Salesforce Certified Platform App Builder – 4 – Security
- Security Introduction
Hi guys and welcome to the security section of this course. And so you’ve just made it through the data modeling and management section which was a large section. And the data modeling and management accounted for 20% of the exam. Now security is weighted at 10% and this is a much smaller section of the course, but security can be a complex and confusing concept. Now, I must admit that security is not as large of a piece of this particular exam and certification, it is more heavily weighted on the administrator certification.
But still it’s important that you understand the difference between profiles and roles. And so I’m going to take you through both of those. I talk about profiles and how those work and how users can be assigned to only one profile. And as well we address the role hierarchy and roles and how the nature of the role hierarchy is that different records roll up to managers in an org chart, for instance. And so by the end of this section you should be able to differentiate between profiles and roles and be able to know how to address the various questions you will encounter on the exam.
Additionally, I cover permission sets and permission sets are like a secondary profile and so they’re very useful and can extend the access to records and the ability to do certain things on the system by way of permission sets. And so I also cover scenarios where you would want to use a permission set because you will be tested on certain scenario based questions on the exam.
You’ll be faced with needing to decide: do I need to create a profile or a role or a permission set, or what would I do here? Also in this section we delve deeply into organization-wide defaults and then as well sharing settings and manual sharing of records as well. Then we also talk about what is referred to as CRUD, that’s create, read, update and delete. This is the ability to do things to records and how that is controlled on the Salesforce platform. And so let’s get started in this section with first talking about profiles.
- Introducing Profiles
We’re going to be getting into quite a bit here as far as how profiles impact the various security settings in your Salesforce instance. And so if we go into the profiles section of setup and once again I’m typing profiles here on the left and you’ll see that the profiles link is under Manage Users. So we click the profiles link and we see a list of all profiles that are currently in my Salesforce instance and I have these sorted by profile name. And then you see as well this custom column. You see that these that are checked are custom profiles and then the ones that are not checked are standard profiles. For the most part you want to use custom profiles instead of standard ones. And so we have a lot here in our Salesforce instance and this gives you an example of pretty much every conceivable standard profile that Salesforce provides. And so the best practice is to create custom profiles using these standard profiles as a template. And so we’ll go into that more here in a moment.
But for now, if you scroll down you see that we have more than 25 profiles listed and so to see the remainder I’m going to click Next here and the one that I’m interested in right now is my own profile, which is System Administrator. And as an administrator on the Salesforce platform, this will usually be the profile that you’re assigned and it is a standard profile. You’ll notice that custom is not checked here. To view the System Administrator profile or any of these profiles for that matter, you just click on the name of the profile and I’m going to go into the System Administrator profile. So for this search box here, if you’re looking for specific profile settings, you can just do a search here in this box to pull it up rather than navigating to these individual links if you wish. So I’m going to type account because I want to adjust the object settings for accounts and so that would take me directly to the object settings for accounts for the System Administrator profile.
And these sort of object settings get into what permissions this profile has and you notice here that as a system administrator I have full privileges here along the bottom. These are the object permissions to where I can read, create, edit, delete, view all and modify all. And I’m not going to go real in depth into those things right now, but just to show how you can quickly go in through this search box to find what you’re looking for, if you wanted to make changes you would click Edit and that sort of thing. And then as well, I wanted to highlight these breadcrumbs that are here and it shows that we’re currently in the accounts object settings and if we wanted to go one level up we could click here to go to object settings or if we wanted to go all the way back up to the Profile overview. For the system administrator we would click here. Also I want to show these down arrows here as well. You can switch from Object to Object by clicking the down arrow.
If we wanted to see Object settings for cases we would just select it from the down arrow. And now we have our permissions as a system administrator profile for cases and then as well the down arrow here for object settings we can go into other sections for this profile such as Assigned Apps. You notice here we’re in Object settings right now but if we wanted to go to Assigned Apps or Assigned Connected Apps, App Permissions, et cetera, we could hit those. From here I’m going to return back to the profile overview from where we came and then as well we can see who has been assigned the system administrator profile by clicking Assigned Users. So you see here that I’m the only system administrator currently assigned the system administrator profile in my organization. Okay, so now we get into the meat of the actual profile and keeping in mind that I’m on the system administrator profile, currently we have various settings for the profile such as Assigned Apps. And so here is where the application drop down on the right and what is visible to me as the system administrator is controlled. And so you notice that I do not have Sample Console visible to me.
If you look here, you don’t see Sample Console as an application available to me and that’s because it’s not set as visible here. And so what I’m going to do is I’m going to edit this to select that Sample Console is also visible and then I’ll show how that will then display in the application drop down. So I’m going to click Edit now and you see as well, in addition to the Sample Console not being selected, which I’ll now check, that I have a default application highlighted or selected through this radio button. You can have one default application per profile. And so for the system administrator profile, my default application is Sales. And what that means is when I first log into Salesforce, the default application that appears here is the Sales application in the drop down. So I’m going to click Save and then we’re going to look for the Sample Console in the application dropdown.
So clicking Save. And now if I click here I have the Sample Console now available to me in the application drop down. So we’ve covered Assigned Apps and so Object Settings is one that’s really important. And so we’re going to spend some time here and this relates to permissions to access objects and fields and then settings that specify which record types and page layouts and tabs are visible. So for a system administrator you see that these are all the object settings and it shows the object permissions, the total number of fields, the tab settings and the page layouts for this profile. And so we’re not going to go into each one of these, but we are going to touch on some of this. So we looked previously at the object settings for accounts and briefly looked at cases and so let’s look at a different object. And so I’m going to scroll down to Opportunities and you see that I’ve got full permissions here on Opportunities, the number of fields, and the tab setting is default on. And this is the name of the page layout for the system administrator profile for Opportunities. And so if I click on Opportunities, we get the object settings for this object, which is the Opportunity object.
So if I click on this, I can make changes to the various settings for this object, such as if we wanted the tab to be hidden for the system administrator profile, we could check tab hidden and that would cause this tab to disappear. We have page layout assignments here and so there’s four different page layouts available on the Opportunity object. There’s a marketing related page layout, a sales related page layout and a support related page layout. This Opportunity layout has all three of them combined and it’s more of an administrator view which has been assigned to us. Then the object permissions. We have full permissions to this object and since we’re system administrator, we don’t want any of those to be removed. So we’re blocked from being able to change those because as an admin you need to be able to administer this object and be able to read, create, edit, delete, et cetera.
Then for the field level permissions, this is where on an Opportunity, these are all the different fields that are on that object. And these columns give you read and or edit ability for these various fields. So if you wanted to go in and make a field read only, such as I did here for current generators, then you would deselect this edit checkbox. And so I’m going to return that back to its original state so that we’re able to edit this particular field which I’ve just picked at random. So don’t worry so much at this point about individual fields. We’ll get into fields more later. But this is where at a profile level you grant or deny access for users to be able to either view a field or edit it.
And so some of these fields are visible to a user, but aren’t editable, such as Last Modified By. This is a field that is system generated and therefore it’s not something that we want even administrators to be able to change. And so it is read only and not selectable to be editable. So I did previously hide the Opportunities tab for this profile. So I’m going to go ahead and click Save and show how now the Opportunities tab has now disappeared from the Sales application. So I’m going to edit that again and change the tab settings to default on for the system administrator profile and click Save and you’ll notice that opportunities have now returned to the tabs. So let’s go back to the profile overview. And moving downward, we’ve got app permissions for the profile that you’re working on and so there’s various app permissions that you can grant or deny for a profile. And these different apps you’ll recognize potentially as being those that are in the drop down.
On the top right, you see we have Call Center and Content and Knowledge Management. And so as a system administrator we have the ability, for instance, to manage cases and to manage call centers and manage just about everything as you can see transfer cases, et cetera. And then for content and for all of these apps we have pretty much everything enabled. And so if you wanted to go in and grant someone app permissions at the profile level, you would do that through the app permissions section for the profile. So moving downward we get into the system permissions. And the designation here between the app permissions and the system permissions is you’ll notice here that it says that the system permissions have to do with settings that apply across all apps such as Record and User Management. And you can click Learn More to learn more in addition to what we’re getting ready to cover here, which would be for system permissions and there’s simply probably 100 different options here. As an admin we have most of these checked as you can tell. And so we’re not going to go into each of these in detail. But then as well you see user settings here where as a system administrator you can assign permission sets to a user.
You can manage internal users, IP addresses, et cetera. You can even view all users and reset user passwords and unlock users. These are all things that will be checked for you by default. And it’s more when you get into other profiles other than system administrator where you need to give more granular access or deny certain ability to users where you’ll set or deny these things. So I’m scrolling back up, I’m going to go back to the profile overview and back down to the system settings for this profile. You have desktop client access that gives permission to access desktop clients such as Connect for Office. Login hours is something that you may see on the exam and that has to do with the hours that someone can actually log in. So by default users have access 24 hours a day to log in.
But if you wanted to set business hours, you can do that to where if your business is closed on weekends and you don’t want your users to be able to log into Salesforce, you can have those times be blocked. You can set default begin times and end times by day, that sort of thing, and Save. I’m not going to do that right now so that we leave it wide open. But you may have a question on the exam related to how do you or where do you set the login hours? And that would be at the profile level.
We have password policies. And so here’s where you can set how frequently the passwords expire for a profile, and then as well the password history as far as how many previous passwords are remembered so that they can’t reuse the previous password, the minimum length, the password complexity requirement, and then even the password question requirement: cannot contain the password itself.
Then also the maximum invalid login attempts and this would be before someone’s locked out and then the lockout effective period, which we have 15 minutes here. And then also settings for obscuring secret answer for password resets and then requiring a minimum one day password lifetime, which would prevent someone from changing their password multiple times in a day, which is deselected by default.
- Creating Custom Profiles
So now we’re going to create a custom profile and I’m in the setup menu in Lightning Experience. And so if I search for profiles and click on profiles from the menu on the left, it brings up all of the profiles currently in my own Salesforce organization. And so you can page through to the next page of profiles by clicking Next. And it’s important to keep in mind that when you’re working in Salesforce you usually want to avoid assigning users to standard profiles. And what I mean by standard profile is anything that doesn’t have a check mark in this column. This denotes a custom profile if they’re checked here. Let me go to a previous page and show you the custom ones. And so Salesforce makes these readily apparent by having this check in this column and as well out of the gates when you sign up for a free Salesforce account, they have these profiles and they even have the word custom in the title.
And so there’s a lot of limitations around standard profiles. So it’s a good idea to just use the standard profiles as a template to then create new custom profiles because then you can extend them further. And so the only standard profile that usually you will have users assigned in a real Salesforce organization is the system administrator profile. In our example here, let’s create a custom profile based off of the system administrator profile and this will be intended for what we’ll call junior administrator. This would be someone that is a Salesforce administrator and is learning when we want to take away certain abilities. And so we’re going to use the system administrator profile as a starting point or a template and we’re going to clone this and name it something different and make some adjustments along the way. So we’re going to click the Clone link next to System Administrator that brings up the clone profile screen and we’re going to name this junior administrator. Then we’re going to click Save. And so now we have this long view here.
For this profile we need to enable the enhanced profile display in our organization. But as you can see there’s a lot of data all in one long page. And so Salesforce has provided what I think is a better or more enhanced view of the profile. So we’re going to do that next. Okay, so what I’m trying to enable in order to improve this user interface for this profile page, it’s called the Enhanced Profile User interface. And so if you search for user interface this will bring you to a page that deals with improving or adjusting the user interface in Salesforce. So I’m going to click on User interface. And so there’s a lot of selections here that I want to adjust now. So one would be enabling separate loading of related lists and that means that pages will go ahead and display and then it will load any related list separately so that the load will be quicker. It’ll just segment the page load more quickly.
But what we came here for is enabling the Enhanced Profile User interface. So a lot of times it’s hard to find what you’re looking for in these pages that are really long. So you could always do a search in your browser, but I found it here. So you want to check enable enhanced profile user interface and then click Save. And so we have set the Related list to load separately and we’ve enabled the Enhanced Profile User Interface. So now if we go back to our Junior Administrator Custom Profile that we just created by cloning the System Administrator profile, you’ll see that this profile looks differently. We have the welcome screen here to the enhanced profile user interface. If you click the Start tour, it will show you some details around how to navigate this. And it’s a five step tour and I want to run through this to explain a few things really quickly.
And then we’ll move on to finishing up setting up this custom profile. And so it’s showing that there’s this search box here where you can easily find permissions and settings. Rather than having to find it through the various links here, you could just do a search in this box up here. And then next you can edit properties. This would be the name or description of a profile by clicking Edit Properties. And then you can see who belongs to this profile by clicking on the Assigned Users button, very helpful button that you’ll come to use quite a bit. You can then browse App Permissions and Settings and it’s all of these links here. And then finally you can also browse the System Permissions and Settings. So let’s click Enter and you can replay that if you want. I’m going to click close. As you recall, we’re in our junior administrator custom profile. And so to start off with, when you clone a profile, it has all of the permissions that the originating profile has as well.
So if you wanted to make some changes to this profile in order to make it unique and justify its existence, you need to make some edits. And so I’m going to go into System Permissions and I’m going to show you what some of those settings are. And we’re going to decide to take away some abilities from this junior administrator that we don’t want them to have. And so you could find a setting, let’s say we wanted to search for something related to Chatter. You can see that under System Permissions, there’s settings for accessing Chatter, for SharePoint Chatter, internal user, create and own new Chatter groups, insert system field values for Chatter feeds, and much more. So let’s say that we want to take away the rights of this new profile from creating and owning new Chatter groups. And so it brought us right to that highlighted field there.
And so the way to make edits here is, this isn’t clickable at this point. We need to go into Edit mode, but we know where to find this now and this list is alphabetized, at least. Sometimes Salesforce doesn’t alphabetize lists and doesn’t make columns sortable, which I don’t understand, but that’s beside the point. Let’s click Edit, let’s scroll back down to create and own new Chatter groups. Let’s click Save. So we’ve just adjusted this new custom profile that we cloned from the system administrator profile to disable their ability to create and own new Chatter groups. And this would be a system permission. We are dealing with system wide permissions here, but if we go back to the profile overview, I’m going to click this link here in the breadcrumbs. We’re back to the screen that’s segmented by the app settings and the system settings.
And we were just in the system settings. We could do additional system settings for setting login hours, for instance, or controlling the login IP ranges or session settings or password policies for this particular profile and even set desktop client access. And as you saw in the system permissions, revisiting that again, there’s just a lot of settings that you can either enable or disable that have to do with system permissions. But I’m going to go back and show you some more profile specific changes you can do on the app side of things. And so for example, we could go into object settings and you can get really specific on what a profile can and can’t do with specific objects and even certain fields. So I could tour this, but I would say no thanks, and just show you quickly that for example, if you wanted, for whatever reason to not enable your users to see this custom object called People that we created previously, you could click on that. And so for now the tab setting for the People tab is default to on.
So let’s say we wanted to set the tab setting to default off. You could do that. So for the junior administrator the People tab would be set to default off. So if we go back to object settings, there’s a lot you can do from here. So for an example, we’re going to restrict anyone that’s assigned to this profile from being able to delete accounts. So I’m going to click on the accounts link and then I’m going to click Edit. And for the object permissions now I’m going to take away the ability to delete an account and that also by default takes away their ability to modify all. And then as well under the field permissions for this profile, I can actually start to hide fields. So let’s say for whatever reason I didn’t want anyone in the junior administrator profile to be able to see the DUNS number for an account. You could uncheck the read access and that way that field is hidden from users assigned to this profile.
And then let’s say as well that we didn’t want the junior administrator editing the billing address for an account. You just simply uncheck the checkbox in the Edit Access column for the corresponding fields that you want to take away the Edit rights to. This gives you the ability then to not only set the object permissions, which are commonly known as CRUD, that stands for Create, Read, Update, and Delete, but also for field specific settings for either Read Access or Edit Access. So once you’re done making your changes on the object settings for the object that you’re working with, for the profile that you’re working with, click Save. And so you may want to change to another object.
You can do that from here by clicking the down arrow next to Accounts. And let’s say we want to make adjustments on opportunities. So I’ve selected opportunities from the drop down and you see here that there’s the one Record type and we’ll get into Record types and page layout assignments later. But if you had multiple Record types on an object, they would appear here and you can assign different Record types and specify the default Record type for an object from this screen as well. So for opportunities as well for the junior admin, we don’t want them deleting those either. Let’s take away the Edit ability for the next step field. We don’t want them adjusting or changing the next step field. So we uncheck that and then we click Save. And so let’s go back to the Profile Overview screen as we conclude this lecture.
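The clone-then-restrict steps above can be checked outside the UI by comparing the template profile and the clone in Profile metadata XML form. This is an added example, not part of the original course material; the XML is a constructed sample, and the API names (Account.DunsNumber, Account.BillingAddress, Opportunity.NextStep, ChatterOwnGroups, ResetPasswords) are assumed mappings for the fields and permissions the lecture mentions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
OBJECT_FLAGS = ("allowCreate", "allowRead", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")

# Constructed sample in Profile metadata layout, not an export from a real org.
# {v} marks the grants the lecture switches off in the clone. API names are
# assumed mappings for the DUNS number, billing address, next step field and
# the "create and own new Chatter groups" permission.
SAMPLE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <object>Account</object>
    <allowCreate>true</allowCreate><allowRead>true</allowRead>
    <allowEdit>true</allowEdit><allowDelete>{v}</allowDelete>
    <viewAllRecords>true</viewAllRecords><modifyAllRecords>{v}</modifyAllRecords>
  </objectPermissions>
  <objectPermissions>
    <object>Opportunity</object>
    <allowCreate>true</allowCreate><allowRead>true</allowRead>
    <allowEdit>true</allowEdit><allowDelete>{v}</allowDelete>
    <viewAllRecords>true</viewAllRecords><modifyAllRecords>{v}</modifyAllRecords>
  </objectPermissions>
  <fieldPermissions>
    <field>Account.DunsNumber</field><readable>{v}</readable><editable>{v}</editable>
  </fieldPermissions>
  <fieldPermissions>
    <field>Account.BillingAddress</field><readable>true</readable><editable>{v}</editable>
  </fieldPermissions>
  <fieldPermissions>
    <field>Opportunity.NextStep</field><readable>true</readable><editable>{v}</editable>
  </fieldPermissions>
  <userPermissions><name>ChatterOwnGroups</name><enabled>{v}</enabled></userPermissions>
  <userPermissions><name>ResetPasswords</name><enabled>true</enabled></userPermissions>
</Profile>"""
TEMPLATE_XML = SAMPLE.format(v="true")   # stands in for System Administrator
CLONE_XML = SAMPLE.format(v="false")     # stands in for junior administrator


def grants(xml_text):
    """Return every enabled grant as a (kind, target, permission) tuple."""
    root = ET.fromstring(xml_text)

    def on(node, tag):
        return node.findtext(f"md:{tag}", "false", NS) == "true"

    out = set()
    for op in root.findall("md:objectPermissions", NS):
        obj = op.findtext("md:object", "", NS)
        out |= {("object", obj, f) for f in OBJECT_FLAGS if on(op, f)}
    for fp in root.findall("md:fieldPermissions", NS):
        field = fp.findtext("md:field", "", NS)
        out |= {("field", field, f) for f in ("readable", "editable") if on(fp, f)}
    for up in root.findall("md:userPermissions", NS):
        if on(up, "enabled"):
            out.add(("system", up.findtext("md:name", "", NS), "enabled"))
    return out


def removed_by_clone(template_xml, clone_xml):
    """Grants the template has that the clone no longer has."""
    return sorted(grants(template_xml) - grants(clone_xml))


def added_by_clone(template_xml, clone_xml):
    """Grants the clone has beyond its template; expected to be empty here."""
    return sorted(grants(clone_xml) - grants(template_xml))


def modify_all_without_delete(xml_text):
    """Objects holding Modify All without Delete, which removing Delete should clear."""
    g = grants(xml_text)
    return sorted(o for kind, o, p in g if kind == "object"
                  and p == "modifyAllRecords" and ("object", o, "allowDelete") not in g)


if __name__ == "__main__":
    for kind, target, perm in removed_by_clone(TEMPLATE_XML, CLONE_XML):
        print(f"removed  {kind:<6} {target:<24} {perm}")
    print("added:", added_by_clone(TEMPLATE_XML, CLONE_XML))
    print("modify-all without delete:", modify_all_without_delete(CLONE_XML))
```
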
And so the main thing to bear in mind, and we’ll be getting into more of these later in this course, but the main thing to bear in mind is that when you create a new profile, you can clone from an existing or you can create a new profile from scratch. And one of the main screens you’ll be dealing with is the Profile Overview screen and that’s divided into App settings and then as well system settings. And that’s where you can control app assignments, connected apps, object settings, and a lot of customization as well, where you’ll specify security around Apex classes and VisualForce page access and external data source access and much more, and even custom permissions.
And then on the system side of things, we have a lot of control around what you can and can’t do at the system level. So next we’re going to be getting into roles, and profiles and roles are often confused. And so we’re going to be delving into roles more deeply. And then on the other side of that, we’re going to create roles, and then we’re going to finally discuss the difference between profiles and roles. And so this will begin to make sense as you progress through the next three or four lectures and we dive more deeply into roles.