Why back to basics? Well, I was explaining to someone how data is accessed in Salesforce, what the security model and its levels are, and so on. So I thought about how I could explain this easily, in plain English, with a very simple approach. As a result I came up with this.
In this blog I will explain only data access, not metadata or other features of Salesforce.
I came up with two terms: access and view. First, do I have access to the data? Second, if yes, how can I view it? For example: I need to read some alien files of a country. First I need to get access/permission from the government. If I am allowed, then how will I read them: from pictures of the files, recorded videos of the files, or directly from the files?
Similarly, data in applications is stored in databases in the form of tables, rows and columns. In Salesforce, tables are objects, rows are records and columns are fields, and each of these has different ways to access and view it. So how do we access it? As in any other application, you first need to get access to the database, then the tables, then the rows and then the columns. I came up with a similar diagram for Salesforce: first you need to get access to your Salesforce org, then objects, then records and then fields.

| Org level | Through | Description |
|---|---|---|
| Access | User | You have access to your Salesforce org only if you are an active user in that org. |
| View | Browser | You can view the content of your org in a browser, on mobile or desktop. |
| | API | You can also view data through the API (REST, SOAP) or API-based tools such as Data Loader. |


| Object level | Through | Description |
|---|---|---|
| Access | Profile | Every user has one profile assigned, through which object access is granted. The minimum access on an object is Read and the maximum is the Modify All permission. You set this up in the object settings section of the profile. |
| | License | Licenses are not a common way to control this kind of access; they are listed here because some license types do not allow access to certain objects. |
| View | App/Tab | You can view the object through its tab, which is the standard way to view an object in Salesforce. Tab access is also set in the app and the profile. |
| | Custom UI | A custom UI is something you create, such as a Visualforce page or Lightning component, in which you use code (Apex, SOQL, etc.) to fetch the data and display it the way you need. |

This one is tricky, and most users get confused by it because of the different ways Salesforce provides access to individual records. Some of the items in the table below can be interdependent; I list them separately because any one of them might be the reason you have access or don't.

| Record level | Through | Description |
|---|---|---|
| Access | Profile | Extending the section above: you need at least Read access on the object in your profile to see any of its records. |
| | OWD | Org-wide defaults. Here you define whether records are public (anyone in the org can access them) or private (only the record owner has access). OWD has other values too, which are not important for now. |
| | Role | If records are private in OWD, the manager or any user above the record owner in the same role hierarchy can see the record. For example: if I am the owner of an Account named “Marvel”, all my superiors can see that record. Note: access via the role hierarchy can be disabled in Sharing Settings. |
| | Controlled By Parent | If records are private in OWD: for custom objects in a master-detail relationship, if you have access to the parent record you automatically get the same level of access to the child object's records. Certain standard objects act as both master-detail and lookup (like Account and Contact); their access can be set to Controlled By Parent in OWD so that they inherit the parent's permissions. |
| | Sharing | If records are private in OWD, access to a record can be granted by manual sharing (a user clicks the Sharing button on the record detail page and shares it with anyone), criteria-based sharing (rules in Sharing Settings share records with certain users based on a condition), or Apex sharing (code in a trigger, controller, batch, etc. creates an entry in the sharing object to allow record access). |
| | Territory | If records are private in OWD: territories only provide access to Accounts, Opportunities and Cases, and to child objects whose parent is any of these objects. With Enterprise Territory Management you can set rules to provide access to records based on a condition. |
| | Queue | Queues are groups of users created for specific reasons. A queue can be the owner of records, and if you are a member of the queue you have access to those records. You can also take ownership of a record. Queues are only available for certain objects, so please check. |
| | Public Group | If records are private in OWD and a record is shared through sharing (manual, criteria-based or Apex), you can share it with a public group. A public group is also a group of users, and if you are a member of the group you have access to the record. |
| | Apex | If records are private in OWD: in Apex controllers you can query records which you don’t have access to. To impose Salesforce security rules, always declare your class with the “with sharing” keyword. It makes sure the user sees only data he/she has access to. Access in this case means owned records and shared records. |
| | Permission Set | Behind the scenes, permission sets are similar to profiles: they are also assigned to a user. But unlike a profile, a single user can be assigned multiple permission sets. For example: if the users of a profile do not have Read permission on an object, you can create a permission set, add Read permission on the object and assign it to one or more users. |
| View | Search | Global search is where you can search your records and see them. For example, if you search “John” it will show contacts, leads, custom objects, etc. that have John in their fields. If no records are found then there is no John ;). The records shown in search results also depend on other settings, which you need to check. Search also supports wildcards. |
| | Page Layouts | What information you see on a record depends completely on the page layouts assigned to your profile and object. A record might have 100+ pieces of information but you see only 10; that is because of page layouts. Whether you click a record link from search, a related list, a list view, a report, etc., it will always open the assigned page layout. Want to see more? Contact your admin. |
| | Related Lists | If an object does not have a tab assigned to it, a related list is where you will be able to see it, provided it is a child of some object. For example: if you hide the Contact tab, you will still be able to see contacts on the Account page layout as a related list, but only the child contacts of that account. It will only show a few pieces of information. |
| | Reports | If there is no tab, no related list and no search enabled for an object, then the only standard way to see it is in reports. That too only if the Allow Reports checkbox is checked on the object detail page. |
| | List Views | List views are only visible under the tab of an object. No tab means no list views. A list view can only display limited information (15 fields, I guess), and if you need to see more you will need to click the record link and open the detail page. You can create multiple list views of the same object with different information and filters. |
| | Custom UI | A custom UI is something you create, such as a Visualforce page or Lightning component, in which you use code (Apex, SOQL, etc.) to fetch the data and display it the way you need. For example, if there is no tab, no report enabled, no related list and no search enabled, then you can use code to fetch the data and display it. |

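
The Apex and Sharing rows above, as an added example that is not from the original post: the same query run without and with sharing, plus an Apex sharing grant. `Project__c` (with its `Project__Share` object) is a hypothetical custom object assumed to have a Private OWD, and all class and method names are illustrative.

```apex
// Added example, not from the original post.
// Project__c is a hypothetical custom object whose OWD is Private.
public with sharing class ProjectAccessDemo {

    // Inner classes do not inherit the outer class's sharing mode,
    // so each one declares its own.
    public without sharing class SystemReader {
        // Ignores sharing: returns rows the running user cannot open in the UI.
        public List<Project__c> readAll() {
            return [SELECT Id, Name, OwnerId FROM Project__c LIMIT 2000];
        }
    }

    public with sharing class UserReader {
        // Same query, but limited to rows the running user owns or has been
        // granted (role hierarchy, sharing rules, manual/Apex shares, groups).
        public List<Project__c> readVisible() {
            return [SELECT Id, Name, OwnerId FROM Project__c LIMIT 2000];
        }
    }

    // Number of rows a "without sharing" controller would expose beyond
    // what sharing allows; useful when reviewing an existing controller.
    public static Integer overExposedCount() {
        return new SystemReader().readAll().size()
             - new UserReader().readVisible().size();
    }

    // Apex sharing: grant read access by inserting a row in the share object.
    public static Boolean shareReadOnly(Id projectId, Id userOrGroupId) {
        Project__Share grant = new Project__Share(
            ParentId      = projectId,
            UserOrGroupId = userOrGroupId,   // a User Id or a Public Group Id
            AccessLevel   = 'Read',
            RowCause      = Schema.Project__Share.RowCause.Manual
        );
        // allOrNone = false: return a result instead of throwing on failure
        Database.SaveResult result = Database.insert(grant, false);
        return result.isSuccess();
    }
}
```
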

| Field level | Through | Description |
|---|---|---|
| Access | Profile | Having record access does not mean you can see all the information on a particular record. That again depends on field permissions in the profile: if you don’t have Read permission on a field, you will not be able to see it in page layouts or even in a custom UI. |
| | Apex | If a particular field is not added to page layouts, list views or related lists, you can still access it via Apex, provided you have at least Read permission for that field in your profile. With Apex you can even update fields which you don’t have permission to. To avoid that, use the “with sharing” keyword. It makes sure the user manipulates only information he/she has access to. |
| | Field Accessibility | Field Accessibility is just another way of setting field security, if you don’t want to do it in the profile. For example: suppose you want to set different field security for the Salary field on the Employee object. With profiles you need to go and change it in every profile. In Field Accessibility, on the other hand, you can select that field and change it for all profiles at once. |
| View | Page Layouts | Same info as in the record view. What information you see on a record depends completely on the page layouts assigned to your profile and object. A record might have 100+ pieces of information but you see only 10; that is because of page layouts. Whether you click a record link from search, a related list, a list view, a report, etc., it will always open the assigned page layout. Want to see more? Contact your admin. |
| | List Views | Same info as in the record view. List views are only visible under the tab of an object. No tab means no list views. A list view can only display limited information (15 fields, I guess), and if you need to see more you will need to click the record link and open the detail page. You can create multiple list views of the same object with different information and filters. |
| | Reports | If there is no tab, no related list and no search enabled for an object, then the only standard way to see it is in reports. That too only if the Allow Reports checkbox is checked on the object detail page. You need to add fields to the report to see their data. |
| | Custom UI | Unlike records, fields cannot be seen on a custom UI unless you have access to them; with sharing or without sharing does not matter. |

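
`with sharing` decides which records an Apex class can see; object and field permissions are a separate check that the code has to request explicitly. The following added example (not from the original post) applies that check to the Salary field mentioned above, assuming hypothetical API names `Employee__c` and `Salary__c`; the class, method and exception names are illustrative.

```apex
// Added example, not from the original post.
// Employee__c and Salary__c are hypothetical API names.
public with sharing class EmployeeSalaryService {

    public class FieldAccessException extends Exception {}

    // Read path: "with sharing" limits the rows; stripInaccessible then
    // removes every field the running user has no Read permission on.
    public static List<Employee__c> readForRunningUser() {
        List<Employee__c> rows =
            [SELECT Id, Name, Salary__c FROM Employee__c LIMIT 200];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        // Reading a stripped field on a returned record throws an
        // SObjectException, so an unreadable Salary__c cannot leak to the UI.
        return (List<Employee__c>) decision.getRecords();
    }

    // Which fields were removed for this user, keyed by object name.
    // Handy for logging or for hiding columns in a custom UI.
    public static Map<String, Set<String>> removedFields(List<Employee__c> rows) {
        return Security.stripInaccessible(AccessType.READABLE, rows)
                       .getRemovedFields();
    }

    // Write path: refuse the update unless the profile or a permission set
    // gives the running user Edit access on the field.
    public static void updateSalary(Id employeeId, Decimal newSalary) {
        if (!Schema.sObjectType.Employee__c.fields.Salary__c.isUpdateable()) {
            throw new FieldAccessException(
                'Running user cannot edit Employee__c.Salary__c');
        }
        update new Employee__c(Id = employeeId, Salary__c = newSalary);
    }
}
```
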
I might have missed a few things; please feel free to suggest. Thank you.