salesforce by navigating through Setup, selecting Profiles, and reviewing Standard Object Permissions.

‍

However, accessing these objects does not directly translate to full access to every record on the profile. Two things have to be considered when deciding if a profile has full access to a record or not:

1. The level of access to a record is always determined by a combination of the object-level, field-level, and record-level permission.
   
   
2. In a case where the object-level permission conflicts with the record-level permission, the most restrictive permission will win.
   

What this means is that even if the user already has object-level permission, if the record-level permission is the more restrictive in settings, then the record-level permission wins. 

‍

Strategies for Implementing Record-Level Access

‍

There are different ways through which record-level access can be implemented. Here are four major ways:

‍

1. Organization-Wide Defaults (OWD): This defines the baseline level of access to records within an object. Access includes:

• Public read-only: This grants only viewing access to users.
• Public read/write: This grants users both viewing and editing access.
• Private: This only grants access to the record owner and those above them in the role hierarchy

The above image explains how to access organization-wide defaults in Salesforce by navigating through the Setup menu, selecting Sharing Settings, and reviewing the Organization-Wide Defaults section.

‍

2. Role Hierarchies: This grants access to records based on a user’s role in the organization. This means that users higher in the hierarchy are granted access to records owned by users lower than them in the organizational hierarchy. For example, the director of an organization can have access to the records owned by the secretary of the organization. Role hierarchy is beneficial for scenarios where an organizational structure influences data visibility.

An overview of the role hierarchy settings in Salesforce, highlighting how access can be granted on specific objects to align with organizational structure and data visibility needs.

An image of the role hierarchy setup in Salesforce, highlighting how roles and permissions can be defined to manage data access and visibility within an organization.

‍

3. Sharing Rules: This provides exceptions to OWD by granting access to specific groups of users. These rules are used when specific user groups need access to records outside their usual permissions. These rules are of two types: 

• Based on criteria
• Based on record ownership

A detailed explanation of role hierarchy setup in Salesforce, highlighting how it structures roles to manage data access and visibility across an organization.

‍

4. Manual Sharing: This allows record owners to directly share records with specific users or groups. It provides control for specific collaborations.

Visualization of data visibility expansion in Salesforce, illustrating how access increases based on roles, sharing rules, or other security settings.

‍

Importance of Record-Level Security

• Ensures data security and compliance.
• Facilitates controlled record sharing among teams, enabling collaboration while ensuring users can only access data relevant to their responsibilities.
• Provides a flexible security model that scales with the organization, adapting to changing roles, hierarchies, and processes without compromising security.
• This prevents users from being overwhelmed with unnecessary data, enabling faster and more focused operations.

Conclusion

‍

Record-Level Security is an important layer of security in Salesforce. Salesforce Administrators should familiarize themselves with this feature in order to make the best of it. Whether the administrator is using the org-wide default, the role hierarchy, the sharing rule, or the manual sharing, it is important that a proper understanding of these features is taken into consideration for effective usage.