When working within Salesforce, managing data security is more than just a best practice—it’s a necessity. For Salesforce Admins and Developers, understanding the available layers of security like Profiles, Permission Sets, and Field-Level Security is essential for protecting sensitive data and ensuring users have just the right amount of access.
This guide explains these core concepts with practical examples, setup instructions, troubleshooting tips, and frequently asked questions to help you implement smart security in your Salesforce org.
Why Salesforce Security Matters
Salesforce puts security at the heart of its architecture. Whether you’re handling customer records, financial details, or healthcare data, it’s critical to ensure access is granted only to the right people. Key reasons include:
- Compliance: Regulations like GDPR or HIPAA require tight control over data access.
- Data Integrity: Limiting access reduces errors and unauthorized edits.
- Privacy: Sensitive data stays protected from unintended viewers.
Profiles: Setting the Foundation
Profiles are the base layer of access control. Every Salesforce user is assigned one, and it defines what they can view and do across the platform. This includes object-level CRUD access, tab visibility, system permissions, and app access.
There are standard profiles like System Administrator, Standard User, and Read Only, as well as custom profiles tailored to your business roles.
For example, you might configure a Sales Rep profile to:
- Allow Read/Edit access on Leads
- Allow Read-only access on Opportunities
- Hide tabs unrelated to sales, like Cases or Campaigns
Profiles are great for applying consistent access rules across departments, but when individual users need exceptions, Permission Sets come into play.
Permission Sets: Granting Extra Access Without a New Profile
Permission Sets allow you to extend access without changing the user’s profile. They’re useful when only certain users within a role need additional access.
Let’s say your Sales Reps can view Opportunities but can’t edit them. If a few team members temporarily need edit access, create a Permission Set named “Opportunity Edit,” assign it to those users, and revoke it later as needed. This is far easier than creating a new profile.
Use Profiles for general access and Permission Sets for fine-tuned, case-specific access.
Field-Level Security: Lock Down Individual Fields
Field-Level Security (FLS) lets you control who can view or edit specific fields on a record—even if the user has access to the object. It overrides visibility on page layouts, so a hidden field won’t appear even if added to the layout.
For example, the “Salary” field on an Employee object should be visible only to HR users. By setting FLS, you ensure only HR profiles can see it, while it stays hidden from everyone else.
FLS can be configured through both Profiles and Permission Sets, offering a powerful way to protect sensitive data like financials, personal details, or system fields.
Combining the Three: Smart Security in Layers
When combined thoughtfully, Profiles, Permission Sets, and Field-Level Security offer a flexible and secure access model.
Imagine a Sales Team setup:
- Profile gives all sales reps access to Leads and Opportunities
- Permission Set allows team leads to view Sales Reports
- Field-Level Security hides Cost of Goods Sold and Margin fields from all but the finance team
This layered approach ensures access is tailored to user needs without over-permissioning.
Quick Setup Guide
- Create/Modify a Profile: Setup → Profiles → Select or create → Set Object Settings (CRUD) → Configure Tabs and System Permissions
- Create a Permission Set: Setup → Permission Sets → New → Add permissions → Assign users from Manage Assignments
- Set Field-Level Security: Object Manager → Fields & Relationships → Select a field → Set Field-Level Security → Choose who can see/edit
Troubleshooting Access Issues
- Permission Conflicts: Double-check both Profiles and assigned Permission Sets
- Fields not visible: Check Field-Level Security, not just the page layout
- General access issues: Use tools like “View User Permissions” or “Login As” to simulate the user experience
- Security Health Check: Run this in Setup to identify risky settings or weak access configurations
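The following Anonymous Apex script is an added example, not part of the article, that puts the troubleshooting tips and the layered model from “Combining the Three” into practice: it lists every Profile and Permission Set that grants the Salary field, then computes one user's effective access as the union of the Profile's own permission set and every assigned Permission Set. The API names Employee__c and Employee__c.Salary__c are assumptions standing in for the article's Employee object and Salary field.

```apex
// Run as Anonymous Apex (Developer Console or sf CLI). Object and field API
// names below are assumed; substitute the real ones from Object Manager.
String objectName = 'Employee__c';
String fieldName  = 'Employee__c.Salary__c';

// 1. Every Profile and Permission Set that grants the field. FieldPermissions
//    only holds a row where access is enabled, so this is the complete list
//    of grantors to review when a field is visible to the wrong people.
for (FieldPermissions fp : [
        SELECT Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name,
               PermissionsRead, PermissionsEdit
        FROM FieldPermissions
        WHERE SobjectType = :objectName AND Field = :fieldName]) {
    // A Profile's permissions live in a hidden permission set owned by it.
    String grantor = fp.Parent.IsOwnedByProfile
        ? 'Profile "' + fp.Parent.Profile.Name + '"'
        : 'Permission Set "' + fp.Parent.Name + '"';
    System.debug(grantor + ' read=' + fp.PermissionsRead
                 + ' edit=' + fp.PermissionsEdit);
}

// 2. Effective access for one user. PermissionSetAssignment covers both the
//    Profile-owned permission set and every assigned Permission Set, so the
//    result is the OR of all grants: a Permission Set can add, never remove.
Id userId = UserInfo.getUserId(); // replace with the Id of the user you are troubleshooting
Boolean canRead = false;
Boolean canEdit = false;
for (FieldPermissions fp : [
        SELECT Parent.Name, PermissionsRead, PermissionsEdit
        FROM FieldPermissions
        WHERE SobjectType = :objectName AND Field = :fieldName
          AND ParentId IN (SELECT PermissionSetId
                           FROM PermissionSetAssignment
                           WHERE AssigneeId = :userId)]) {
    canRead = canRead || fp.PermissionsRead;
    canEdit = canEdit || fp.PermissionsEdit;
}
System.debug('Effective access to ' + fieldName + ' for ' + userId
             + ': read=' + canRead + ' edit=' + canEdit);
```

If the second loop reports read=false while the field sits on the page layout, FLS is the cause, which is exactly the “Fields not visible” case above.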
Industry-Specific Scenarios
- Finance: Restrict fields like Revenue or Account Balance using FLS. Profiles limit broader access, while Permission Sets handle edge cases.
- Healthcare: Keep fields like Medical History or Test Results visible only to authorized users.
- Marketing: Grant access to Campaign and Lead data while limiting view of closed deals and revenue numbers.
Best Practices to Follow
- Start with minimum permissions and expand only when necessary
- Document all permission configurations to track changes and prevent errors
- Review security quarterly (or monthly for high-sensitivity environments)
- Use Permission Set Groups to assign collections of permissions instead of managing them one by one
- Stay updated with Salesforce releases to make use of newer security tools
Frequently Asked Questions
Q1: Can Permission Sets override Profile access?
Yes, but only additively. A Permission Set can grant access beyond what the Profile provides, but it cannot remove access the Profile already grants.
Q2: How can I find out what permissions a user has?
Use “View User Permissions” on the user record to see both profile and permission set access.
Q3: What’s the best way to troubleshoot access issues?
Use the “Login As” feature to test, and double-check FLS, Profile, and Permission Set configurations.
Q4: Can I be notified of permission changes?
Not natively, but you can track permission changes using the Setup Audit Trail and manual reviews.
Q5: How often should we review permissions?
At least quarterly. For regulated industries, monthly reviews are a better choice.