Salesforce Certified Platform App Builder – 4 – Security Part 3
- Introducing Permission Sets
Introducing permission sets. So we’ve talked about profiles and roles, and now we’re getting more deeply into security and all the different settings that control visibility and access and read, write, update and delete rights in Salesforce. I want you to consider permission sets as secondary profiles. If you recall, a profile can be assigned to a user, and a user can only have one profile. With permission sets, users can be assigned to multiple permission sets. And so if I click on the Users drop-down here and select Permission Sets, you’ll notice that there are none set up by default in our new Salesforce organization. In order to understand permission sets, I want to spend a moment in the Profiles section. If you recall, previously we created a new custom profile by cloning the System Administrator profile, and it was called Junior Administrator. And so you now have 37 profiles in your Salesforce organization.
Now, I’ve worked in some organizations that have had literally hundreds of profiles created, and those are usually older Salesforce organizations that existed before permission sets came along. So what do permission sets allow you to do? For example, let’s say you had ten users in this Junior Administrator profile, and you needed one of these junior administrators to have a broader range of IP addresses and broader login hours, or some sort of system setting that you wanted to extend to them but not to the other junior administrators. In the old way of doing things, before permission sets, you would have to create yet another profile and call it Junior Administrator Two, for example, or Junior Administrator All Access if you wanted to give them full access from any IP range or IP address and the ability to log in at any time of the day or night. Instead of doing that, you can now create permission sets and assign those to individual users. And what makes permission sets so powerful as well is this: let’s say, for example, you wanted specific users to have the ability to create and maintain Chatter groups.
And let’s say that you only had one person in the Junior Administrator profile, one user in the System Administrator profile, and then as well a couple of users in the Custom Marketing profile, for example. Now, how would you handle that if you had people from three different profiles that need to be able to own and manage Chatter groups? You could create a profile called Chatter Group Owner, but then the people you assigned to it would lose the abilities that were set up in their own individual profiles. And so the way that you can extend, or further extend, rights in Salesforce is through permission sets.
So let me show you an example by creating one. I’ll click on Permission Sets. One thing to note here is that you can also assign permission sets to users through the SalesforceA mobile app. You can check that out on the iTunes or Google Play app stores. The SalesforceA mobile app gives you administrative privileges: you can access release notes and you can assign users to permission sets. But I’m going to click New to create a permission set. And so for this permission set, I’m going to call it Manage Chatter Groups.
Then I’m going to give a description for this permission set, and then you need to select the type of users who will use this permission set. So you select the license type, and there are a lot available here. I’m going to select Salesforce for the license type and then click Save. And so now I’m on the permission set detail page for this new permission set that we just created. Now that we’ve created this permission set, in the next lecture we’re going to customize it and then assign users to it as well.
- Creating Permission Sets
So now we’re going to customize this permission set and then assign users to it. You’ll notice that this permission set detail screen looks a lot like a profile detail screen, and that’s because it’s divided into the same two sections: Apps, and then down here below, System. If you want to set system permissions on a permission set, just click on the System Permissions link. Let’s do a search for Chatter. Here we’re going to select this Create and Own New Chatter Groups setting. You’ll notice that all of these checkboxes are unchecked by default. That’s because people are assigned their individual profiles, and it’s their profile that has a lot of these settings.
The idea behind Salesforce security is that you start at the base with the most restrictive security model, and then you open up additional access as you layer permission sets on top of users’ profiles. You can tell that you won’t be able to accomplish anything in a permission set by unchecking a checkbox, because there’s nothing checked by default; you can only check something. In order to do so, we will need to click Edit. If I try and click here, I’m not able to check that. So if I go back up to the top here and click Edit, I’m looking for Create and Own New Chatter Groups. If I check that and click Save, I’ve now given anyone that’s assigned to this permission set the ability to create and own new Chatter groups. That’s the only check mark that’s checked in this permission set. I’m just going to keep this really simple and not extend a lot of functionality beyond that. I want to now assign users to this permission set, so click on Manage Assignments. The users that you assign to a permission set may or may not already have these specific rights based on their profile, but you can go ahead and add users from this screen. Myself, as a system administrator, I probably already have the ability to create and own new Chatter groups. But just in case, I could go ahead and add myself.
So I’m going to select myself, I’m going to select Jim Doe, and I’m going to select the Integration User, and then click Assign. Okay, one thing that I didn’t think about is that for this permission set, if you recall, I previously specified that this permission set is tied to the Salesforce user license. And this Integration User has a user license out of the box of Analytics Cloud Integration User. One thing that’s important to note as you work with your own free Salesforce developer account through this course and beyond is that you’re limited to two Salesforce licenses in your Developer org. So you’ll be really limited in what you can do here, and that’s to prevent people from using these accounts for their own business and not paying the licensing fees that are owed to Salesforce. So we have this informational message, and then the check marks show that it was assigned to the two users. I’m going to click Done, and I’ve assigned this new permission set to Jim Doe and myself. I can go back to the permission set, and other things I could do are to access some of these other settings.
Now, the system settings are more limited in a permission set than in a profile. There are fewer options here down at the bottom, but for the most part, on the app side of things here at the top, these are the same sort of settings that you’ll find on a profile. The main thing to bear in mind, and I’ll go back to Manage Assignments, is that I’ve just assigned this permission set to two users, myself and Jim Doe, who have different profiles. Jim Doe is in the Marketing profile and I’m in the System Administrator profile. But we both now share the ability to own and create new Chatter groups thanks to this permission set. So that prevents us from needing to have these highly granular profiles and ending up with hundreds or thousands of profiles as your organization grows. And that’s how Salesforce came to realize that they needed permission sets: it was clamored for by the user community, and the developer and admin community especially, and they’ve made that a reality. Now, back to the details of this new permission set that we created. We can adjust some of these app settings, for example, so let’s go into Assigned Apps.
Currently we have no assigned apps on this Manage Chatter Groups permission set. If I click Edit, then here you can give people in this permission set access to these various apps. For example, if you wanted to open up the Call Center app to users that are assigned to this permission set, you simply select the app from the Available Apps list, move it over to Enabled Apps, and click Save. When I’m referring to apps, I’m referring to these items here in the App Launcher. By clicking here in the App Launcher, you can see the Call Center, for instance. So that’s a way that you can open up access to apps through permission sets as well.
So we see the Call Center under Assigned Apps, and you can hop over to other app settings by selecting them from the down arrow here. For example, if you wanted to give specific users access to a Visualforce page, you could click Visualforce Page Access and click Edit. Right now we’ve got just these four Visualforce pages that have to do with the app that we installed previously for our currency exchange rates. Let’s say I wanted to give them access to these Visualforce pages. I can move these over to Enabled Visualforce Pages and click Save. And so you can see now, as we start to customize the permission set, now that we’ve assigned it to users as well, that you can open up additional access to people that span multiple profiles. You’ll notice you can open up access to external data sources as well through permission sets.
You can handle Named Credential access, you can do custom permissions, and you can even open up additional rights under Object Settings. So I’m going to go ahead and click on that. By default, these permission sets have no access to these objects. In order to open that up further, for example on Accounts, let’s click on Accounts, and that brings up the object settings for the Account object. Now we can click Edit. Once again, you notice hardly any of these are checked. Really the only things that are checked for read access, or even edit access, are some of the standard fields that are on all records. Some of these are system fields, such as Created By, the Account Owner, the Name field, and the Currency field. Those are all system fields. Beyond that, nothing else is checked. So we click Edit. If we want to say, hey, we want to make the Accounts tab available to users in this permission set, we could check Available. We can make it Visible as well.
You can hover over here to see more information as well: when Visible is enabled, the tab appears in the visible tabs for its associated app. The Accounts tab is usually visible in the Sales app, and you can tell that I can already see the Accounts tab. Users may already have rights to some of these things, but since you can have users across multiple profiles, you want to have this permission set fully realized to extend all of the rights that you intend for people in the permission set. So you don’t want to think about individual users, but about the group as a whole in the permission set. Then you can extend further rights here. Let’s say that for anyone in the Manage Chatter Groups permission set, we’re going to give them Modify All access, which enables them to also delete account records, because we’re in the Account object right now. And then we can additionally give them access to fields as well.
There’s no way to select all here, which would be nice, but that’s not available. You get the idea, though, that you can get to the object settings in a permission set, and that allows you to get to the field permissions on an object as well. So if I click Save, we’ve now customized this permission set pretty fully. If I go back to Permission Sets, we see the one permission set that we have. You can clone permission sets. I’m just going to name this and click Save to show you how quickly you can create an additional permission set. Then you could make adjustments here in order to delineate the differences between the two. You could manage assignments on this as well, and you can add assignments for users to additional permission sets. So now we see that Jim Doe and Mike Wheeler have two different permission sets that they were assigned to. If I go into Jim Doe’s user record, for example, you can click on the User Detail button, and that gives me more details around his user record. We see that he belongs to one profile and he belongs to one role.
And now if we scroll down, we see that he belongs to two permission sets under Permission Set Assignments. So I’m in the user record for Jim Doe, and I can edit assignments by clicking Edit Assignments, or I could delete a permission set assignment by just clicking Delete here from his user record. That will not delete the permission set; it’ll simply remove Jim from this permission set assignment. So I can click Edit Assignments, for example, and I could move this over and remove that assignment that way if I so chose, and click Save. So, you know, we’ve been dealing a lot with security. We’ve talked at length about profiles and roles and permission sets. In the next lecture, we’re going to be diving even more deeply into the security settings that you can do in Salesforce as we talk about organization-wide defaults. Those are accessed through the Sharing Settings link in Setup. So stay tuned as we talk about organization-wide defaults, coming up next.
- Organization Wide Defaults
So now we’re going to talk about organization-wide defaults. I’ve got a diagram here that I’ve seen on several different websites, so I’m not sure who to attribute it to, but if you just do an image search for Salesforce organization wide defaults, you’ll find something similar. I have made this image available in the resources section of this particular lecture. So we’re now dealing with organization-wide defaults. One thing to bear in mind is that this is often referred to as OWD; that’s just an acronym for organization-wide defaults. The main thing to bear in mind is that the OWD, or org-wide defaults, is the base level at which you set all access to records. Here it says that this is where you set your restrictions on different objects to make them either Public Read/Write, Public Read Only, or Private. And then as you progress up to the right here, you open up access.
This would be vertical access in the role hierarchy. We talked in previous lectures, as we were discussing the role hierarchy, about how you can open up access vertically, in that records will roll up to the manager and then up to the executive level, like an org chart, if you will. So the role hierarchy is where you open up access vertically. Next we have sharing rules. In the next lecture we’re going to be talking about sharing settings, and that’s where we’ll open up lateral access. I’ll demonstrate all this around some of the custom objects that we created previously; we’ll populate some records and show you how all this works, so this will start to make better sense. So in the next lecture we’ll be looking at sharing settings, and this is the lateral access, meaning that people in the same role, not people above you in the chart but people beside you in the chart, can then access records through sharing rules.
And then finally, the most flexible way to open up access is through manual sharing. We’ll be covering that in the lecture following sharing settings: manually sharing records. So as you can see, as we’re thinking about the org-wide defaults, this is the base level where we set Public Read/Write, Public Read Only, or Private on an object. Let’s go over to our Schema Builder and remind ourselves of the schema we set up for our application and where we’re at currently. We really want to hone in on this Production object. This is where the different films, TV shows and video games reside. If you recall, in a previous lecture I had you delete records. We had previously created a record for the Wizard of Oz and the Cheers TV show.
In order to create the junction objects, we needed to delete those, and we deleted a production position as well. What I want to do now is go into the Setup menu and show you where the organization-wide defaults are set. We’ll be looking at those settings as they relate to the Production object. So if you click on Setup now and try to search for OWD, or wide, or organization wide, you get Organization-Wide Addresses but not wide defaults. The thing to bear in mind and remember is that org-wide defaults are set under the screen that has to do with sharing settings. It’s a little confusing, because if we go back to this diagram we see we have sharing rules here, and those have to do with the Sharing Settings screen actually, and that’ll be in the next lecture. But to get to the org-wide defaults in Salesforce, you’ve got to go under Sharing Settings, which is under Security Controls. So we’ve got our Sharing Settings, and that’s where the org-wide defaults are set. You’ll notice here we have the org-wide defaults at the top of the screen, and then down below on the Sharing Settings screen we have other settings, and then the sharing settings that can be set individually for different objects.
We’ll be going into that in the next lecture. For this lecture, we want to focus on the top of the screen. You’ll notice, however, that as we scroll down, some of the custom objects that we’ve created are down here towards the bottom. So we have the Production object, the custom object that we created, and I want to scroll back up to see what these column headers are where it’s showing Public Read/Write. If I scroll up, we see that this is the Default Internal Access and this is the Default External Access. Now, we’ve not enabled the external sharing model, and we’re not going to go into that quite yet. So we want to focus on just the Default Internal Access level, bearing in mind as well that this column is Grant Access Using Hierarchies. If we look at the Production object, it’s currently at Public Read/Write.
What I want to do is repopulate the Wizard of Oz production record. You may have that in your Recycle Bin if you didn’t clear it out, but if you don’t and need to manually enter it, go ahead and do so. I’m going to click on All Tabs, go to Productions, and verify that I don’t have any production records at this point. I’m going to create a new one and just enter Wizard of Oz. I’m going to leave the rest blank and click Save. So now I have the Wizard of Oz record. I am the owner of this record, and this Production object has an org-wide default of Public Read/Write, which means that anyone in my organization can see this record. What I want to do now is log in as Jim Doe. Let me show you how to do that quickly. I’m going to click on his name in order to go to his user record. Actually, this is his user home screen, so I can click on this down arrow here and go to User Detail.
I need to enable the ability to log in as another user in my own organization, and then a Login button will appear here on his user record. To do so, you just search for the term login in Setup, and it’s under the Security Controls section. We have this link for Login Access Policies. Click on that link, and it is here that we can give administrators the ability to log in as any user. I’m going to click this checkbox to enable that feature and then click Save. Now, probably the quickest way to get back to where I was is to click on Setup, go to the recently accessed items list, and click Jim Doe, and I return to his user record. Now we see the Login button has appeared. So I’m going to log in as Jim Doe so that I will see Salesforce as he would see it under his current profile of Custom Marketing profile and in the role of HR Intern. I’m going to click Login, and now I’m logged in as Jim Doe.
You’ll notice this black box here towards the top says Logged in as Jim Doe. This is a reminder that you’re not logged in as yourself. If you log in as another user to troubleshoot, it’s really easy to forget that and start trying to do development work, and you no longer have full access to the Setup menu, for instance. I’m going to click the plus sign to go to Productions now, and I see that Jim Doe does not have access to the Productions object. Okay, so that is a profile setting that we need to set. I’m going to open up Jim Doe’s object access on the Productions object for his profile, and then we’ll be able to explain more fully how the org-wide defaults work. To log out as Jim Doe and return as myself, I need to click his name in the drop-down and select Logout. This has logged me all the way out of Salesforce. Sometimes it’ll just toggle you between user accounts, but I’m just going to go ahead and log in again. So go ahead and log back in, and this will log you back in as yourself.
So we were looking at Jim Doe, and specifically his profile, which is the custom Marketing profile. I’m going to click on that, then go to Object Settings and look at what his settings are for the Productions custom object. If we find Productions in the list, it says that there’s No Access. That explains why Jim was not able to see the Productions tab, for example. I’m going to click on Productions, because I want to open up access to the Productions object for the Custom Marketing profile. I’m going to click Edit, and it is here that we grant access to the object. None of these are checked, so he has no access.
I’m going to give him Read, Create, Edit and View All capability, leave the field-level access, or field permissions, at their defaults, and click Save. So now if I log back in as Jim, I should be able to see the Productions object. Let’s do that now by going back to his user account, and I’ll show you how to do that. From his user home screen, we click this down arrow once again and hit User Detail, and then we have our Login button.
Then click Login. Now I’m once again logged in as Jim Doe. When I click the plus sign for All Tabs, I’m now able to see Productions. So that was a profile setting. Okay, now I know you’re wondering, well, why are we going into all this? It’s because we’re trying to get to the point of being able to address organization-wide defaults. I’m going to click on Productions, and let’s see if Jim Doe can see the Wizard of Oz record that I created previously. If I click on the Go button next to the All list view, that will pull up any production records that Jim Doe has access to and can see. Because the Productions object is set to Public Read/Write in the organization-wide defaults, he has the ability to see this production record that I entered as an admin.
So the thing to bear in mind is that for Public Read/Write, which we have right here, when objects are set to that, anyone that has access to that object at the profile level will be able to see the individual records. Not only that, they’ll be able to edit them if it’s set to Public Read/Write. And not only that, they’ll be able to create new records themselves. Bear in mind that not only can Jim see this record, but he should be able to create production records as well. So I’m going to go ahead and re-enter the Cheers TV show and have Jim Doe be the owner of that particular record. We’ll leave the rest blank for now and click Save. Bear in mind that we’ll get into record types before too much longer, and we’ll then be able to designate this as a TV show. But for now, we currently have two records in the Production object.
One is Cheers and one is Wizard of Oz. One is owned by me and one is owned by Jim. If I click on the Productions tab and click Go again under the All list view, we now see that Jim has the ability to see two records. I’m going to log out as Jim Doe, log in as myself, visit the Productions tab, and see if I can see Jim’s record. I’m going to click Go next to the All list view, and I can see both records as well. That’s because the org-wide defaults are set to Public Read/Write. Now what I’m going to do is revisit the org-wide defaults, and remember again that you get there by searching for sharing, for Sharing Settings, and we’re going to change the org-wide defaults on Productions now. So we’ve got the Production object, and it’s set to Public Read/Write. We’re going to edit that, change this to Public Read Only, and click Save.
Now it’s saying that an org-wide default update has been initiated by me, and that you can’t submit any changes prior to the completion of the operation. I’ll receive an email when the operation finishes, as Salesforce goes through and recalculates all of the sharing settings and sharing rules and either restricts or opens up access based on the changes that you’ve made. Once I receive the email, we can make further changes to the sharing settings and org-wide defaults in our organization. I’m going to refresh this screen, and let’s scroll down to Production. Now it’s set to Public Read Only. So if I go to Productions as an admin, I’m able to create new productions. Let’s do Gone with the Wind, another classic film, and click Save.
Bearing in mind that productions are Public Read Only, let’s log in as Jim Doe and see if he can see this, and then see if he can create productions of his own. So we revisit his user home screen, click the down arrow, select User Detail to get to his user account, and click Login. We’re going to go to the Productions tab and then click Go on the list view. He can see Gone with the Wind, and he can also create a new production. Let’s have him go ahead and create a new production, and then I’ll explain why he is able to create a new production although the org-wide default on the object is set to Public Read Only. Jim is more of a TV person, so we’ll say that he’s going to enter The Andy Griffith Show.
I’m showing you examples of how we can compare and contrast org-wide defaults with profiles specifically because these are layered on top of each other, and so it’s sometimes hard to troubleshoot security and figure out why people are able to create records when you think they shouldn’t be able to. In this example, it’s like, well, the org-wide defaults say Public Read Only. Bear in mind, as we talked about with this diagram here, that this is the base level with the most restrictions, and then we open up access as we traverse to the right. In addition to the role hierarchy, you can open up access and abilities through profiles as well. So I’m going to log back in as myself, as the admin in my organization, and if we go back to the Marketing profile that he has, under Object Settings and then Productions, he also has Create rights on this object.
That’s why he’s able to create new production records, although the Productions org-wide default is set to Public Read Only. So you can begin to understand, bearing in mind that the org-wide defaults are at the very base level, that you can then open up further access through the role hierarchy, sharing rules, manual sharing, and also profile settings, as far as the ability to perform actions on a record goes. One thing that’s important to note as we’re talking about profiles is that profiles have to do with what are known as the CRUD actions: create, read, update and delete. That’s designated here as Read, Create, Edit, and then View All as well. Things around the role hierarchy, on the other hand, have to do with what records you can see.
We’re going to change the org-wide defaults next on the Productions object to show you how, once we set this to Private, that will impact which individual records Jim will be able to see. So bear with me. I know that this is probably one of the more complex topics on the exam and on the platform: the ability to figure out who can see what, who can do what, and why, because that deals with profiles, roles, organization-wide defaults, permission sets, sharing settings and manual sharing. There are a lot of options, and as you progress on the platform and get more experience, this will all begin to gel more, and you’ll be able to pinpoint what settings you need in order to really hone in on the security settings that will meet the requirements of your own particular application. So let’s revisit the productions. Bear in mind that we’re in the profile here for Jim Doe, the Custom Marketing profile. I want to go back to Sharing Settings, however, to address the org-wide defaults on the Productions object. We see here that Production is Public Read Only, and we want to edit this to set it to Private. Now we’re going to click Save, and Salesforce is going to need to calculate and update those sharing settings. Once that’s done, I’ll receive an email, and this will then show that the Production object is Private.
Now let’s return to Jim Doe’s user record and log in as him again. Remember as well that repetition is how you learn. So you want to click on User Detail from the drop-down here and then click on Login. Now you’re viewing Jim Doe’s user experience in Salesforce. We’re going to click the plus sign here and select Productions from the list of all tabs. Now if we click Go, as you can see, Jim still has access to all of the production records. It took me a moment to remember one thing that I’d set previously that was tripping me up here, and so this is a good example as well of how to troubleshoot on the platform. I’m going to log out as Jim, go back to myself as the admin, and then go into Jim’s profile.
If you recall, Jim Doe has the Custom Marketing profile, and if I go into Object Settings and select Productions, you’ll notice that he has View All access at the profile level. I’m going to adjust this to remove the View All setting on this particular object and then click Save. Now that he doesn’t have View All rights on the Productions object records, the organization-wide default will be respected, and he shouldn’t be able to see all of the productions, but just those that he should have access to. So if I log back in as Jim, let’s go back to the Productions tab once again, and we click on the Go button next to All for the list view.
Now Jim can only see the two records that he has access to as an owner. So as you can see, with the organization-wide defaults you can set object records to Public Read/Write, Public Read Only, or Private. But as we demonstrated, the settings on the profile also have an impact on what users can see, as well as what they can do to object records on the platform. Next we’re going to be getting into sharing settings, which has to do with sharing rules, which are found in the Setup menu by searching for the word sharing once again. Before doing so, let’s log out as Jim, and I’ll see you in the next lecture as we address sharing settings on the platform.
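To make the layering these lectures walk through concrete (a permission set can only add to what the profile grants, profile CRUD and View All decide what a user can do, and the org-wide default plus record ownership decide which records a user without View All can see), here is an added Python model written for this page. It is an illustration, not Salesforce code or API; it deliberately leaves out the role hierarchy, sharing rules and manual sharing covered in later lectures, and the user, profile, object and record names are constructed from the lecture.

```python
"""Simplified model of the access layering walked through in these lectures: an added
illustration, not Salesforce code. Role hierarchy, sharing rules and manual sharing are omitted."""
from collections import namedtuple
from dataclasses import astuple, dataclass, field
from enum import Enum

class Owd(Enum):
    """Default internal access for an object, as on the Sharing Settings screen."""
    PRIVATE = "Private"
    PUBLIC_READ_ONLY = "Public Read Only"
    PUBLIC_READ_WRITE = "Public Read/Write"

@dataclass(frozen=True)
class ObjectPerms:
    """The checkboxes on an object settings page (profile or permission set)."""
    read: bool = False
    create: bool = False
    edit: bool = False
    delete: bool = False
    view_all: bool = False
    modify_all: bool = False

    def union(self, other: "ObjectPerms") -> "ObjectPerms":
        # A permission set can only add access; an unchecked box never takes a right away.
        return ObjectPerms(*(a or b for a, b in zip(astuple(self), astuple(other))))

@dataclass
class PermissionSource:
    """Shape shared by a profile and a permission set: object plus system permissions."""
    objects: dict = field(default_factory=dict)   # object API name -> ObjectPerms
    system: frozenset = frozenset()               # system permission labels

@dataclass
class User:
    name: str
    profile: PermissionSource                     # exactly one profile per user
    permission_sets: list = field(default_factory=list)   # zero or more permission sets

    def object_perms(self, obj: str) -> ObjectPerms:
        perms = self.profile.objects.get(obj, ObjectPerms())
        for ps in self.permission_sets:
            perms = perms.union(ps.objects.get(obj, ObjectPerms()))
        return perms

    def has_system_perm(self, name: str) -> bool:
        return name in self.profile.system.union(*(ps.system for ps in self.permission_sets))

Record = namedtuple("Record", "obj name owner")

def can_see(user: User, record: Record, owd: Owd) -> bool:
    p = user.object_perms(record.obj)
    if not p.read:
        return False                  # no object access: the tab and every record are hidden
    if p.view_all or p.modify_all or record.owner == user.name:
        return True                   # View All bypasses the OWD; owners always see their own
    return owd is not Owd.PRIVATE     # otherwise the org-wide default decides

def can_edit(user: User, record: Record, owd: Owd) -> bool:
    p = user.object_perms(record.obj)
    if not (p.edit and can_see(user, record, owd)):
        return False
    if p.modify_all or record.owner == user.name:
        return True
    return owd is Owd.PUBLIC_READ_WRITE   # View All alone grants read, not edit

def visible(user: User, records, owd: Owd) -> list:
    return sorted(r.name for r in records if can_see(user, r, owd))

# Constructed sample data mirroring the lectures (names taken from them).
CHATTER = "Create and Own New Chatter Groups"
PRODUCTION = "Production__c"
SYSADMIN = PermissionSource({PRODUCTION: ObjectPerms(True, True, True, True, True, True)},
                            frozenset({CHATTER}))
MANAGE_CHATTER_GROUPS = PermissionSource(system=frozenset({CHATTER}))   # the permission set built above
PRODUCTIONS = [Record(PRODUCTION, n, o) for n, o in [("Wizard of Oz", "Mike Wheeler"), ("Cheers", "Jim Doe"),
               ("Gone with the Wind", "Mike Wheeler"), ("The Andy Griffith Show", "Jim Doe")]]

def marketing_profile(view_all: bool) -> PermissionSource:
    """Jim's Custom Marketing profile once Read, Create, Edit (and maybe View All) are checked."""
    return PermissionSource({PRODUCTION: ObjectPerms(read=True, create=True, edit=True, view_all=view_all)})

def walkthrough() -> dict:
    """Replays the lecture steps and records what Jim can see or do at each one."""
    mike = User("Mike Wheeler", SYSADMIN)
    jim = User("Jim Doe", PermissionSource())                 # before his profile had any object access
    out = {"no_object_access": visible(jim, PRODUCTIONS, Owd.PUBLIC_READ_WRITE)}
    jim = User("Jim Doe", marketing_profile(view_all=True))
    out["chatter_before"] = jim.has_system_perm(CHATTER)
    jim.permission_sets.append(MANAGE_CHATTER_GROUPS)         # Manage Assignments -> Assign
    out["chatter_after"] = jim.has_system_perm(CHATTER) and mike.has_system_perm(CHATTER)
    out["read_write"] = visible(jim, PRODUCTIONS, Owd.PUBLIC_READ_WRITE)
    out["read_only"] = visible(jim, PRODUCTIONS, Owd.PUBLIC_READ_ONLY)
    out["read_only_can_create"] = jim.object_perms(PRODUCTION).create   # CRUD right, not an OWD matter
    out["read_only_can_edit_others"] = can_edit(jim, PRODUCTIONS[0], Owd.PUBLIC_READ_ONLY)
    out["private_with_view_all"] = visible(jim, PRODUCTIONS, Owd.PRIVATE)
    jim = User("Jim Doe", marketing_profile(view_all=False), jim.permission_sets)   # uncheck View All
    out["private_without_view_all"] = visible(jim, PRODUCTIONS, Owd.PRIVATE)
    return out
```

Running `walkthrough()` reproduces the lecture: Jim sees every production until View All is unchecked on his profile, after which only his own two records remain under Private, while his Create right is never affected by the org-wide default.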