Salesforce Admin – Security, Access & Sharing Questions
Security, access, and sharing are critical components of Salesforce administration that ensure data protection and appropriate user access. These questions cover the multi-layered security model, organization-wide defaults, role hierarchy, profiles, permission sets, sharing rules, and manual sharing. Understanding these concepts is essential for maintaining a secure Salesforce environment.
Security, Access & Sharing - Q&A
-
Q1. How does Salesforce handle security at different levels?
Salesforce uses a multi-layered security model: Object-level via Profiles & Permission Sets, Field-level via Field-Level Security (FLS), Record-level via Organization-Wide Defaults (OWD), Role Hierarchy, Sharing Rules, and Manual Sharing.
-
Q2. What are Organization-Wide Defaults (OWD)?
OWD is the baseline level of access for records in an object. It defines whether records are Public Read/Write, Public Read Only, Private, or Controlled by Parent, and ensures that access is restricted unless explicitly granted.
-
Q3. How does Role Hierarchy work in Salesforce?
Role Hierarchy automatically grants access to records owned by users below you in the hierarchy. It's primarily used to enable record-level access upward, supporting visibility for managers or executives.
-
Q4. What's the difference between Profile and Permission Set?
Profiles are mandatory and define baseline access, whereas Permission Sets are optional and used to grant additional access without changing the profile. They provide flexibility and are reusable across users.
-
Q5. When do you use Sharing Rules?
I use Sharing Rules when users need access to records they don't own and can't access through role hierarchy. For example, sharing Opportunities owned by one team with another team based on criteria or ownership.
-
Q6. What is Manual Sharing and when do you use it?
Manual Sharing lets users share individual records with specific users or groups. It's used in edge cases when automated rules don't cover the requirement. However, it's available only when OWD is Private or Read Only.
-
Q7. Can a user access a record if their profile doesn't have object permission?
No, if the profile doesn't grant object-level access (like Read or Create), then the user cannot access any record of that object, regardless of sharing or ownership.
-
Q8. What is the purpose of Login IP Ranges and Login Hours in Salesforce?
These are Profile-level settings used to control login security. Login IP Ranges restrict login attempts to specific IP addresses, and Login Hours define when users can log in.
-
Q9. What is the difference between 'View All' and 'Modify All'?
'View All' gives read access to all records of an object, ignoring sharing rules. 'Modify All' grants full access (read, edit, delete) to all records of the object. They should be used with caution as they override sharing.
-
Q10. What are Permission Set Groups?
Permission Set Groups allow us to bundle multiple permission sets and assign them together. It helps when users need a combination of permissions from various sets, making user management easier.
-
Q11. Can we restrict access to a field using a Profile?
Yes, we can use Field-Level Security in the profile to hide or make a field read-only for users. This ensures sensitive data isn't visible to unauthorized users.
-
Q12. What is the purpose of a Public Group in sharing settings?
Public Groups are collections of users, roles, and other groups. We use them in Sharing Rules, Folder Access, and Manual Sharing to control record visibility efficiently.
-
Q13. What is the difference between Role and Public Group?
A Role defines record-level access through the hierarchy, while a Public Group is a flexible set of users used for sharing, folder access, and process ownership but doesn't follow a hierarchy.
-
Q14. What are Queues used for in Salesforce Security?
Queues are used to hold records (like Leads or Cases) that are yet to be assigned. Multiple users can access the queue and take ownership of records from it.