Describe the features and capabilities available to restrict and extend object, record, and field access.
Salesforce provides several tools to control access to data. Access can be controlled at the profile, user, object, and record level. Whether a user has access to a certain object, field, or record depends on the combination of all permission and sharing settings.
To control access to objects, object permissions can be defined on profiles or permission sets for each object. To control access to individual fields on objects, field permissions can be defined on profiles or permission sets for each field. Access to data can be specified either on objects or on records. On objects, org-wide defaults, role hierarchy, and sharing rules can be defined. On records, manual sharing, queues, and teams can be specified.
| Object Permissions | Field Permissions | Object Sharing | Record Sharing |
|---|---|---|---|
| Object Permissions | Field Permissions | Org-Wide Defaults | Manual Sharing |
Access to objects can be specified with object permissions on profiles or permission sets. For each object, the object permissions define the access users have to create, read, edit and delete (CRUD) records.
In addition to the create, read, edit, and delete access levels, the object permissions View All and Modify All exist. These permissions do not respect sharing settings: users who have them can access all records of the object, regardless of sharing settings.
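An added example, not part of the original notes: because object permissions from a profile and from every assigned permission set combine, an audit for View All and Modify All has to union them per user. The rows are constructed and shaped like the standard ObjectPermissions and PermissionSetAssignment objects; the ids and user names are made up, and it assumes the profile's permissions appear as one more assigned permission set.

```python
from collections import defaultdict

FLAGS = ["PermissionsCreate", "PermissionsRead", "PermissionsEdit", "PermissionsDelete",
         "PermissionsViewAllRecords", "PermissionsModifyAllRecords"]
BYPASS = {"PermissionsViewAllRecords", "PermissionsModifyAllRecords"}

# Constructed sample rows (hypothetical ids), one row per permission set and object.
OBJECT_PERMISSIONS = [
    {"ParentId": "PS_profile_sales", "SobjectType": "Account",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "PS_profile_sales", "SobjectType": "Case", "PermissionsRead": True},
    {"ParentId": "PS_support_extra", "SobjectType": "Account",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"ParentId": "PS_data_steward", "SobjectType": "Account",
     "PermissionsRead": True, "PermissionsEdit": True, "PermissionsDelete": True,
     "PermissionsViewAllRecords": True, "PermissionsModifyAllRecords": True},
]
# Constructed assignments: every user has the profile's set, some have extra sets.
ASSIGNMENTS = [
    {"AssigneeId": "alice", "PermissionSetId": "PS_profile_sales"},
    {"AssigneeId": "bob", "PermissionSetId": "PS_profile_sales"},
    {"AssigneeId": "bob", "PermissionSetId": "PS_support_extra"},
    {"AssigneeId": "carol", "PermissionSetId": "PS_profile_sales"},
    {"AssigneeId": "carol", "PermissionSetId": "PS_data_steward"},
]

def effective_object_permissions(object_permissions, assignments):
    """Union the granted flags per user and object across all assigned sets."""
    by_parent = defaultdict(list)
    for row in object_permissions:
        by_parent[row["ParentId"]].append(row)
    effective = defaultdict(lambda: defaultdict(set))
    for a in assignments:
        for row in by_parent[a["PermissionSetId"]]:
            granted = {f for f in FLAGS if row.get(f)}
            effective[a["AssigneeId"]][row["SobjectType"]] |= granted
    return effective

def sharing_bypass(effective):
    """List (user, object, flags) where the user's access ignores sharing settings."""
    findings = []
    for user, objects in effective.items():
        for obj, flags in objects.items():
            hit = sorted(flags & BYPASS)
            if hit:
                findings.append((user, obj, hit))
    return sorted(findings)

if __name__ == "__main__":
    for finding in sharing_bypass(effective_object_permissions(OBJECT_PERMISSIONS, ASSIGNMENTS)):
        print(finding)
```

Here bob's profile alone grants no bypass; the finding comes from the additional permission set, which is why each user's assignments have to be evaluated together.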
Access to individual fields on objects can be specified with field permissions on profiles or permission sets. For each object, field permissions define the access users have to read and edit fields.
Salesforce search does not respect field permissions. Users can search for values in fields for which they have no Read permission. However, if search terms match, the associated records are returned without the fields and values for which users have no Read permission.
Roll-up summary and formula fields can be made visible to users even if they reference fields for which users have no Read field permission.