Salesforce earned its place as a market-leading customer relationship management (CRM) platform, combining a package not only for CRM but everyday operations as well.
However, with great power comes great responsibility, and given that everyday operations are often packed with sensitive data, administrators should prioritize their customers’ data security whenever possible. The overwhelming majority of data breaches come from human error, but careful permissions management can limit the chances that such mistakes happen at all.
What is Object-Level Security in Salesforce?
In Salesforce, object-level security is maintained through two main components: Profiles and Permission Sets.
Profiles: Each Salesforce user is assigned a profile that defines their role within your organization’s Salesforce instance and controls their access to data. Profiles can be customized based on job duties or needs. For example, a salesperson's profile could grant them read and write permissions for Lead and Opportunity objects while restricting access to the Product object.
Permission Sets: Profiles can have Permission Sets that expand access without changing the assigned profiles. For example, if the salesperson temporarily needs access to the Product object, a Permission Set can be created to grant this access instead of modifying the entire user's profile.
These Profiles and Permission Sets are used to control access to Salesforce Objects which is where we get the term object-level security.
Object-Level Security: The ability to restrict access to Salesforce Objects by using customized Profiles and Permission Sets.
Salesforce earned its place as a market-leading customer relationship management (CRM) platform, combining a package not only for CRM but everyday operations as well.
However, with great power comes great responsibility, and given that everyday operations are often packed with sensitive data, administrators should prioritize their customers’ data security whenever possible. The overwhelming majority of data breaches come from human error, but careful permissions management can limit the chances that such mistakes happen at all. This is why it’s important to understand what object-level security is and how to utilize it within your organization.
What are Salesforce objects?
Objects are the core components of Salesforce. They organize and store packets of data that represent customers, products, orders, and any other aspect of doing business. They can also relate to one another and have master-detail hierarchical relationships.
In turn, objects contain (and are made of) fields that define data storage types, including but not limited to plaintext, dates, and amounts, thus forming the core of a business’s day-to-day functions. Salesforce system administrators should, therefore, treat access to them with care.
Careful permissions can ensure that only the proper users can access or edit the data within. Experts call such an approach to access object-level security. In Salesforce, it acts as a fine, detailed line of defense that sits at the forefront of a business’s internal security policy.
What sets object-level security apart?
Object-level security in Salesforce and its proper implementation keeps users or groups of users away from information that is irrelevant to their job or that could pose a threat to daily operations if placed in the wrong hands.
While it might be simpler for a company to give all of its users access to every Salesforce object, it increases the chance of mistakes. A user in a different department could edit the wrong field, triggering a cascade of errors that can take weeks or even months to correct.
In addition, and as you might presume, object-level security also offers safety benefits. For instance, if a hacker manages to compromise an employee account, they would only be able to access the Salesforce objects available to that employee. As such, an object-level approach to security creates an automatic quarantine without requiring any action from cybersecurity teams.
What are salesforce Profiles?
When a Salesforce administrator creates a profile, they create a set of permissions, based on a template, that restrict the actions a user can take and upon which objects they can take said actions. Some profiles can only access certain object types, while others can access an entire object but only edit a few of its fields relevant to their job description.
Salesforce profiles create pre-built permission sets that administrators can apply to new users. They also make control easier, as instead of editing every user profile one by one, the administrator can make a few small changes to a single profile template. Thanks to Salesforce’s automatic profile control systems, the change will spread to the group of users under that template, streamlining the update and policy revision process.
What do user profiles control?
User profiles control and record the types of objects that users can access and edit, as well as their ability to access and edit certain fields within those objects. They also determine the apps the users can access and how they load them, as well as the hours, locations, and IP ranges a user can use to log in. These security measures help block hackers in different locations and time zones before they access and alter critical information.
Common salesforce profile types
While Salesforce profiles are completely customizable, common profile types include the following:
Standard users: can read, edit, and delete selected objects
Read-only users: can only access objects, not edit or delete them
System administrators: can access other profiles and all objects
These three general profile types act as the basic building blocks for customized templates. Instead of altering the built-in standard template, administrators can create a new one that better fits their organization's needs as many times as necessary.
What are Salesforce Permissions?
Administrators can only assign one profile to a user at a time, but permission sets help admins customize existing profiles for the needs of individual positions, especially since users can have as many permission sets as they need.
If a department or special team needs to access an object not available in their profile, the administrator can grant additional permissions and apply that set only to those employees. It is a case-by-case approach that provides even more of the customizability and flexibility that Salesforce is known for.
Permissions can also allow users temporary access to objects to users, and administrators can also delete permission sets once they fulfill their purpose or modify them as the needs of the situation evolve. Either way, the flexibility at hand closes up the potential threats that modifications to the entire profile set can expose.
What is Salesforce Record-level security?
In Salesforce, record access determines which individual records users can view and edit in each object they have access to in their profile.
Record-level security, as its name implies, limits user access to specific record types. For example, an enterprise that partners with many businesses won’t need each of its employees with partner-object permissions to access every record in that object.
As outlined in Salesforce’s Trailhead module, on record-level security, you can control record-level access in four ways:
- Org-wide defaults specify the default level of access users have to each other’s records.
- Role hierarchies ensure managers have access to the same records as their subordinates. Each role in the hierarchy represents a level of data access that a user or group of users needs.
- Sharing rules are automatic exceptions to org-wide defaults for particular groups of users, to give them access to records they don’t own or can’t normally see.
- Manual sharing lets record owners give read and edit permissions to users who might not have access to the record any other way.
What is salesforce Field-level security?
Last but not least, field-level permissions limit which users can access fields within the objects they can access. For example, customer representatives may only be able to edit contact and billing information and read more detailed histories, while CRM managers can access and edit everything. Setting up field limitations means your employees can change the information they need without threatening the rest.
How Does Own Help with Object-Level Security?
With Own Secure’s Who Sees What feature, you can quickly search your Salesforce data across objects, records, and user lenses to understand precisely why Salesforce users have read, edit, delete, or export permissions. Learn more here or request a demo below.
Additional Support for Salesforce Security
Salesforce has plans to change Profiles and Permission Sets to simplify object-level security. Although they said the change was to be released in 2026, we still have not heard any definitive data for this change. In the meantime, we have compiled resources to ensure you are not over-assigning permissions to your team and how to best use Profiles and Permission Sets to achieve the object-level security you’re looking for.
- Video | Profiles and Permissions: Salesforce User Management
- Learn how to manage Permission Sets to transition away from Profiles so you do not over-assign permissions
- Salesforce Permissions Management: Adapting To The Retirement Of Profile Permissions
- Learn more about this change to Profiles and how Own can help
