When working within Salesforce, managing data security is more than just a best practice—it’s a necessity. For Salesforce Admins and Developers, understanding the available security layers like Profiles, Permission Sets, and Field-Level Security is essential for protecting sensitive information and ensuring that users have just the right amount of access.
This guide covers everything you need to implement security measures effectively, along with real-world examples, setup instructions, best practices, and FAQs.
Why Salesforce Security Matters
Security lies at the heart of the Salesforce platform. It ensures compliance, protects privacy, and maintains data integrity. Whether you’re in a highly regulated industry or managing a fast-growing sales team, having the right access controls helps reduce risk and boost operational confidence.
Key reasons to take Salesforce security seriously:
- Compliance with regulations like GDPR, HIPAA, etc.
- Data integrity by preventing accidental or unauthorized changes
- Privacy controls to safeguard sensitive business and customer information
Profiles: Setting the Foundation
Profiles determine what a user can see and do in Salesforce. Every user is assigned a profile, and this acts as the base layer of access.
Standard profiles like “System Administrator” or “Standard User” come pre-configured, while custom profiles allow tailoring access to specific departments like Sales, Marketing, or HR. Profiles include:
- Object-level permissions (CRUD access)
- Tab visibility
- App access
- System-level rights like export permissions
For example, a Sales Rep profile might allow edit access to Leads, read-only access to Opportunities, and hide tabs like Cases or Contracts.
Permission Sets: Flexibility Without Complexity
Permission Sets offer a way to grant additional permissions to users without modifying their core profile. This is ideal when only a few users need temporary or specific access.
Instead of creating a whole new profile just to grant one user edit access to Opportunities, create an “Opportunity Edit” permission set and assign it only to those who need it. You can remove it just as easily when it’s no longer required.
Use Permission Sets when:
- You need to grant temporary access
- You want to avoid creating many custom profiles
- A subset of users in the same profile needs more functionality
Field-Level Security: Precision Where It Matters
Field-Level Security allows you to hide or restrict access to individual fields—even if users can see the object. You can configure fields to be:
- Read-only: Viewable but not editable
- Hidden: Completely invisible
For example, the Salary field on the Employee object should be visible only to HR. Using Field-Level Security, you can restrict this field while allowing the rest of the employee data to remain accessible.
One important note: page layouts can show fields, but Field-Level Security overrides them. If a field is hidden via FLS, it won’t show even if it’s on the layout.
How to Combine These Tools for Smart Security
The real power comes from using Profiles, Permission Sets, and Field-Level Security together in a layered way. For example:
- Profiles give all Sales Reps base access to Leads and Opportunities
- Permission Sets allow team leads to access Forecast Reports
- Field-Level Security hides profit margin data from non-finance users
This layered approach ensures users get what they need—no more, no less.
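The layering described above (profile as the base, permission sets purely additive, FLS deciding visibility regardless of the page layout) can be written down as a small model. The following is an added illustration, not Salesforce code or anything from this article; the object, field and grant names (Employee__c, Salary__c, an “Opportunity Edit” permission set) are constructed to match the scenarios the text uses:

```python
"""Simplified model of how Salesforce layers a Profile, Permission Sets and
Field-Level Security (FLS). Added illustration, not Salesforce code: the
object, field and grant names below are constructed for the example."""
from dataclasses import dataclass, field

READ, CREATE, EDIT, DELETE = "read", "create", "edit", "delete"


@dataclass
class Grant:
    """Object-level CRUD and field-level access carried by one profile or permission set."""
    name: str
    objects: dict = field(default_factory=dict)  # object API name -> set of CRUD verbs
    fields: dict = field(default_factory=dict)   # "Object.Field" -> subset of {READ, EDIT}; absent = hidden


@dataclass
class User:
    name: str
    profile: Grant
    permission_sets: list = field(default_factory=list)


def effective_object_perms(user, obj):
    """The profile is the base layer; permission sets only ever add to it."""
    perms = set(user.profile.objects.get(obj, ()))
    for ps in user.permission_sets:
        perms |= set(ps.objects.get(obj, ()))
    return perms


def effective_field_perms(user, obj, fld):
    """Field access is the union across profile and permission sets; edit implies read."""
    key = f"{obj}.{fld}"
    perms = set(user.profile.fields.get(key, ()))
    for ps in user.permission_sets:
        perms |= set(ps.fields.get(key, ()))
    if EDIT in perms:
        perms.add(READ)
    return perms


def field_visible_on_page(user, obj, fld, on_layout):
    """The layout decides placement, FLS decides visibility: a field the user
    cannot read stays hidden even when the layout includes it."""
    return on_layout and READ in effective_field_perms(user, obj, fld)


def can_edit_field(user, obj, fld):
    """Editing a field needs both object-level edit and field-level edit."""
    return EDIT in effective_object_perms(user, obj) and EDIT in effective_field_perms(user, obj, fld)


# --- constructed sample grants (hypothetical org) ---------------------------
SALES_REP = Grant(
    "Sales Rep",
    objects={"Lead": {READ, CREATE, EDIT}, "Opportunity": {READ}, "Employee__c": {READ}},
    fields={"Opportunity.Amount": {READ, EDIT}, "Employee__c.Name": {READ}},  # Salary__c absent -> hidden
)
HR = Grant(
    "HR",
    objects={"Employee__c": {READ, CREATE, EDIT}},
    fields={"Employee__c.Name": {READ, EDIT}, "Employee__c.Salary__c": {READ, EDIT}},
)
OPPORTUNITY_EDIT = Grant("Opportunity Edit", objects={"Opportunity": {EDIT}})

rep = User("sales.rep@example.com", SALES_REP)
hr_user = User("hr.lead@example.com", HR)


def demo():
    """Walk through the layering and return the observations as a dict."""
    before = effective_object_perms(rep, "Opportunity")
    rep.permission_sets.append(OPPORTUNITY_EDIT)          # extra access without a new profile
    with_set = effective_object_perms(rep, "Opportunity")
    can_edit_amount = can_edit_field(rep, "Opportunity", "Amount")
    rep.permission_sets.remove(OPPORTUNITY_EDIT)          # revoked just as easily
    after = effective_object_perms(rep, "Opportunity")
    return {
        "before": before, "with_set": with_set, "after": after,
        "can_edit_amount": can_edit_amount,
        "rep_sees_salary": field_visible_on_page(rep, "Employee__c", "Salary__c", on_layout=True),
        "hr_sees_salary": field_visible_on_page(hr_user, "Employee__c", "Salary__c", on_layout=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes concrete: assigning and removing the permission set changes only the Opportunity access it carries, never the profile’s own grants, and the Salary field stays invisible to the Sales Rep even though the layout includes it, because visibility is decided by FLS, not by the layout.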
Configuration at a Glance
To set up a Profile:
- Go to Setup > Profiles
- Create or edit a profile
- Define object permissions, system access, and tab visibility
To create a Permission Set:
- Go to Setup > Permission Sets
- Create a new set
- Assign users under Manage Assignments
To configure Field-Level Security:
- Go to Object Manager > Select an Object
- Click Fields & Relationships
- Choose a field → Set Field-Level Security
Common Issues to Watch For
- Conflicts between Profile and Permission Set
- Fields placed on layouts that are nonetheless hidden because of FLS
- Users who have object access but still cannot see certain data, because field access is missing
Use tools like the View User Permissions section and Login As feature to troubleshoot effectively.
Industry-Specific Tips
Finance: Restrict access to fields like account balances using FLS
Healthcare: Use strict field controls for patient data visibility
Sales/Marketing: Grant access to Leads while restricting financial data on Opportunities
Best Practices
- Always start with minimum permissions and expand only as needed
- Document what permissions are granted and why
- Perform quarterly audits of user access
- Use Permission Set Groups to bundle access logically
- Stay updated with new Salesforce security features
FAQs
Q: Can Permission Sets override Profile access?
A: Yes, they can add to the access but cannot take away what a profile already grants.
Q: How can I find all access a user has?
A: Use “View User Permissions” under the user’s profile.
Q: Can I test what a user sees?
A: Yes, use “Login As” to simulate the user experience.
Q: Can I set alerts when permissions are changed?
A: Not directly, but you can monitor changes using Audit Logs.
Q: How often should I review security settings?
A: A quarterly review is recommended; more frequent for high-risk environments.