Salesforce Certified Platform App Builder – 4 – Security Part 2
- Introducing Roles
We’re next going to get into Roles and the role hierarchy. So if you click on Setup and search for Roles on the sidebar, you’ll notice that the Roles link under Manage Users is available. So if you click that, the first screen you’ll see is the one related to understanding roles. And there’s a sample role hierarchy here at this splash screen to show show you an example. And you can see samples for a territory based sample where you’ve got a Western and Eastern and international sales director role. And then below that you’ve got sales rep roles. And all of these positions roll up to the CEO. And the concept behind roles in Salesforce are that those higher up in the role hierarchy are able to see the records of those below them. And so for instance, here we’ve got the Western sales director and that person is over these Western sales reps. And so these individual sales reps wouldn’t be able to see any records belonging to the sales director because they are above them in the role hierarchy. Then additionally, the CEO can see everyone’s records.
And so you can see other examples. So if you had a product based role hierarchy, you have the VP of hardware, the VP of Software and the VP of Networking, for instance. And then you’ve got networking sales reps, software sales reps and hardware sales reps below their respective divisions. And then another example for company size based sample. And so this would be a company that segments its different roles based on company size. So the Fortune 1000 director would handle the larger accounts, for instance, and then the mid market director would handle those that belong in the mid market. And then Soho sales director would be more of a specific region. So then you’ve got your reps below them. And so this is where Salesforce tries to mimic a traditional chart for a company, an organization chart if you will. And if you’ve seen an. org chart, you usually have a CEO or president at the top, and then you’ve got those that directly report to that CEO beneath there, and then from there can branch off quite significantly.
And so this is a way to enable or disable users from seeing other people’s records. And so Roles, an important distinction is understanding that roles have to do with the visibility of individual records and not object wide access. So for instance, what we’re talking about with Roles is that this Fortune 1000 rep would be able to see their opportunities, for instance, and they may have ten or they may have 100 or however many opportunities that they have. And then this director may have several different reps underneath her. And so those individual opportunity records would roll up and be visible to this director. Now this director wouldn’t be able to necessarily see the other director’s opportunities or see those down here in other sections. And that really depends on how the sharing settings have been set up on the object. So the roles enable those higher up in the chart to be able to see and have visibility to more individual records than those lower down.
So if we click on set up roles, we can see our own role hierarchy. And this is the default role hierarchy in our salesforce account that we signed up for. And here at the top is the company name. And I just previously used Force Developer as my company name and that’s just a fictional company name, for example, when I signed up for this account. And so yours will be different depending on what you chose. And then it looks like a pretty flat role hierarchy. But what you can do to see everything is you can click on Expand All, and now you see that every single piece of the role hierarchy has been expanded to where you have these different levels.
And so at the top level now you have the CEO, and then beneath the CEO, this next level over would be the CFO, the COO SVP of Customer Service and Support, the SVP or Senior Vice President of Human Resources and the SVP of Sales and Marketing. And then beneath those individuals, you have additional roles. Not so much for CFO or COO, but when you get into customer service and support, you have roles for International North America and installation, repair and services. And these are just good generic examples of what you might see for a company. As far as for the service department here’s, the different roles, they may have Human Resources here, and then for Sales and Marketing, we have VPs below the Senior Vice President, you have the VPs for International Sales and then the VP for Marketing, and then a Marketing team underneath the VP of Marketing, for instance. And then the North American cells. You have directors for channel sales and direct sales.
You notice as well this Director of Channel Cells would have Channel Sales Team people reporting to them. And then the Director of Direct Cells has an eastern and a western region. And so the way that you can manage these roles is that you can see who’s been assigned to a role by clicking the assign link. And I’m going to choose Marketing Team because I previously created a user and assigned him the role of Marketing Team. So you can see who’s assigned there. And as I mentioned previously, this free salesforce account is limited to just a couple of accounts, user accounts. So I’ve got my own user account. And then you see here are some other unassigned users that have not been assigned a role. And then here are users that have been assigned the Marketing Team role. So if I wanted to add other users to this role assignment, I would click on their name here on the left and click the button to add them to the right and click Save.
So now I’ve added security user there just as an example. So what I’m going to do is I’m going to click on the CEO role and you see, and this is the same with any role in the role hierarchy. When you click on it, you can see the users in the role currently zero. And that’s just the related list down here where you can assign a user to this role or create a new user from here. And you can see that the CEO reports to no one at the top of the role hierarchy. I’m going to assign myself as the CEO of my own fictional company here. So I’m going to filter the list on the left here by all unassigned active users. And I see that there’s two active users with an unassigned role. I’m going to select myself and move myself over to the Selected Users for CEO section and click Save. So now I’m the CEO of the company. So you see now that users in this role here on the related list. Now let’s go back to the role hierarchy by clicking Roles over here in the setup menu. And if you don’t want to see this message about these samples, every time you go into roles, just check don’t show this page again and click Set Up Roles. If you wanted to delete a role, you just simply delete it. Let’s say that we don’t have an installation and repair service role. Just click Delete and confirm the deletion and it’s now gone. Another thing to highlight in the role hierarchy is the different views that you can view the role hierarchy and I’m in the tree view currently, and that’s the default view you can show in a sorted list view.
And this gives a list of every role in the role hierarchy and it just gives you a different way of looking at things. You can also create new views of the role hierarchy, which is helpful. And there’s a quick links here for editing, deleting and assigning users to the different roles. It also shows who the role reports to. You can also show in a list view and this is more hierarchical in nature with the indentations. This way might be easier for you to wrap your mind around. Everyone operates a little differently. What Salesforce doesn’t provide is a traditional chart view for the role hierarchy. And so if you’re looking for that, sorry, there may be an app on the App Exchange that can do that for you.
But in standard functionality, out of the box, it’s just not there. We’re going to just return back to the tree view now. And so next we’re going to be going into profiles versus roles. We’ll be going into both a little more in depth and be able to compare and contrast the two. It’s a common source of confusion and you need to understand this distinction on the certification exam. Salesforce really does try to glean. If you understand the difference between the two and the way that they form their questions. So we’ll be going into some examples of different things related to profiles and then as well, how roles come into play with viewing individual records versus on the profile level, granting you access to do things at the object level. So stay tuned for profiles versus roles.
- Creating Roles and Assigning Users to Them
So now we’re going to create a role. So if we go to the setup menu and search for the word Roles, and then click on the link underneath the users menu for roles, that brings us to a landing page that’s called Understanding Roles. And this is helpful to wrap your mind around the concept of roles. And so if you’ve ever seen or dealt with an. org chart in business, then you want to think of roles in Salesforce the same way. And so a role hierarchy in Salesforce just establishes who reports to whom and also controls access level as far as the ability to view and edit records. And then also as well, any data will roll up as you go up the role hierarchy. And so we have a sample role hierarchy by default when you first access this page for a territory based sample. So you can click this drop down and see a product based sample and these diagrams change in the chart.
And then as well a company size based sample. And so if we looked at the product based sample, for example, you can see the executive staff. And here’s the CEO. President CFO, the VP of Sales, for example. And then the next layer below in the chart, there’s three branches going out for the VP of Hardware, the VP of Software, and the VP of Networking. And then underneath them we have networking sales reps, software sales reps, and hardware sales reps. And it gives you some details to help you understand what this all means. And at this top level, there’s notes around what these people can do such as view and edit data, roll up, forecasts, and generate reports for all users below.
So that means all users below them in this chart, and then they also can’t access data of other executive staff. So a person at this level, they don’t have lateral rights necessarily to the data of those in the same role. And the same goes for people that would be in the same role for VP of Networking or down here. But as you traverse down this branching tree or chart, you can see for this next layer it says viewing, edit data, roll up, forecast and generate reports for all users directly below. So that would be these people down here can access data of users above or at the same level. So these people here in the middle, they don’t have lateral access necessarily, they can’t get to the records of those that are above them in the chart, unless it’s been specifically set up through like a sharing role, for example. And then down here at the bottom we have view and edit data, roll up, forecasts, and generate reports only for their own data, can’t access data of users above or at the same level.
So you can check this if you don’t want to see this again when you revisit roles, but it’s good to leave that for a while until you really start to understand roles more fully. But we’re going to create a role now by clicking set up roles and we’ll see the role hierarchy. And so this brings up to creating the role hierarchy screen. And if your screen looks like this, that’s just to expand and collapse. You can collapse all by clicking here, or you can expand all by clicking there. And as well these plus minus signs you can toggle back and forth for instance. And so this is a way that you can collapse or show different branches. And so if we expand all, we can see our entire chart for our fictional company. And at the top you notice you’ll have your own company name for whatever you specify when you first set up your own salesforce account. And then you have the CEO at the top. And we’re showing this in tree view. You have the option as well to see this in a sorted list view by clicking here. And this gives you the list and it has a column for reports too, and the report display name. At the top we have the CEO and then beneath him would be the CFO and the COO and others that report to the CEO. For example, you can also view this in a list view and this gives more of the hierarchy.
And so from these screens then you can actually create new roles. So for example, if I wanted to create a new role here, I could click new Role. And what you’ll notice is that I’ve got to specify the role that this new role reports to. Now this may be hard to comprehend without being able to see where everything falls in the chart or role hierarchy. So I’m going to cancel out of here and I’m going to view from this first tree view. I’m going to show you then that you can add roles through these links here, underneath each individual role in the role hierarchy. And so for example, we have this SVP for Human Resources. If you wanted to add a new role, all you’ve got to do is click Add Role. And this will automatically have a reporting to the SVP of Human Resources. That’s the way to auto fill that is by viewing it from that tree view. So we’re going to call this HR assistant with HR standing for human resources. We’re going to tab out of that field to fill in the role name, which is the API name. And then to display this in reports, we’re going to specify that this is the HR assistant. Then you could create additional roles if you wanted to by clicking Save and New. And we’re remaining under this branch for the SVP of Human Resources. Let’s say that in the HR department they hire interns as well.
And so we want to have a role for HR intern. Click Save. And this will take us to the details page for a new role that we just created. And then you can see the users that are assigned to a role. And so for this new role for HR Intern, we could assign a user to this role by clicking the button. And so then you can specify your search criteria. So we’re going to select all users and it pulls up automatically all the different users in my organization. And so let’s say that I want to assign Jim Doe as a role of HR Intern. And so I click on his name and move him over to the selected users for HR Intern area. And then as well, here on the right, it shows me and it’s highlighted even the role that I’m currently assigning users to. So if I click save, I’ve just assigned Jim Doe to the HR intern role. So if I go back to the role hierarchy and click Set up roles to see my tree view, we now see my two new roles here underneath the SVP of Human Resources and that would be HR Assistant and HR Intern. And so, for example, you could assign people by clicking the assign link here. And so here’s all the people that don’t have a role assigned currently. So if I selected someone and moved them over and saved, I could assign them to a role that way. So we now covered how to create new roles in your role hierarchy and then as well, how to assign users to this new role. And now we’re going to delve more deeply into roles and compare them to profiles, which these two topics are often confused. And you need to understand the difference between the two in order to succeed on this exam and get certified. And so this next lecture is profiles versus roles.
- Profiles vs. Roles
Okay, so now we’re going to talk about profiles versus roles. And this is a common source of confusion in understanding the difference between the two. And it’s critical that you understand this distinction. And at a very high level, profiles dictate what you can do at an object level such as creating, editing or deleting object specific records. And then roles determine what individual records you can actually see or have access to. And so we’re on a user list view here where we have all users in my salesforce account and we’ve seen these users before. We have myself down here at the bottom, if you notice, I have the profile of system administrator and the role of CEO. And this checkbox here to show that I’m an active user. And we have our friend Jim Doe here who’s on the marketing team for his role and his profile is a custom marketing profile and he’s active as well.
And so one way that is a good way to see the different permissions for a profile and to begin to understand the difference between profiles and roles is to go into an enhanced profile list view which if I click on profiles, it would come to this list view called all profiles. And this is a list view that comes standard out of the box and should be very similar to what you see in your own free salesforce account. And what I’ve done is I’ve created an additional list view and this is called an enhanced profile list view. And so what that looks like is this. And so what I’ve done with this enhanced profile list view is I’m looking at the permissions for every profile on the account object. And so when you’re dealing with profiles, a large part have to do with read, create, edit, delete, view all, and modify all ability on an object. And so you see here which profiles have the ability to read an account record or create, edit, delete, et cetera. One thing to bear in mind with these enhanced profile list views are that you can create these at the object level. I just happen to have this created for accounts. And so you could create an enhanced profile list view for opportunities or contacts or any custom or standard object in your salesforce instance.
And these are very useful views to see just the myriad of choices that are available to the various profiles and then you can go in and lock down or open up additional ability for the profile. And so if I wanted to look at the system administrator profile, I see that I have the ability to do anything to any account. So previously we’ve talked about the ability to clone a profile. And so you see here with the system administrator profile I have the ability to recreate, edit, delete, view all, modify all and let’s say that I need to create a profile for a junior system administrator. And so this would be someone that we want to be able to do most administrative tasks, but we want to limit this individual from being able to do certain things. And so I’m going to go through the process of creating a custom profile based on the system administrator profile through cloning it. So I’m going to click on the desired profile name. Then here at the top, you see the Clone button. So we’re going to click Clone. In this new profile, we’re going to enter its name and you see that it’s based on the existing profile of system administrator. It will have associated with a salesforce user license.
So we click save. And now from here currently, this junior system administrator has all privileges. As the regular system administrator, I’m going to scroll down and limit some of their system permissions. If you recall, for profiles we have app and system permissions. And it’s very important just to remember this distinction that these are the sorts of things that you can do at the profile level as opposed to roles, which we’ll get further into here in a minute. So let’s say that this junior system administrator needs to only log in from your own network. And so I’m going to add an IP range here for this junior system administrator, which will in essence block him from being able to log in remotely and will only be able to log into our Salesforce instance if he is currently in the office and within our IP range. I’m going to enter in an IP range here and add a description and save.
Okay, so once we save, we see our IP range, and I bring up IP range as well, just to show that and remind you that at the profile level, in addition to your read and write and edit and delete ability on objects. You have these system type permissions such as locking down a user’s ability to log in outside of a certain IP range, or et cetera. Now, I want to show and contrast how roles are different than profiles. We’ve been spending a lot of time around profiles and how it gives you the ability to read, edit, delete records, as well as do system settings such as the IP ranges we just went through, et cetera. But for roles, that has to do with the role hierarchy. As a reminder, when you go into roles, you have your role hierarchy and I’m going to expand it all.
And we have the CEO and then everyone beneath the CEO role and the ability to show in these different views. And it’s hierarchical in nature. And the idea being that records owned by someone in a lower role in your chart will only be able to see records that belong to them or people that report to them. And so these records owned by these individuals would roll up to this SVP, for instance, and then in turn, those would roll up to the CEO level, the co or whoever’s at the top of the chart can see all records for like accounts or opportunities or whatever. And so the role hierarchy, the basic concept behind it is that for the security settings and the sharing model for salesforce, it has a roll up nature to it and any records roll up the chart. And so what I mean by that is if we go back to our users and you see Jim Doe here, he is beneath me in the organization chart. And so there are certain things that I may own that he’s not going to be able.