This content describes an older version of this product.

Delegating Data Administration

As with nearly all Force.com apps, our Recruiting app doesn’t require tedious ongoing administration or a watchful eye monitoring its daily operation. Once the app is deployed, it just works! But from time to time, a decision or issue arises that requires human intervention, and some basic manual administration is required, like:
  • A hiring manager is retiring and has forty open positions that need to be transferred to another manager
  • A current Recruiting app user needs immediate access to private data owned by another user who happens to be on vacation
  • Duplicate records have piled up in the Recruiting app and need to be removed
  • A new employee just got hired and needs access to the Recruiting app
To handle these situations, someone might need to override the security and sharing configurations we just created. Who should have such powers within our app, and how can these powers be granted?
Obviously, your company's primary Salesforce administrator can handle just about any issue that users may encounter in Salesforce. Primary administrators are assigned to the System Administrator profile, which automatically grants several global administrative permissions, including:
  • “View All Data”—View all data owned by other users in your organization
  • “Modify All Data”—Modify all data owned by other users in your organization, mass update and mass delete records, and undelete records that other users deleted
  • “Customize Application”—Customize just about anything in Salesforce, from page layouts to the data model
  • “Manage Users”—Add and remove users, reset passwords, grant permissions, and more

For smaller companies, it makes sense to have a single administrator be the “go-to” person for all Salesforce issues. But for medium to large companies, assigning all Salesforce responsibilities to one person is not practical, especially when you consider that a company can run its entire business in the cloud using a different Force.com app to suit each of its business needs. This could add up to dozens of apps and hundreds or thousands of users! Your primary Salesforce administrator will likely go insane unless other folks can help with the administration. At the same time, every administrative privilege you grant increases the risk of exposing your company's sensitive data, so you need precise control over the amount of access you enable.
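To keep that control measurable, the added example below (not from the original page or from Salesforce) audits who holds the four global permissions listed above and whether each grant comes from a profile or from a permission set. It assumes rows shaped like a query on the Salesforce API object PermissionSetAssignment, which the page does not show; the `row` and `audit` helpers are hypothetical, and every user and permission set name is constructed.

```python
# Added example (not from the original page). Rows are constructed and shaped
# like results of a query on PermissionSetAssignment that selects
# Assignee.Username, Assignee.IsActive, PermissionSet.Label,
# PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name and the four
# PermissionSet.Permissions* fields below (assumed shape).
GLOBAL_PERMS = {
    "PermissionsViewAllData": "View All Data",
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsCustomizeApplication": "Customize Application",
    "PermissionsManageUsers": "Manage Users",
}

def row(user, source, from_profile, *perms, active=True):
    """Build one constructed assignment row; perms are the fields set to True."""
    ps = {field: field in perms for field in GLOBAL_PERMS}
    ps["IsOwnedByProfile"] = from_profile
    ps["Label"] = source
    ps["Profile"] = {"Name": source} if from_profile else None
    return {"Assignee": {"Username": user, "IsActive": active}, "PermissionSet": ps}

SAMPLE_ROWS = [  # constructed data
    row("admin@example.com", "System Administrator", True, *GLOBAL_PERMS),
    row("former.admin@example.com", "System Administrator", True, *GLOBAL_PERMS, active=False),
    row("recruiter.lead@example.com", "Recruiter", True),
    row("recruiter.lead@example.com", "Temp Data Fix", False,
        "PermissionsViewAllData", "PermissionsModifyAllData"),
    row("hr.ops@example.com", "User Provisioning", False, "PermissionsManageUsers"),
]

def audit(rows, approved_admins):
    """Map each active, non-approved user to the global permissions held and their source."""
    findings = {}
    for r in rows:
        user, ps = r["Assignee"], r["PermissionSet"]
        if not user["IsActive"] or user["Username"] in approved_admins:
            continue
        if ps["IsOwnedByProfile"]:
            source = "profile: " + ps["Profile"]["Name"]
        else:
            source = "permission set: " + ps["Label"]
        for field, label in GLOBAL_PERMS.items():
            if ps.get(field):
                findings.setdefault(user["Username"], set()).add((label, source))
    return {user: sorted(held) for user, held in findings.items()}

if __name__ == "__main__":
    for user, held in audit(SAMPLE_ROWS, {"admin@example.com"}).items():
        for label, source in held:
            print(f"{user}: {label} via {source}")
```

Passing an empty approved set lists every active holder, which is the starting point for deciding who belongs on the approved list.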

To preserve both your administrator's sanity and your company's security, the Force.com platform provides two ways to quickly delegate restricted data administration access: object-level permissions and delegated administration groups.