Salesforce Developer Security Authorization


// Salesforce - Developer - Security - Authorization:

Authorization dictates what a user is permitted to access. On the Salesforce 
platform, administrators can define an authorization model to enforce their 
businesses data access requirements. There are several key features built into 
the platform that will help us accomplish this:

1. Profiles
2. Sharing Rules
3. Permission Sets

Guiding Principle: 

1. Least Privilege Definition: A person should only have access to the minimum 
   amount of information required to accomplish their duties ensuring that 
   their ability to take advantage of excess privilege purposefully or 
   accidentally is minimzed.

Configuring the authorization model such that every user can do their job, but 
no more.

On the Salesforce platform, profile is a standard object that contains user 
permissions and access controls. Every user record is linked to a profile.  
Profiles control:

1. Which apps and tabs a user can see

2. What object permissions a user has

3. Which fields within objects a user can view

4. Which Apex classes and Visualforce pages users can access

5. Permitted login hours and IP addresses

The primary component of authorization that exists outside of the profile is 
record visibility, which is controlled by sharing. Sharing in Salesforce 
consides of several components:

1. User role
2. Sharing rules
3. Organization wide defaults

CRUD, Sharing, and FLS can be confusing concepts to keep clear. Our favorite 
analogy for keeping it all straight is an excel spreadsheet.

1. CRUD dictates which tabs, or objects you can read / edit / delete.

2. FLS (Field-level security) dictates which columns, or fields you can read 
   / edit / delete.

3. Sharing dictates which rows, or records, in the spreadsheet are visible.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License