salesforce_security_impl_guide

More documents

Recommendations

Info

Securing and Sharing Data Setting the Organization-Wide Sharing Defaults for User Records Organization-wide defaults for user records This setting defaults to Private for external users and Public Read Only for internal users. When the default access is set to Private, users can only read and edit their own user record. Users with subordinates in the role hierarchy maintain read access to the user records of those subordinates. User sharing rules General sharing rule considerations apply to user sharing rules. User sharing rules are based on membership to a public group, role, or territory. Each sharing rule shares members of a source group with those of the target group. You must create the appropriate public groups, roles, or territories before creating your sharing rules. Users inherit the same access as users below them in the role hierarchy. Manual sharing for user records Manual sharing can grant read or edit access on an individual user, but only if the access is greater than the default access for the target user. Users inherit the same access as users below them in the role hierarchy. Apex managed sharing is not supported. User sharing for external users Users with the “Manage External Users” permission have access to external user records for Partner Relationship Management, Customer Service, and Customer Self-Service portal users, regardless of sharing rules or organization-wide default settings for User records. The “Manage External Users” permission does not grant access to guest or Chatter External users. User Sharing Compatibility When the organization-wide default for the user object is set to Private, User Sharing does not fully support these features. • Chatter Messenger is not available for external users. It is available for internal users only when the organization-wide default for the user object is set to Public Read Only. • Customizable Forecasts—Users with the "View All Forecast" permission can see users to whom they don't have access. • Salesforce CRM Content—A user who can create libraries can see users they don't have access to when adding library members. • Standard Report Types—Some reports based on standard report types expose data of users to whom a user doesn’t have access. For more information, see Controlling Standard Report Visibility. Setting the Organization-Wide Sharing Defaults for User Records Set the organization-wide sharing defaults for the user object before opening up access. For user records, you can set the organization-wide sharing default to Private or Public Read Only. The default must be set to Private if there is at least one user who shouldn’t see a record. Let’s say that your organization has internal users (employees and sales agents) and external users (customers/portal users) under different sales agents or portal accounts, with these requirements: • Employees can see everyone. • Sales agents can see employees, other agents, and their own customer user records only. • Customers can see other customers only if they are under the same agent or portal account. To meet these requirements, set the default external access to Private, and extend access using sharing rules, manual sharing, or user permissions. When the feature is first turned on, the default access setting is Private for external users. The default for internal users is Public Read Only. To change the organization-wide defaults for external access to the user object: 1. From Setup, click Security Controls > Sharing Settings. 2. Click Edit in the Organization-Wide Defaults area. 3. Select the default internal and external access you want to use for user records. EDITIONS Available in: • Professional • Enterprise • Performance • Unlimited • Developer USER PERMISSIONS To set default sharing access: • “Manage Sharing” 70
Securing and Sharing Data Sharing User Recods The default external access must be more restrictive or equal to the default internal access. 4. Click Save. Users have Read access to those below them in the role hierarchy and full access on their own user record. Sharing User Recods Sharing your user record enables other users to see you in the organization. You can share external user records, such as external community users and customer portal or partner portal users. You can also share an internal user record with an external user. Your administrator defines your organization’s sharing model and default access levels for user records. You may want to extend sharing privileges for your own user record if the organization-wide default access is set to Private or Public Read Only. Note that you cannot restrict access below your organization’s default access levels. To view and manage sharing details, click Sharing on the user detail page. The Sharing Detail page lists the users, groups, roles, and territories that have sharing access to the user record. On this page, you can perform these tasks: • To show a filtered list of items, select a predefined list from the View drop-down list, or click Create New View to define your own custom views. To edit or delete any view you created, select it from the View drop-down list and click Edit. • Grant access to the record for other users, groups, roles, or territories by clicking Add. This method of granting access is also known as manual sharing of your user records. • Edit or delete the manual share by clicking Edit or Del next to the rule. An administrator can disable or enable manual user record sharing for all users. Restoring User Visibility Defaults User Sharing enables you to control who sees who in the organization. You can restore your defaults if you have previously used User Sharing. To restore user visibility defaults: 1. From Setup, click Security Controls > Sharing Settings. 2. Set the organization-wide defaults to Public Read Only for internal access and Private for external access. 3. Enable portal account user access. On the Sharings Settings page, select the Portal User Visibility checkbox. This option enables customer portal users to see other users under the same portal account. Additionally, partner portal users can see the portal account owner. 4. Enable network member access. On the Sharing Settings page, select the Community User Visibility checkbox. This option enables community members to be seen by all other users in their communities. EDITIONS Available in: • Professional • Enterprise • Performance • Unlimited • Developer USER PERMISSIONS To view user records: • “Read” on user records EDITIONS Available in: • Enterprise • Performance • Unlimited • Developer USER PERMISSIONS To restore user visibility defaults: • “Manage Sharing” 5. Remove user sharing rules. On the Sharing Settings page, click Del next to all available user sharing rules. 6. Remove HVPU access to user records. 71
Page 1 and 2:
Security Implementation Guide Versi
Page 3 and 4:
CONTENTS Chapter 1: Security Overvi
Page 5 and 6:
Contents Editing Lead Sharing Rules
Page 7 and 8:
CHAPTER 1 Security Overview Salesfo
Page 9 and 10:
Security Overview User Security Ove
Page 11 and 12:
Security Overview Custom Permission
Page 13 and 14:
Security Overview CAPTCHA Security
Page 15 and 16:
Security Overview Auditing • Role
Page 17 and 18:
Securing and Sharing Data Revoking
Page 19 and 20:
Securing and Sharing Data Viewing P
Page 21 and 22:
Securing and Sharing Data Cloning P
Page 23 and 24:
Securing and Sharing Data App and S
Page 25 and 26: Securing and Sharing Data Working w
Page 27 and 28: Securing and Sharing Data Enable Cu
Page 29 and 30: Securing and Sharing Data Assigning
Page 31 and 32: Securing and Sharing Data Creating
Page 33 and 34: Securing and Sharing Data Editing P
Page 35 and 36: Securing and Sharing Data Searching
Page 37 and 38: Securing and Sharing Data Enable Cu
Page 39 and 40: Securing and Sharing Data Object Pe
Page 41 and 42: Securing and Sharing Data Comparing
Page 43 and 44: Securing and Sharing Data Setting F
Page 45 and 46: Securing and Sharing Data Working w
Page 47 and 48: Securing and Sharing Data Setting L
Page 49 and 50: Securing and Sharing Data Restricti
Page 51 and 52: Securing and Sharing Data Managing
Page 53 and 54: Securing and Sharing Data External
Page 55 and 56: Securing and Sharing Data Disabling
Page 67 and 68: Securing and Sharing Data Editing L
Page 69 and 70: Securing and Sharing Data Editing C
Page 71 and 72: Securing and Sharing Data Editing C
Page 73 and 74: Securing and Sharing Data Sharing R
Page 75: Securing and Sharing Data User Shar
Page 81 and 82: Securing and Sharing Data Viewing A
Page 83 and 84: Securing and Sharing Data Granting
Page 85 and 86: Configuring Salesforce Security Fea
Page 95 and 96: CHAPTER 4 Enabling Single Sign-On S
Page 97 and 98: Enabling Single Sign-On • Before
Page 99 and 100: Monitoring Your Organization's Secu
Page 107 and 108: Security Tips for Apex and Visualfo
Page 113 and 114: INDEX A Access about 10 revoking 11
Page 115 and 116: Index Profiles (continued) object p
show all

salesforce_security_impl_guide

Create successful ePaper yourself

Delete template?

Save as template?