
Data Access Concepts

Before we get started implementing our security and sharing rules, let's quickly take a look at all the ways that we can control data on the platform:
Object-Level Security
The bluntest way that we can control data is by preventing a user from seeing, creating, editing, or deleting any instance of a particular type of object, like a position or review. Object-level access allows us to hide whole tabs and objects from particular users, so they don't even know that type of data exists.
On the platform, we set object-level access with object permissions in user profiles and permission sets. We'll learn more about them in a little bit.
Field-Level Security
A variation on object-level access is field-level access, in which a user can be prevented from seeing, editing, or deleting the value for a particular field on an object. Field-level access allows us to hide sensitive information like the maximum salary for a position or a candidate's social security number without having to hide the whole object.
On the platform, we set field-level access with field permissions, also in profiles and permission sets. We'll also learn more about them shortly.
Record-Level Security
To control data with a little more finesse, we can allow particular users to view an object, but then restrict the individual object records that they're allowed to see. For example, record-level access allows an interviewer like Melissa Lee to see and edit her own reviews, without exposing the reviews of everyone else on her team.
On the platform, we actually have several ways of setting record-level access rules:
  • Organization-wide defaults allow us to specify the baseline level of access that a user has in our organization. For example, we can let any user see any record of a particular object to which their object permissions give them access, while requiring extra permissions to actually edit one.
  • Role hierarchies allow us to make sure that a manager will always have access to the same records as his or her subordinates.
  • Sharing rules allow us to make automatic exceptions to organization-wide defaults for particular groups of users.
  • Manual sharing allows record owners to give read and edit permissions to folks who might not have access to the record any other way.
[Figure: Controlling Data with the Force.com Platform. A diagram of the sharing and security settings available for different types of users.]

The combination of all of these sharing and security settings in the platform means that we can easily specify user permissions for an organization of thousands of users without having to manually configure the permissions for each individual. Pretty neat! Now let's get started learning more about each of these methods for controlling data, and actually implementing the security and sharing rules for our app.
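How these layers combine, as an added example that is not the platform's own code: a simplified Python model in which object permissions gate every action, record-level access starts at the organization-wide default and is only widened by ownership, the role hierarchy, sharing rules, and manual shares, and field-level security filters what a readable record shows. Apart from Melissa, every name, level label, and data value is constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data; a simplified model, not the platform's own logic.
LEVELS = {"none": set(), "read": {"read"}, "edit": {"read", "edit"}}
OWD = {"Review": "none", "Position": "read"}        # organization-wide defaults
MANAGER_OF = {"melissa": "ben", "tom": "ben"}       # role hierarchy: user -> manager
SHARING_RULES = [("Review", {"mario"}, "read")]     # (object, group members, level)

@dataclass
class User:
    name: str
    object_perms: dict                                # object -> allowed actions
    hidden_fields: set = field(default_factory=set)   # (object, field) pairs

@dataclass
class Record:
    obj: str
    owner: str
    fields: dict
    manual_shares: dict = field(default_factory=dict)  # user name -> level

def is_above(user_name, owner):
    """True if user_name sits somewhere above owner in the role hierarchy."""
    while owner in MANAGER_OF:
        owner = MANAGER_OF[owner]
        if owner == user_name:
            return True
    return False

def record_access(user, rec):
    """Record-level layer: start at the default, then only ever widen."""
    granted = set(LEVELS[OWD[rec.obj]])
    if user.name == rec.owner or is_above(user.name, rec.owner):
        granted |= LEVELS["edit"]
    for obj, members, level in SHARING_RULES:
        if obj == rec.obj and user.name in members:
            granted |= LEVELS[level]
    return granted | LEVELS[rec.manual_shares.get(user.name, "none")]

def can(user, action, rec):
    """Object permissions gate first; record-level access cannot override them."""
    return action in user.object_perms.get(rec.obj, set()) and action in record_access(user, rec)

def visible_fields(user, rec):
    """Field-level layer: drop hidden fields from a record the user can read."""
    if not can(user, "read", rec):
        return {}
    return {k: v for k, v in rec.fields.items() if (rec.obj, k) not in user.hidden_fields}
```

In this model a manual share to a user whose profile lacks the object permission grants nothing, which is the ordering to check when reviewing who can actually reach a record.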