Let’s Work Together




Salesforce Data Access: Understanding Salesforce Data Security

In the world of customer relationship management (CRM), Salesforce stands tall. With its powerful collection of features, Salesforce empowers enterprises to streamline their sales, marketing, and customer service processes. At the heart of this CRM giant lies a very important aspect that governs the flow of information within the platform, which is data access.

Data access ensures that users interact with data at different levels, from the organization level to the record level. The data access model of Salesforce is structured in a hierarchical manner, which allows a controlled flow of information. Let’s break down the different levels of data access:


At the highest level, access to the organization-level is secured. We can restrict access to organization in four ways:

  • Only authorized users should be allowed to access the organization.
  • Password policies
  • IP ranges can be restricted for users.
  • Login hours can also be restricted.


At the object level, we can control who has access to a particular object. Object-level access determines whether users can interact with these objects at all. At object level in Salesforce, permissions to create, read, edit, and delete records of that object are decided. There are two ways to set object permissions:

Profiles: Profiles determine what permissions users have.

Permission sets: They provide additional access to a particular user or user group.


At the field level, we determine the permissions to view, edit, or delete the values for a particular field of an object. We can give access to fields of a particular object to profiles or use permission sets, but only if that user has access to that object.


At its core, record-level security in Salesforce revolves around the principle of making sure that users can only access records that they need. For example, in a recruitment app, only the interviewer should be allowed to provide feedback and not anybody else. We can achieve this using record-level access.

We can provide record-level access in four ways: 

  1. Org-wide Default: It determines base-level access for all records of an object. We can set the organization-wide default to any three below:
    • Public Read/Write: Every user will be able to read and write on every record of that object.
    • Public Read Only: Every user will be able to read but not edit it.
    • Private: Only record owners and users above the hierarchy will be able to view or edit the records.
  2. Role hierarchy: We can allow users who are above in hierarchy to access records of the users below in hierarchy. The hierarchy in Salesforce can be different from the actual organizational chart. To use this feature, we must enable the “Grant access using hierarchies” option.
  3. Sharing Rules: In Salesforce, sharing rules provide a powerful way to automate the sharing of records based on predefined criteria. This is useful when we need to provide access to a user or group of users for particular records without compromising overall data security.
  4. Manual Sharing: For scenarios that are not covered using role hierarchy and sharing rules, we use manual sharing. Users with the necessary permissions can manually share individual records with others, allowing for flexibility in granting access on a case-by-case basis.

Mastering data access in Salesforce plays an important role in creating flexible yet secure apps. Understanding the different levels of data access helps in leveraging the full potential of Salesforce CRM while safeguarding sensitive information.