One more blog on Salesforce

Monday, August 14, 2017

Salesforce Security: Concepts

System Level Security

1. Authentication: Single Sign-On
  • Federated authentication: SAML (Security Assertion Markup Language) is the standard. The user's identity, not the user's password, is passed from one system to another in a signed XML document called a SAML assertion. An Identity Store (LDAP, Active Directory) is the 'master' of user identity. The Identity Provider (IdP) authenticates the user, generates the SAML assertion and sends it to the Service Provider (salesforce.com). The service provider validates the assertion (signature, issuer, audience, validity window) and then creates a session.
a. IdP-initiated SAML: the user starts at the IdP, which posts the assertion to Salesforce.
b. SP-initiated SAML: the user starts at Salesforce, which redirects to the IdP and receives the assertion back.
  • Delegated Authentication: Salesforce passes the credentials the user typed to a web service you host, and that service decides whether the login succeeds.
2. Authorization: OAuth 2.0, used by connected apps and integrations to obtain access tokens without handling the user's password.
3. Social Sign-On: login through an external identity such as Google or Facebook, configured as an Auth. Provider.

Application Level Security

1. a. Profiles: 

Profile settings and permissions determine what users can see (the visibility of objects, tabs and fields, and the CRUD operations allowed on objects) and what they can do with those objects. Profiles are typically defined by job function. Each profile is tied to one license type, and each user has exactly one profile.

What does a profile control?
1. User interface: Tabs, page layouts, record types, applications
2. Access to data: Field level security
3. Login hours and login IP ranges
4. Permissions: App, System, Standard/Custom object CRUD

A user with the API Only User permission cannot log in through the Salesforce user interface; the user can reach the org only through the API.
The Password Never Expires permission is often used for integration users so that a scheduled integration does not break when a password rotates. Pair it with API Only User and login IP ranges so that the credential is useless outside the integration.
Tab Settings: Default On (tab shown), Default Off (tab available but not shown until the user adds it), Tab Hidden.

1. b. Permission Sets: 

They grant additional access settings to individual users and provide a flexible way to make exceptions to the profile structure without creating more profiles. A user has one profile but can have many permission sets.

How to use Permission Sets with Profiles?
Use profiles to assign the most restrictive permissions and access settings. Use permission sets to grant additional permissions only to the users who need them.

2. Organization Wide Defaults:

Defines the baseline (default) level of access users have to records they do not own.
  • Private: users can access only the records they own; anything else must come from the role hierarchy or sharing.
  • Public Read Only: users can view all records, but edit only the ones they own.
  • Public Read/Write: users can view and edit any record, as far as their profile's object permissions allow.

3. Role Hierarchy:

Record visibility by hierarchy: users can see and edit the records owned by, or shared with, users below them in the hierarchy. Role hierarchy settings also control record visibility in reports and forecasts. Unlike sharing rules, the hierarchy gives a user full ownership privileges over the records the user inherits.

4. Sharing Rules:

Sharing rules can be thought of as lateral access: they share records between groups in parallel branches of the hierarchy, which the hierarchy alone cannot do. Consider these three questions when defining a sharing rule:

A. Share which records?
  • Owned by certain users
  • Meeting certain criteria: criteria-based sharing rules determine which records are shared based on field values rather than ownership. Examples: share all accounts in a certain region, share all opportunities involving a particular product.

B. With which users?
  • Public groups
  • Roles
  • Roles and subordinates

C. What level of access?
  • Read-only
  • Read/Write

Sharing rules never grant full ownership privileges over the records they share; the recipient gets at most Read/Write. Keep the total number of sharing rules small by sharing with public groups rather than with many individual roles.

5. Manual Sharing:

Every record has a Sharing button that lets the record owner share it with individual users or groups. Three types of users can perform manual sharing: administrators (Modify All Data), the record owner, and users above the owner in the role hierarchy.
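The same manual share can be created from Apex by inserting a row into the object's share table. The following is an added example, not code from the original post; it assumes a hypothetical custom object Project__c whose OWD is Private (so Salesforce has generated a Project__Share table), and the class and method names are my own. Standard objects use AccountShare, OpportunityShare and so on instead.

```apex
// Added example (not from the original post). Shares one record the way the
// Sharing button does, but from Apex. Project__c / Project__Share are assumed
// hypothetical objects; RowCause, ParentId, UserOrGroupId and AccessLevel are
// the real fields of every custom share object.
public with sharing class ProjectSharingService {

    public class SharingException extends Exception {}

    // Grant Read or Edit access on one project to a user or a group
    // (public group, role, or role-and-subordinates group).
    // 'All' (full ownership) cannot be granted through a share row, which is
    // why neither manual sharing nor sharing rules ever confer ownership.
    public static Boolean shareProject(Id projectId, Id userOrGroupId, Boolean readWrite) {
        Project__Share share = new Project__Share();
        share.ParentId      = projectId;
        share.UserOrGroupId = userOrGroupId;
        share.AccessLevel   = readWrite ? 'Edit' : 'Read';
        // RowCause Manual makes this behave like a UI manual share: it is listed
        // under the Sharing button and is dropped when the record owner changes.
        share.RowCause      = Schema.Project__Share.RowCause.Manual;

        // allOrNone=false so we can inspect the error instead of getting a DmlException.
        Database.SaveResult sr = Database.insert(share, false);
        if (sr.isSuccess()) {
            return true;
        }
        Database.Error err = sr.getErrors()[0];
        // The platform rejects a share whose access level is not more permissive than
        // the object's OWD (e.g. 'Read' when the OWD is already Public Read Only).
        // Nothing needs to be stored in that case, so report "nothing to do".
        if (err.getStatusCode() == StatusCode.FIELD_FILTER_VALIDATION_EXCEPTION
                && err.getMessage().contains('AccessLevel')) {
            return false;
        }
        throw new SharingException(err.getMessage());
    }

    // Undo the manual share. Only rows with RowCause Manual are touched, so access
    // that comes from sharing rules or the role hierarchy is left alone.
    public static Integer revokeManualShare(Id projectId, Id userOrGroupId) {
        List<Project__Share> rows = [SELECT Id FROM Project__Share
                                      WHERE ParentId = :projectId
                                        AND UserOrGroupId = :userOrGroupId
                                        AND RowCause = :Schema.Project__Share.RowCause.Manual];
        delete rows;
        return rows.size();
    }
}
```

Apex runs in system context, so this method writes the share row whether or not the running user would be allowed to press the Sharing button; restrict who can invoke it, and prefer revoking by RowCause as shown so that you never delete rows the sharing engine maintains itself.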

6. Team Sharing and territory management:

Account, opportunity and case teams, and territory management, grant additional record access based on the organization's needs: for example, every member of an opportunity team gets access to that opportunity, and membership in a territory grants access to the accounts assigned to it.

Field Level Security

Field-level security restricts users' ability to view and edit individual fields. The fields a user sees on detail and edit pages are a combination of page-layout settings and field-level security settings; the more restrictive of the two always applies, so a field hidden by FLS stays hidden even if the layout shows it. FLS is enforced everywhere (API, reports, list views, search), whereas page layouts only shape the UI, so FLS is the actual control and the layout is only presentation.
  • Field-level security settings:
Visible
Read-Only
  • Page layout settings:
Visible/Hidden
Read-Only
Required

On any field's detail page in Setup there are two buttons:
  1. Set Field-level Security
  2. View Field Accessibility


Organization Wide Defaults

  • OWD is the most restrictive record-level setting. The role hierarchy, sharing rules, manual sharing and teams can only open up access beyond the OWD; none of them can take away access the OWD already grants. All of these mechanisms control record-level access, that is, access to records the user does not own.
  • Profiles and permission sets provide object-level and field-level access, and they are the ceiling: no record-level sharing can grant access to an object or field that the user's profile and permission sets do not allow.
  • OWD is configured in Setup under Security Controls > Sharing Settings.
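The two layers above show up differently in Apex, which is where this distinction bites in practice: Apex runs in system mode, so it ignores profiles' CRUD/FLS unless the code checks them, and it ignores OWD and sharing unless the class is declared 'with sharing'. The following is an added example, not code from the original post. WITH SECURITY_ENFORCED, Security.stripInaccessible and the Schema describe methods are real platform APIs; the class, method names and the Contact fields queried are my own choices, and the example assumes a Contact OWD that is not Public Read/Write (otherwise 'with sharing' and 'without sharing' would return the same rows).

```apex
// Added example (not from the original post). Demonstrates the two layers of
// Salesforce access control as they appear in Apex:
//  - record-level access (OWD, role hierarchy, sharing rules, manual shares) is
//    enforced by declaring the class 'with sharing';
//  - object- and field-level access (profiles, permission sets) is NOT enforced
//    automatically and has to be checked explicitly.
public with sharing class ContactAccessDemo {

    public class AccessException extends Exception {}

    // Object-level gate: the running user's profile or a permission set must grant
    // Read on Contact. Without this check, system-mode Apex would read the object
    // even for a user whose profile hides it entirely.
    public static Boolean canReadContacts() {
        return Schema.SObjectType.Contact.isAccessible();
    }

    // Record-level: because the class is 'with sharing', this query returns only the
    // contacts the running user can see under the OWD, the role hierarchy, sharing
    // rules and manual shares. A 'without sharing' class would return every contact
    // matching the filter regardless of ownership.
    // WITH SECURITY_ENFORCED adds the field-level check: if the user lacks read access
    // to any selected field (or to the object), the query throws a QueryException
    // instead of silently returning data the profile says the user may not see.
    public static List<Contact> visibleContacts(String accountName) {
        if (!canReadContacts()) {
            return new List<Contact>();
        }
        return [SELECT Id, Name, Email, Phone
                FROM Contact
                WHERE Account.Name = :accountName
                WITH SECURITY_ENFORCED
                LIMIT 200];
    }

    // Update path. Object-level: require Update on Contact. Field-level: strip any
    // field the user cannot edit (e.g. Phone marked Read-Only in FLS) instead of
    // failing the whole request. Record-level: 'with sharing' makes the DML fail for
    // records the user cannot edit under the sharing model.
    public static Map<String, Set<String>> updatePhones(List<Contact> contacts) {
        if (!Schema.SObjectType.Contact.isUpdateable()) {
            throw new AccessException('Running user has no Update permission on Contact');
        }
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);
        update decision.getRecords();
        // Returned so the caller can log which fields were dropped, keyed by object name.
        return decision.getRemovedFields();
    }
}
```

The design choice here is deliberate: the query throws on a field the user may not read (leaking a field name is safer than leaking its data), while the update degrades gracefully by dropping non-editable fields. Either way, the object-level check comes first, matching the rule above that profiles and permission sets are the ceiling that no sharing setting can raise.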


Record types

Record types are used to tailor the user experience to specific business needs. They let you offer different business processes, picklist values, and page layouts to different users. Record types only affect how data is presented and entered in the UI; they are not a security control and do not restrict who can read or edit a record. Which record types a user can select is determined by the user's profile or permission sets.