Further Reading: Understand the Security Hierarchy
Salesforce security is built in layers. Understanding this hierarchy helps you start with the most restrictive settings and open access intentionally, rather than reactively.
Here's the hierarchy of Salesforce security and Field-Level Security (FLS) permissions, ordered from the most restrictive foundational settings to the most granular and flexible extensions.
1. Organization-Wide Defaults (OWD)
- The Foundation: This defines the default visibility for records that a user does not own.
- The Rule: Always start with the most restrictive setting here (like "Private"). All other layers can only open access — they cannot take it away.
2. Profiles
- The "Home Base": Every user must have exactly one profile. It defines the basic requirements for their job function.
- The Role: It grants standard Object permissions (Create, Read, Edit, Delete) and establishes the initial Field-Level Security — which fields they can see.
3. Permission Sets
- The Additive Layer: These grant additional permissions to specific users without changing their profile.
- The Role: If a profile doesn't allow access to a specific field or object, a Permission Set can give that access to a subset of users who need it for a special project or task.
4. Permission Set Groups
- The Administrative Bundle: Allows admins to bundle several Permission Sets into a single package.
- The Role: Instead of assigning 10 individual permission sets to a new hire, you assign one Group that contains all of them. This ensures consistency and simplifies user management.
Together these layers let an admin follow the Principle of Least Privilege: start from the least permissive foundation (Org-Wide Defaults), set each user's baseline through their profile, and layer additional access on top through permission sets, organized into permission set groups.
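To make the additive model concrete, here is a small Python model of the four layers described above. It is an added illustration, not Salesforce code and not a call into any Salesforce API; the profile, permission set, object, field and user names are constructed sample data, and the record-level check deliberately models only ownership plus OWD (role hierarchy and sharing rules are left out as a simplifying assumption). It shows the two rules the page states: object and field access is the union of the profile and every assigned permission set (directly or via a group), so a layer can only open access, and a record the user does not own is reachable only as far as the OWD allows.

```python
"""Toy model of the additive Salesforce permission layers (illustrative only).

Added example, not Salesforce code. Names below are constructed sample data;
role hierarchy and sharing rules are omitted on purpose (model assumption).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List


class Owd(Enum):
    """Organization-Wide Default: visibility of records the user does not own."""
    PRIVATE = "Private"
    PUBLIC_READ_ONLY = "Public Read Only"
    PUBLIC_READ_WRITE = "Public Read/Write"


@dataclass(frozen=True)
class Grant:
    """What one layer (a profile or a permission set) grants.

    objects maps an object name to the CRUD verbs it allows;
    fields lists the fields the layer makes readable (Field-Level Security).
    """
    name: str
    objects: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    fields: FrozenSet[str] = frozenset()


@dataclass
class User:
    user_id: str
    profile: Grant                                   # exactly one profile, always
    permission_sets: List[Grant] = field(default_factory=list)
    groups: List[List[Grant]] = field(default_factory=list)  # permission set groups

    def layers(self) -> List[Grant]:
        """Profile first, then every permission set, direct or bundled in a group."""
        bundled = [ps for group in self.groups for ps in group]
        return [self.profile] + self.permission_sets + bundled


def effective_object_perms(user: User, obj: str) -> FrozenSet[str]:
    """Union across layers: a permission set can only add CRUD verbs, never remove."""
    perms = set()
    for layer in user.layers():
        perms |= layer.objects.get(obj, frozenset())
    return frozenset(perms)


def visible_fields(user: User, obj: str) -> FrozenSet[str]:
    """FLS is additive too: the profile's fields plus every permission set's fields."""
    prefix = obj + "."
    return frozenset(f for layer in user.layers() for f in layer.fields if f.startswith(prefix))


def can_access_record(user: User, obj: str, owner_id: str, owd: Owd, action: str) -> bool:
    """Record-level check for Read/Edit/Delete: object permission, then ownership, then OWD."""
    if action not in effective_object_perms(user, obj):
        return False                      # no object-level permission at all
    if owner_id == user.user_id:
        return True                       # owners can always reach their own records
    if owd is Owd.PRIVATE:
        return False                      # the restrictive foundation: others' records hidden
    if action == "Read":
        return True                       # Public Read Only or Public Read/Write
    return action == "Edit" and owd is Owd.PUBLIC_READ_WRITE   # Delete stays with the owner


# ---- constructed sample data ------------------------------------------------
SALES_REP = Grant(
    "Sales Rep profile",
    objects={"Account": frozenset({"Read", "Create", "Edit"})},
    fields=frozenset({"Account.Name", "Account.Industry"}),
)
REVENUE_VIEWER = Grant("Revenue Viewer", fields=frozenset({"Account.AnnualRevenue"}))
ACCOUNT_CLEANUP = Grant("Account Cleanup", objects={"Account": frozenset({"Delete"})})
FINANCE_ONBOARDING = [REVENUE_VIEWER, ACCOUNT_CLEANUP]   # one permission set group

ALICE = User("alice", SALES_REP, groups=[FINANCE_ONBOARDING])
BOB = User("bob", SALES_REP)   # profile only: the baseline every Sales Rep gets


def summarize(user: User) -> dict:
    """Effective access for one user, as the demo prints and the tests check."""
    return {
        "account_perms": sorted(effective_object_perms(user, "Account")),
        "account_fields": sorted(visible_fields(user, "Account")),
        "read_own_private": can_access_record(user, "Account", user.user_id, Owd.PRIVATE, "Read"),
        "read_others_private": can_access_record(user, "Account", "someone-else", Owd.PRIVATE, "Read"),
        "edit_others_read_only": can_access_record(user, "Account", "someone-else", Owd.PUBLIC_READ_ONLY, "Edit"),
    }


if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.user_id, summarize(u))
```

Running it shows Bob limited to the profile baseline while Alice, through the single group assignment, gains both the extra field and the Delete verb; neither user can read another user's Account under a Private OWD regardless of how many permission sets they hold, which is the point of starting restrictive at the foundation.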