Salesforce Developer Security Authorization
// Salesforce - Developer - Security - Authorization:
Authorization dictates what a user is permitted to access. On the Salesforce
platform, administrators can define an authorization model to enforce their
businesses data access requirements. There are several key features built into
the platform that will help us accomplish this:
1. Profiles
2. Sharing Rules
3. Permission Sets
Guiding Principle:
1. Least Privilege Definition: A person should only have access to the minimum
amount of information required to accomplish their duties ensuring that
their ability to take advantage of excess privilege purposefully or
accidentally is minimzed.
Configuring the authorization model such that every user can do their job, but
no more.
On the Salesforce platform, profile is a standard object that contains user
permissions and access controls. Every user record is linked to a profile.
Profiles control:
1. Which apps and tabs a user can see
2. What object permissions a user has
3. Which fields within objects a user can view
4. Which Apex classes and Visualforce pages users can access
5. Permitted login hours and IP addresses
The primary component of authorization that exists outside of the profile is
record visibility, which is controlled by sharing. Sharing in Salesforce
consides of several components:
1. User role
2. Sharing rules
3. Organization wide defaults
CRUD, Sharing, and FLS can be confusing concepts to keep clear. Our favorite
analogy for keeping it all straight is an excel spreadsheet.
1. CRUD dictates which tabs, or objects you can read / edit / delete.
2. FLS (Field-level security) dictates which columns, or fields you can read
/ edit / delete.
3. Sharing dictates which rows, or records, in the spreadsheet are visible.
page revision: 0, last edited: 01 Jan 2017 23:33