Data secure? Check.
Good security is all about giving the right access to the right Users. Not only does it secure the information within Salesforce org, but it also declutters the amount of information your Users see for a better & streamlined experience.
Salesforce platform’s flexible, layered sharing model makes it easy to assign different data sets to different sets of users. Choose the data set each User or group can see to ensure good security of your Salesforce org or app. This best practice reduces the risk of stolen or misused data!
In the Talent Stacker project that Abby and I created, the client told us there were 4 User groups at The Giving Tree Foundation and each one had a very specific job. ( Lead Generator, Volunteer Project Manager, Donation Manager and Program Manager) There was no overlap in tasks and the information they wanted each group to have access was well defined. So we just needed to figure out the Profiles and their data access.
What is a Profile? Profile is a group/collection of settings and permissions that define what a User can DO in Salesforce. Let me repeat — it controls what Users can DO in Salesforce. This can be referred to as CRED (or CRUD). CRED enables you to mix and match what a User can do on each object.
We determined that we only had to create 3 profiles to meet the requirement:
Lead Generator — full access CRED to Leads, but cannot convert Lead
Donation Manager — full access CRED to Accounts, Contacts, Donations
Program Manager — full access CRED to all objects
Wait, what happened to the Volunteer Project Manager? The VPM is like a Lead Generator with some added permissions so it doesn’t need it’s own Profile. We can just add a Permission Set to layer onto this User so they can access the Accounts, Contacts and Opportunities object. I’ll explain later. So let’s start by creating the Profiles.
To create a new Profile, you’re really cloning an existing one. We cloned the Standard User and named it Lead Generator:
Then you want to define the permission this Profile gets. Click on Object Settings and start taking away the CRED access to the objects that the Profile should NOT have access to. It’s a tedious process, but it’s got to be done.
For Lead Generator, all objects should have No Access except for Leads.
For Leads object [the only object they have access to], make sure the Leads Tab Settings = Default On and CRED is all Enabled. Enabled CRED to an object means the User can Create, Read, Edit, and Delete records on this object.
For all other objects the Profile has No Access, make sure the Tab Settings = Tab Hidden and CRED boxes are NOT checked. Tab Hidden is important so the User can’t access the fields to the object through Reports. No CRED to an object means the User can’t Create, Read, Edit, nor Delete records on this object. Tab Hidden + No CRED = ZILCH, NADA, 0 access to the object.
Now, follow the same process for the other 2 Profiles and edit the object access accordingly. All 3 Profiles have been created and edited to meet the requirements.
So let’s get back to the VPM who has the Lead Generator profile, but needs a Permission Set. What’s a Permission Set? It’s an added permission that extends a Users’ functionality, allowing flexibility by giving certain permissions (objects, field-level security, page layouts, record types, apps, tabs) to assigned Users — basically, you’re tagging an individual User with an added superpower. Now, if there are a lot of Users that need this power, then yeah, go ahead and create a Profile for them.
Recap, the VPM’s job is to convert the Leads so they need access to Accounts, Contacts and Opportunities objects. To create a Permission Set that gives access to these objects, go to Setup/Home/Permission Sets/New:
In the next screen, click on Object Settings and add the appropriate permissions to the objects you want to add for this User.
For each object (Accounts, Contacts, Opportunties), we want to add the Tab Setting (Default On) and enable CRED.
When the Permission Set is done, then you assign it to the specific User.
If you need to edit the Users, go to the Permission Set and click on Manage Assignments, where you can Add or Remove a User.
Now how do you check what you’ve done? As a System Admin, you have the ability to login as a User. Go to Setup/Users/Login (for the User you want to login as). Let’s test our Lead Generator.
Looky, looky! We only see Potential Donors! Remember, we renamed Leads to Potential Donors. Notice at the top of the screen, it’s telling you that you’re logged in as the Lead Generator and you can log out by clicking on the far right, “log out as Test Lead Generator.”
As the System Admin, it’s important to login as each User to make sure their security setting is correct. So let’s do it! Don’t assume if one is right, then they’re all are right. You know the saying: ass.u.me. Don’t do it!
Security all done here! I can relax now.