salesforce_security_impl_guide

More documents

Recommendations

Info

CHAPTER 2 Securing and Sharing Data Review the following sections for detailed instructions and tips on securing access to your data in Salesforce. Overview of User Permissions and Access User permissions and access settings specify what users can do within an organization. For example, permissions determine a user's ability to edit an object record, view the Setup menu, empty the organizational Recycle Bin, or reset a user's password. Access settings determine other functions, such as access to Apex classes, app visibility, and the hours when users can log in. Permissions and access settings are specified in user profiles and permission sets. Every user is assigned only one profile, but can also have multiple permission sets. When determining access for your users, it's a good idea to use profiles to assign the minimum permissions and access settings for specific groups of users, then use permission sets to grant additional permissions. EDITIONS Available in: • Enterprise • Performance • Unlimited • Developer • Database.com Because you can assign many permission sets to users and permission sets are reusable, you can distribute access among more logical groupings of users, regardless of their primary job function. For example, you can create a permission set that gives read access to a custom object and assign it to a large group of users, and create another permission set that gives edit access to the object and assign it to only a few users. You can assign these permission sets to various types of users, regardless of their profiles. The following table shows the types of permissions and access settings that are specified in profiles and permission sets. Some profile settings aren't included in permission sets. Permission or Setting Type Assigned apps Tab settings Record type assignments Page layout assignments Object permissions Field permissions User permissions (app and system) Apex class access Visualforce page access External data source access Service provider access (if Salesforce is enabled as an identity provider) Custom permissions In Profiles In Permission Sets 10
Securing and Sharing Data Revoking Permissions and Access Permission or Setting Type Desktop client access Login hours Login IP ranges In Profiles In Permission Sets Revoking Permissions and Access You can use profiles and permission sets to grant access, but not to deny access. Any permission granted from either a profile or permission set is honored. For example, if “Transfer Record” isn't enabled in Jane Smith's profile, but is enabled in two of her permission sets, she can transfer records regardless of whether she owns them. To revoke a permission, you must remove all instances of the permission from the user. You can do this with the following actions—each has possible consequences. Action Disable a permission or remove an access setting in the profile and any permission sets that are assigned to the user. Consequence The permission or access setting is disabled for all other users assigned to the profile or permission sets. EDITIONS Available in: • Enterprise • Performance • Unlimited • Developer • Database.com If a permission or access setting is enabled in the user's profile, assign a different profile to the user. AND If the permission or access setting is enabled in any permission sets that are assigned to the user, remove the permission set assignments from the user. The user may lose other permissions or access settings associated with the profile or permission sets. To resolve the consequence in either case, consider all possible options. For example, you can clone the assigned profile or any assigned permission sets where the permission or access setting is enabled, disable the permission or access setting, and assign the cloned profile or permission sets to the user. Another option is to create a base profile with the least number of permissions and settings that represents the largest number of users possible, then create permission sets that layer additional access. 11
Page 1 and 2: Security Implementation Guide Versi
Page 3 and 4: CONTENTS Chapter 1: Security Overvi
Page 5 and 6: Contents Editing Lead Sharing Rules
Page 7 and 8: CHAPTER 1 Security Overview Salesfo
Page 9 and 10: Security Overview User Security Ove
Page 11 and 12: Security Overview Custom Permission
Page 13 and 14: Security Overview CAPTCHA Security
Page 15: Security Overview Auditing • Role
Page 19 and 20: Securing and Sharing Data Viewing P
Page 21 and 22: Securing and Sharing Data Cloning P
Page 23 and 24: Securing and Sharing Data App and S
Page 25 and 26: Securing and Sharing Data Working w
Page 27 and 28: Securing and Sharing Data Enable Cu
Page 29 and 30: Securing and Sharing Data Assigning
Page 31 and 32: Securing and Sharing Data Creating
Page 33 and 34: Securing and Sharing Data Editing P
Page 35 and 36: Securing and Sharing Data Searching
Page 37 and 38: Securing and Sharing Data Enable Cu
Page 39 and 40: Securing and Sharing Data Object Pe
Page 41 and 42: Securing and Sharing Data Comparing
Page 43 and 44: Securing and Sharing Data Setting F
Page 45 and 46: Securing and Sharing Data Working w
Page 47 and 48: Securing and Sharing Data Setting L
Page 49 and 50: Securing and Sharing Data Restricti
Page 51 and 52: Securing and Sharing Data Managing
Page 53 and 54: Securing and Sharing Data External
Page 55 and 56: Securing and Sharing Data Disabling
Page 67 and 68:
Securing and Sharing Data Editing L
Page 69 and 70:
Securing and Sharing Data Editing C
Page 71 and 72:
Securing and Sharing Data Editing C
Page 73 and 74:
Securing and Sharing Data Sharing R
Page 75 and 76:
Securing and Sharing Data User Shar
Page 77 and 78:
Securing and Sharing Data Sharing U
Page 79 and 80:
Securing and Sharing Data Creating
Page 81 and 82:
Securing and Sharing Data Viewing A
Page 83 and 84:
Securing and Sharing Data Granting
Page 85 and 86:
Configuring Salesforce Security Fea
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
CHAPTER 4 Enabling Single Sign-On S
Page 97 and 98:
Enabling Single Sign-On • Before
Page 99 and 100:
Monitoring Your Organization's Secu
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Security Tips for Apex and Visualfo
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
INDEX A Access about 10 revoking 11
Page 115 and 116:
Index Profiles (continued) object p
show all

salesforce_security_impl_guide

Create successful ePaper yourself

Delete template?

Save as template?