A company or organization has ample employees (Users) and all employees have different designation and role to play. Data or records play an important role in any organization. If each user in the firm has access to all the data, then important data can be misused. It is necessary to hide some data from different users. Salesforce provides multiple options with which one can secure data in different ways. In this blog post I will share possible scenarios in which one can secure data in an organization perspective.
Below are different ways in which we can secure data
- Organization wide default (OWD).
- Permission Set.
- Role Hierarchy
- Manual Sharing
- Sharing Rules
- Apex Sharing
Organization wide default (OWD).
Organization wide default (OWD) is the very basic level of sharing data with all users. Here you can restrict the level of data sharing. You can grant access using other means like role hierarchy, manual sharing, apex sharing etc.
In simple terms, in Organization wide default (OWD) is like defining default level of access users will have across all object and its records.
Profile defines what kind of access a user has on an object and what they can do within salesforce application. Profile also defines the access on fields, custom pages, record types and much more.
Your org includes multiple standard profiles, predefined by salesforce. Users can use existing standard profiles or can build a new custom profile and assign those to users.
Permission Sets are like extension to profiles. If a user in a specific profile need some additional permission other than what permission has been provided to the user, then you can create a permission set and assign the same to users who need similar extended permission.
- A user can have only one Profile.
- A User can have multiple Permission Sets.
- A permission set can be assigned to multiple users who need similar extended permission.
- You can extended the access(Give additional access) of a user, You cannot restrict access of a user using permission set.
In Salesforce there is a concept called Role Hierarchy. We can define the role of individual users in org. Roles are like designation of a company. Just like Jr. Engineers, Sr. Engineers, Leads, Tech Leads, managers etc. We can assign individual roles to a user and know who is in higher designation.
Bases of the hierarchy, The person above the role hierarchy can view records owned by a user who are below their role. Role hierarchies don’t have to match your organization chart exactly. Instead, each role in the hierarchy should represent a level of data access that a user or group of users needs.
Allows owners of particular records to share them with other users. Although manual sharing isn’t automated like org-wide sharing settings, role hierarchies, or sharing rules, it can be useful in some situations.
Even though OWD restrict data access of a particular object, You can give additional access to such objects, based on some criteria to a user or a group. You can share records with Individual User, A specific role and Subordinates, Public Group.
If there is a complex business rule which defines how the data is to be shares with users or groups, And when such complex scenarios could not be handles by standard sharing rule, then we can share record via Apex code.