Salesforce Profiles – Object & User Permission Control - Textnotes

Learn how Profiles manage base-level access in Salesforce, including object permissions, tabs, apps, login restrictions, and system permissions. Essential for every Salesforce Admin.

2) Salesforce Security Model — Detailed Explanations + Examples

Salesforce security is divided into four major layers:

  1. Object Level Security (Profiles, Permission Sets)
  2. Field Level Security
  3. Record Level Security (Roles, Sharing Rules, OWD)
  4. Login & Session Security (Login hours, IPs)

Below is the full, detailed content.

1) Profiles

What is a Profile?

A Profile defines what a user can do in Salesforce.

It controls:

  1. Object permissions (Read, Create, Edit, Delete)
  2. App access
  3. Tab visibility
  4. System permissions
  5. Login hours
  6. Login IP ranges

Example

Sales User Profile:

  1. Can create Leads
  2. Can edit Opportunities
  3. Cannot delete Accounts
  4. Can access Sales App

Service Agent Profile:

  1. Can create Cases
  2. Cannot access Opportunities

Real-Life Comparison

Profile = Your job role

Example: Salespeople can't access IT systems, IT people can’t access HR data.

2) Permission Sets

What are Permission Sets?

Permission Sets extend a user’s access without changing the profile.

Used when:

  1. One user needs extra permissions
  2. You don’t want to create multiple profiles

Example

A Sales user needs:

  1. Access to Reports
  2. Access to a Custom Object called “Training__c”

Create a Permission Set → Assign to that user.

Key Difference

Profiles                 | Permission Sets
-------------------------|------------------------------
Mandatory                | Optional
One profile per user     | Many permission sets per user
Defines base access      | Gives extra access
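The table above says access is additive: a user's effective object permissions are the union of what the profile grants and what every assigned permission set grants. The following Apex class is an added example (not code from the page) that makes that union visible for one user; it relies only on the standard PermissionSetAssignment and ObjectPermissions objects, and the object names in the usage comment are assumed.

```apex
// Added example (not from the page): compute a user's effective object permissions
// from their profile plus every assigned permission set. Grants are additive: if any
// source grants an operation, the user has it.
public class EffectiveObjectAccess {

    // Returns, per object API name, the granted operations and the source
    // (profile or permission set) that granted each one.
    public static Map<String, List<String>> forUser(Id userId, Set<String> objectNames) {
        // Each user carries one assignment to the permission set that backs their profile
        // (IsOwnedByProfile = true) plus one assignment per explicitly assigned permission set.
        Set<Id> parentIds = new Set<Id>();
        for (PermissionSetAssignment psa : [
                SELECT PermissionSetId
                FROM PermissionSetAssignment
                WHERE AssigneeId = :userId]) {
            parentIds.add(psa.PermissionSetId);
        }

        Map<String, List<String>> grants = new Map<String, List<String>>();
        for (String objName : objectNames) {
            grants.put(objName, new List<String>());
        }

        for (ObjectPermissions op : [
                SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
                       PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords,
                       Parent.Label, Parent.IsOwnedByProfile, Parent.Profile.Name
                FROM ObjectPermissions
                WHERE ParentId IN :parentIds AND SobjectType IN :objectNames]) {
            String source = op.Parent.IsOwnedByProfile
                ? 'profile ' + op.Parent.Profile.Name
                : 'permission set ' + op.Parent.Label;
            List<String> ops = grants.get(op.SobjectType);
            if (op.PermissionsRead)             ops.add('Read via ' + source);
            if (op.PermissionsCreate)           ops.add('Create via ' + source);
            if (op.PermissionsEdit)             ops.add('Edit via ' + source);
            if (op.PermissionsDelete)           ops.add('Delete via ' + source);
            // View All / Modify All bypass OWD, role hierarchy and sharing rules for that
            // object, so flag them separately when reviewing a profile or permission set.
            if (op.PermissionsViewAllRecords)   ops.add('View All via ' + source);
            if (op.PermissionsModifyAllRecords) ops.add('Modify All via ' + source);
        }
        return grants;
    }
}

// Usage from Execute Anonymous, for the objects used on this page (assumed object list):
// Map<String, List<String>> g = EffectiveObjectAccess.forUser(
//     UserInfo.getUserId(), new Set<String>{ 'Lead', 'Opportunity', 'Account', 'Case' });
// System.debug(JSON.serializePretty(g));
```

Because each grant is labelled with its source, the output answers the usual review question directly: whether a Sales user's ability to delete Accounts comes from the profile (a base-access problem) or from a permission set someone assigned later.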

3) Roles & Role Hierarchy

What is a Role?

Roles define who can see whose data.

Hierarchy Logic

People higher in hierarchy → can see all data of those below them.

Example Role Hierarchy

CEO
└── Sales Director
    └── Regional Manager
        └── Sales Executive

Sales Director can see data of all Regional Managers

CEO can see everything

Important

Roles control record visibility, not system access.

4) Sharing Rules

What are Sharing Rules?

Sharing Rules open up additional access to records automatically.

Used when:

  1. OWD is private
  2. Teams need to share records with each other

Types:

  1. Owner-based sharing
  2. Criteria-based sharing

Example

If OWD for Opportunities = Private

Create a sharing rule:

  1. IF Region = “South”
  2. Share with → South Team
  3. Access → Read/Write

This gives cross-team access.

5) OWD (Org-Wide Defaults)

What is OWD?

OWD defines the baseline access level for records.

OWD Options:

  1. Private – Users see only their own records
  2. Public Read Only – Everyone can see, but not edit
  3. Public Read/Write – Everyone can see & edit
  4. Controlled by Parent – Record visibility follows parent object

Example

OWD for "Cases" = Public Read/Write

→ All agents can edit any case

OWD for "Opportunities" = Private

→ Only owner + managers can see them

6) Field-Level Security (FLS)

What is FLS?

Controls who can see or edit specific fields.

Example

For a “Salary” field in Employee__c object:

  1. HR Profile → Visible + Editable
  2. Manager Profile → Visible only
  3. Sales Profile → Hidden

Even if users can access the object, they may not see all fields.
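FLS is enforced automatically in the standard UI, but Apex runs in system mode and will happily return a hidden field unless the code checks. The class below is an added example (not from the page) showing both sides of that for the Salary field: the API names Employee__c and Salary__c are assumed, and the class uses the platform's Security.stripInaccessible and Schema describe calls rather than hand-rolled checks.

```apex
// Added example (not from the page). Assumes a custom object Employee__c with a
// currency field Salary__c (the page names the field "Salary"; the API name is assumed).
// "with sharing" applies OWD, role hierarchy and sharing rules to the queries;
// field-level security still has to be handled explicitly, as below.
public with sharing class EmployeeSalaryService {

    // Read path: strip fields the current user cannot see (FLS "Hidden" for Sales,
    // "Visible" for Manager and HR). Records are returned with Salary__c removed
    // instead of failing the whole request.
    public static List<Employee__c> readVisible(Set<Id> employeeIds) {
        List<Employee__c> rows = [
            SELECT Id, Name, Salary__c
            FROM Employee__c
            WHERE Id IN :employeeIds];
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, rows);
        // getRemovedFields() reports what was dropped, e.g. {Employee__c={Salary__c}} for a Sales user
        System.debug('Fields hidden by FLS: ' + decision.getRemovedFields());
        return (List<Employee__c>) decision.getRecords();
    }

    // Write path: only a user whose profile/permission sets mark Salary__c editable (HR)
    // may update it; Manager (visible only) and Sales (hidden) are refused before any DML.
    public static void updateSalary(Id employeeId, Decimal newSalary) {
        if (!Schema.sObjectType.Employee__c.isUpdateable()) {
            throw new AuraHandledException('No Edit permission on Employee__c');
        }
        Schema.DescribeFieldResult salary = Schema.sObjectType.Employee__c.fields.Salary__c;
        if (!salary.isAccessible() || !salary.isUpdateable()) {
            throw new AuraHandledException('Salary__c is not editable for the current user');
        }
        update new Employee__c(Id = employeeId, Salary__c = newSalary);
    }
}
```

The read path deliberately degrades (field removed, request succeeds) while the write path deliberately fails closed (exception before DML); that asymmetry is usually what you want, since a silent partial update of a salary is worse than a silent partial read.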

7) Login Hours & IP Restrictions

Login Hours

Restrict when users can log in.

Example:

Support team can log in only 7 AM to 10 PM

After time ends → Salesforce auto logs out.

Login IP Ranges

Allows login only from specific IPs.

Example:

A company allows login only from office network:

  1. Allowed IP: 103.55.18.0 – 103.55.18.255
  2. If user tries at home → Login blocked.
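Once login hours and IP ranges are configured, the practical follow-up is to watch who is being refused and from where. The class below is an added example (not from the page) that summarises refused logins from the standard LoginHistory object and checks whether a source IP falls inside the page's office range; the exact Status labels Salesforce uses for hour- and IP-based refusals are not assumed here, so the query filters on anything other than 'Success' and lets you read the labels from the result.

```apex
// Added example (not from the page): review LoginHistory for logins Salesforce refused,
// and check whether a source IP sits inside a configured login IP range
// (103.55.18.0 – 103.55.18.255 from the page). Defender's view: which users are
// hitting the restriction, from where, and how often.
public class LoginRestrictionReview {

    // Counts non-successful logins in the last day, keyed by user, source IP and status.
    // Status labels are taken from the data rather than assumed; anything that is not
    // 'Success' is worth a look (bad passwords, hour and IP-range refusals, etc.).
    public static Map<String, Integer> refusedLoginsLastDay() {
        Map<String, Integer> counts = new Map<String, Integer>();
        for (LoginHistory lh : [
                SELECT UserId, SourceIp, Status
                FROM LoginHistory
                WHERE LoginTime = LAST_N_DAYS:1 AND Status != 'Success'
                ORDER BY LoginTime DESC
                LIMIT 2000]) {
            String key = lh.UserId + ' | ' + lh.SourceIp + ' | ' + lh.Status;
            counts.put(key, counts.containsKey(key) ? counts.get(key) + 1 : 1);
        }
        return counts;
    }

    // True when the dotted-quad ip lies within [startIp, endIp] inclusive (IPv4 only).
    public static Boolean inRange(String ip, String startIp, String endIp) {
        Long v = toLong(ip);
        return v >= toLong(startIp) && v <= toLong(endIp);
    }

    // Converts "a.b.c.d" to its 32-bit numeric value so ranges compare as numbers.
    private static Long toLong(String ip) {
        Long value = 0;
        for (String octet : ip.split('\\.')) {
            value = value * 256 + Integer.valueOf(octet);
        }
        return value;
    }
}

// Execute Anonymous (constructed sample IPs):
// System.debug(LoginRestrictionReview.inRange('103.55.18.42', '103.55.18.0', '103.55.18.255'));
// System.debug(LoginRestrictionReview.inRange('49.207.1.9',   '103.55.18.0', '103.55.18.255'));
// System.debug(LoginRestrictionReview.refusedLoginsLastDay());
```

A repeated refusal for one user from many unfamiliar IPs looks different from many users refused from one new office address; the first is worth an incident ticket, the second is usually a missing range.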

8) Record Access Troubleshooting

When a user cannot see a record, check in order:

  1. OWD – Is OWD set to Private?
  2. Role Hierarchy – Is the user above the owner in the hierarchy?
  3. Sharing Rules – Is there a sharing rule for the user’s group?
  4. Manual Sharing – Did someone share the record manually?
  5. Team Access (Account/Sales Team) – Is the user added to the team?
  6. Profile & Permission Sets – Do they have “Read” permission on the object?

Example Scenario

User says: “I can’t see Leads”

Check:

  1. OWD for Leads = Private
  2. User role is lower → can't see
  3. No sharing rules
  4. No permission sets

Solution:

→ Create a sharing rule, OR place them higher in hierarchy.
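The checklist above can be run against the platform's own records instead of by hand. The class below is an added example (not from the page): it reports what Salesforce has computed for a user/record pair via UserRecordAccess, then walks the same six layers using EntityDefinition (OWD), UserRole (hierarchy), the object's share table (sharing rules, manual shares, teams) and ObjectPermissions (object Read). It assumes the record is owned by a user rather than a queue, and for custom objects it derives the share-table name from the API name.

```apex
// Added example (not from the page): a diagnostic for "User X can't see record Y" that
// walks the page's checklist with real platform objects. Assumes the record's owner is a
// user (not a queue) and that the org uses a role hierarchy.
public class RecordAccessDiagnostic {

    public static List<String> explain(Id userId, Id recordId) {
        List<String> notes = new List<String>();
        String objName = recordId.getSobjectType().getDescribe().getName();

        // Result first: what the platform itself computes for this user/record pair.
        UserRecordAccess ura = [
            SELECT RecordId, HasReadAccess, HasEditAccess, MaxAccessLevel
            FROM UserRecordAccess
            WHERE UserId = :userId AND RecordId = :recordId];
        notes.add('Platform says: read=' + ura.HasReadAccess + ' edit=' + ura.HasEditAccess
                  + ' max=' + ura.MaxAccessLevel);

        // 1) OWD: the internal sharing model of the object (Private, Read, ReadWrite, ...).
        EntityDefinition ed = [SELECT InternalSharingModel FROM EntityDefinition
                               WHERE QualifiedApiName = :objName];
        notes.add('1) OWD for ' + objName + ' = ' + ed.InternalSharingModel);

        // 2) Role hierarchy: is the user's role an ancestor of the owner's role?
        List<SObject> recs = Database.query('SELECT OwnerId FROM ' + objName + ' WHERE Id = :recordId');
        Id ownerId = (Id) recs[0].get('OwnerId');
        Boolean aboveOwner = false;
        if (ownerId.getSobjectType() == User.SObjectType) {
            Id userRole  = [SELECT UserRoleId FROM User WHERE Id = :userId].UserRoleId;
            Id ownerRole = [SELECT UserRoleId FROM User WHERE Id = :ownerId].UserRoleId;
            aboveOwner = isAncestorRole(userRole, ownerRole);
        }
        notes.add('2) User above owner in role hierarchy: ' + aboveOwner
                  + ' (only counts if "Grant Access Using Hierarchies" is on for ' + objName + ')');

        // 3)-5) Sharing rules, manual shares and team access all materialise as rows in the
        // object's share table; RowCause says which layer produced each row. A row granted
        // to a group still needs the user to be a member of that group.
        String shareObj = objName.endsWith('__c')
            ? objName.removeEnd('__c') + '__Share' : objName + 'Share';
        String parentField = objName.endsWith('__c') ? 'ParentId' : objName + 'Id';
        try {
            for (SObject s : Database.query('SELECT UserOrGroupId, RowCause FROM ' + shareObj
                                            + ' WHERE ' + parentField + ' = :recordId')) {
                notes.add('3-5) share row: ' + s.get('RowCause') + ' -> ' + s.get('UserOrGroupId'));
            }
        } catch (QueryException e) {
            notes.add('3-5) share table not queryable for ' + objName + ' (' + e.getMessage() + ')');
        }

        // 6) Object permission: does any assigned profile/permission set grant Read?
        Integer readGrants = [
            SELECT COUNT() FROM ObjectPermissions
            WHERE SobjectType = :objName AND PermissionsRead = true
              AND ParentId IN (SELECT PermissionSetId FROM PermissionSetAssignment
                               WHERE AssigneeId = :userId)];
        notes.add('6) Read permission on ' + objName + ' via profile/permission sets: ' + (readGrants > 0));
        return notes;
    }

    // Walks ParentRoleId upward from the owner's role; true if it reaches the candidate role.
    private static Boolean isAncestorRole(Id candidateRole, Id ownerRole) {
        if (candidateRole == null || ownerRole == null) return false;
        Map<Id, UserRole> roles = new Map<Id, UserRole>([SELECT Id, ParentRoleId FROM UserRole]);
        Id current = roles.containsKey(ownerRole) ? roles.get(ownerRole).ParentRoleId : null;
        while (current != null) {
            if (current == candidateRole) return true;
            current = roles.containsKey(current) ? roles.get(current).ParentRoleId : null;
        }
        return false;
    }
}

// Execute Anonymous (substitute real Ids):
// for (String n : RecordAccessDiagnostic.explain(UserInfo.getUserId(), '00Q000000000000AAA')) System.debug(n);
```

Reading the notes top to bottom reproduces the page's scenario: OWD Private, user not above the owner, no share rows and no object Read grant explains "I can't see Leads" without guessing, and tells you which single layer to change (a sharing rule, a role move, or an object permission) rather than reaching for View All.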