AlmaMate


Multi-Layered Salesforce Data Security: Avoid Risks in 2025

Salesforce is one of the most widely used Customer Relationship Management (CRM) application suites globally, dealing with large volumes of sensitive customer information. Salesforce data security is of great importance. Since companies have valuable information, such as customer contact information, financial transactions, and confidential company files, it is essential that such data be safeguarded.

Salesforce follows a layered data security model that controls access to data. These layers help organizations safeguard their data without limiting the ability of their employees to access the information they need to work efficiently.

We are going to study four core layers of Salesforce data security—object-level, organization-level, record-level, and field-level security—and some other factors that offer further Salesforce data security. These Salesforce data security measures ensure that only authorized users can access Salesforce data.


Object-Level Salesforce Data Security: Who Sees Which Data?

Think of Salesforce objects as various folders within a gigantic digital file cabinet. Each object has attached records, like a cabinet drawer containing files.

Object-level security prevents unauthorized users from viewing certain objects. That is, it defines:

  • Which objects can be viewed by a user (e.g., Leads, Accounts, Opportunities, Contacts)
  • Which objects can be updated or deleted by a user
  • Objects that a user never gets to see

For instance:

  • A Sales Representative may have access to only Leads and Opportunities since they never need to see the HR department’s files.
  • A Finance Manager may have access to Invoices and Payments but not to Customer Support cases.
  • An HR Administrator may see Employee Data but not Sales Forecasts.

Real-life scenario:

If a company’s sales team must view customer information but doesn’t need payroll information, Salesforce can be set up so that the sales team can view and edit Accounts and Opportunities but has no access to financial or HR-related objects.

Organization-Level Security offers the following features for enhancing Salesforce data security:

i) Login IP Ranges

Admins can define specific IP ranges from which users are allowed to access Salesforce. If a user tries to log in from an IP outside the allowed range, they will be denied access.
Example: A company may allow Salesforce access only from their office network, preventing employees from logging in from untrusted locations.

ii) Login Hours

Admins can set specific time periods during which users are allowed to log in. If a user attempts to log in outside these hours, their session will be automatically terminated.
Example: A bank may allow employees to access Salesforce only between 9 AM – 6 PM, ensuring security after business hours.
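
The following is an added example, not part of the original article: a small audit that checks exported login records against the Login IP Ranges and Login Hours restrictions described above. The network range, the hours, and the login rows are constructed assumptions.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy mirroring the examples above: office network only, 9 AM to 6 PM.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]  # constructed documentation range
LOGIN_START, LOGIN_END = time(9, 0), time(18, 0)

# Constructed login rows (user, source IP, local login time); not real data.
SAMPLE_LOGINS = [
    ("asha", "203.0.113.25", "2025-03-03 10:15"),
    ("asha", "198.51.100.7", "2025-03-03 11:02"),
    ("ravi", "203.0.113.40", "2025-03-03 21:30"),
    ("ravi", "not-an-ip", "2025-03-03 09:00"),
]

def ip_allowed(source_ip):
    """True only if the address parses and falls inside an allowed range."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # unparseable source addresses are treated as violations
    return any(addr in net for net in ALLOWED_NETWORKS)

def within_hours(ts):
    """Start of window inclusive, end exclusive."""
    return LOGIN_START <= ts.time() < LOGIN_END

def audit(logins):
    """Return (user, ip, timestamp, reasons) for every login that breaks policy."""
    findings = []
    for user, ip, stamp in logins:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        reasons = []
        if not ip_allowed(ip):
            reasons.append("ip_outside_range")
        if not within_hours(ts):
            reasons.append("outside_login_hours")
        if reasons:
            findings.append((user, ip, stamp, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGINS):
        print(finding)
```

Any finding from such an audit means a login succeeded that the configured restriction should have blocked, which points to a profile or user the restriction does not cover.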

iii) Password Policies

Salesforce enforces strong password policies to enhance security, including:

  • Minimum password length
  • Complexity requirements (uppercase, lowercase, numbers, special characters)
  • Password expiration period
  • Password history check (to prevent users from reusing old passwords)
  • Account lockout after multiple failed login attempts

Example: An IT company may require users to have a password that is at least 12 characters long, includes a special character, and must be changed every 90 days.

Record-Level Salesforce Data Security: Who Gets to View Which Specific Records?

Record-level security determines which specific records a user can view, edit, or delete within an object. It’s like a filing cabinet where some employees can open every drawer, but other employees can view only their own files.

Salesforce provides various means of managing record access:

A. Organization-Wide Defaults (OWD)

This offers three main choices:

  • Private – Record owners are the only ones who can view them.
  • Public Read-Only – Anyone can view records but the owner is the only person who can edit them.
  • Public Read/Write – All users have the ability to view and edit all records.
    Example: A real estate company may set OWD to “Private” so that its agents can view only their own client records.

B. Role Hierarchy

Just as in a company where managers are able to view the work of their subordinates, Salesforce enables senior users to view the records of their subordinates.

Example: A Regional Sales Manager can view all deals generated in the region assigned to her/him, but individual sales reps can view only their own deals.

C. Sharing Rules:

Records sometimes need to be shared between departments. Sharing rules allow Salesforce to grant access automatically based on specific conditions. There are two types of sharing rules:

Owner-Based Sharing Rules

  • Grants access to records owned by certain users to other groups, roles, or users.
  • Example: Sales reps in a particular region can automatically share their customer records with their regional manager.

Criteria-Based Sharing Rules

  • Grants access to records that meet specific field criteria.
  • Example: If an Account has a “Type” field set to “Enterprise,” it can be shared with the Enterprise Sales team.

D. Manual Sharing:

Occasionally, a user needs to share one particular record with an individual who would otherwise not have access. Manual sharing allows users to grant access on an ad hoc basis.

Example: For a major deal, a sales representative who must share an opportunity record with another team member can do so manually.

Field-Level Salesforce Data Security: Who Has Access to Edit or View Individual Fields?

Just because a user has access to an object and specific records doesn’t mean that he/she can view or modify specific fields in those records.

For instance, a Customer Support Representative can view a customer’s name and email address but not his/her credit card number or Social Security Number. Field-level security mandates that users view or modify only the fields to which they are allowed access.

Examples:

  • A Sales Representative can view customer contact details but not discount percentages offered to high-end clients.
  • A Finance Executive can view revenue data but not details of product price negotiations.
  • Field access is controlled by Field-Level Security settings in Profiles and Permission Sets.
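
The following is an added example, not part of the original article and not Salesforce's own logic: a simplified read-access model showing how the object-level, record-level, and field-level checks described above combine. All profiles, users, records, and field names are constructed assumptions, and only read access is modelled.

```python
# Simplified read-access model of the layers above; all data is constructed.
OBJECT_PERMS = {"sales_rep": {"Account": {"read", "edit"}},
                "support": {"Account": {"read"}}, "hr": {}}
FIELD_READ = {"sales_rep": {"Account": {"Name", "Type", "Email"}},
              "support": {"Account": {"Name", "Email"}}}
OWD = {"Account": "Private"}  # Private | Public Read-Only | Public Read/Write
MANAGER_OF = {"rep_a": "mgr_1", "rep_b": "mgr_1", "mgr_1": "vp"}  # role hierarchy
USERS = {"rep_a": "sales_rep", "rep_b": "sales_rep", "mgr_1": "sales_rep",
         "vp": "sales_rep", "ent_rep": "sales_rep", "agent": "support",
         "hr_admin": "hr"}
CRITERIA_RULES = [("Account", "Type", "Enterprise", {"ent_rep"})]  # criteria-based
MANUAL_SHARES = {("acc-2", "agent")}  # (record id, user) granted ad hoc
ACC1 = {"id": "acc-1", "owner": "rep_a", "Name": "Acme", "Type": "Enterprise",
        "Email": "ops@acme.example", "DiscountPct": 15}
ACC2 = {"id": "acc-2", "owner": "rep_b", "Name": "Globex", "Type": "SMB",
        "Email": "it@globex.example", "DiscountPct": 5}

def is_above(user, owner):
    """True if user sits above owner in the role hierarchy."""
    seen = set()
    while owner in MANAGER_OF and owner not in seen:
        seen.add(owner)
        owner = MANAGER_OF[owner]
        if owner == user:
            return True
    return False

def record_visible(user, obj, rec):
    """Record-level: OWD, ownership, hierarchy, sharing rules, manual shares."""
    if OWD[obj] != "Private" or rec["owner"] == user or is_above(user, rec["owner"]):
        return True
    if any(o == obj and rec.get(f) == v and user in who
           for o, f, v, who in CRITERIA_RULES):
        return True
    return (rec["id"], user) in MANUAL_SHARES

def read_record(user, obj, rec):
    """Return the fields the user may see, or None if a layer denies access."""
    profile = USERS[user]
    if "read" not in OBJECT_PERMS.get(profile, {}).get(obj, set()):
        return None  # object-level: no read permission on the object
    if not record_visible(user, obj, rec):
        return None  # record-level: nothing opens this record to the user
    allowed = FIELD_READ.get(profile, {}).get(obj, set())
    return {k: v for k, v in rec.items() if k in allowed}  # field-level filter
```

In this model the record-level mechanisms only ever widen access beyond a Private default, while the object-level and field-level checks can only narrow what is returned.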


Additional Security Features:

Beyond the above-mentioned three layers, Salesforce provides additional features to further enhance security:

1. Role-Based Access Control (RBAC):

RBAC enables admins to assign roles to users and grant permissions according to these roles. Rather than granting permissions user-by-user, organizations can manage access in bulk.

2. Territory Management

For companies that sell across various geographies, territory rules enable assigning records to users by geography.
Example: A sales representative serving North America can only view customer records from the U.S. and Canada, not those of Europe or Asia.

3. Audit Trails and Field History Tracking

Audit trails help organizations monitor suspicious activity and ensure that the operations and processes meet regulations.
Example: If a customer’s contact details are changed, Salesforce records who did it and when.

4. IP Restriction and Login Security

Admins can restrict access to Salesforce data based on the IP address of a computer or require multi-factor authentication (MFA) for enhanced security.

Conclusion:

In conclusion, Salesforce’s multi-layered security model ensures that sensitive customer and company data remain protected while allowing employees to access the information they need to perform their roles effectively. By implementing object-level, record-level, and field-level security, along with additional security measures like role-based access control, audit trails, and IP restrictions, organizations can maintain a balance between accessibility and data protection. Understanding and correctly configuring these security features is crucial for safeguarding valuable business information and ensuring compliance with regulatory standards.

If you want to master Salesforce security and become a certified expert, Almamate offers comprehensive training programs to help you gain in-depth knowledge and hands-on experience. Enroll today and take the next step in your Salesforce career!

 
