Unraveling the Layers: Understanding Salesforce Data Security Model

Prakul Sharma   |  

January 25, 2024

In the vast realm of business data management, ensuring robust security measures is paramount. Salesforce, a leading CRM platform, recognizes the diversity of real-world business scenarios and provides a comprehensive and flexible data security model to meet these varied needs. In this blog post, we delve into the intricacies of the Salesforce Data Security Model, exploring how its security features harmonize to create a secure environment for users. Through a real-world scenario featuring Maria, a sales executive at ABC Corp, we'll demystify the layers of object-level, field-level, and record-level security.

The Basics: Objects, Fields, and Records

Salesforce structures data into three key elements: objects, fields, and records. Objects are akin to tables in databases, fields resemble columns, and records are individual rows of data. Salesforce employs object-level, field-level, and record-level security to control access at these fundamental levels.

Layer 1: Object-Level Security

Before granting access, Salesforce validates a user's permissions to view objects of a specific type. Object-level access is managed through profiles and permission sets.


⦁ Traditionally used for controlling access, profiles define object and field permissions. However, it's recommended to use permission sets and permission set groups for configuring object and field permissions.

Permission Sets and Permission Set Groups:

⦁ Permission sets offer greater flexibility, packaging, and upgradeability. They allow for a more granular approach to organizing functionalities. Permission set groups simplify management by grouping multiple permission sets into one, streamlining the assignment process for users like Maria'

Layer 2: Field-Level Security

⦁ Even with object-level access, users like Maria need access to individual fields within objects. Profiles and permission sets also govern field-level access.

Layer 3: Record-Level Security

⦁ Object-level and field-level access only go so far. Record-level security, often referred to as the Salesforce sharing model, comes into play to control access to records owned by different users.

Record-Level-Security: Organization-Wide Sharing Defaults:

Ownership of records is a critical aspect. Organization-wide defaults (OWD) determine the default access level for all records of a specific object. It can range from Private to Public Read/Write, affecting who can view, edit, or delete records.

Record-Level-Security: Role Hierarchies:

Reflecting the hierarchical nature of job roles within an organization, role hierarchies grant access based on the user's role. It ensures that users in higher roles have access to records owned by users in lower roles.

Record-Level-Security: Sharing Rules:

Sharing rules provide flexibility in sharing records laterally. Ownership-based sharing rules and criteria-based sharing rules allow admins to configure sharing based on roles, groups, or specific field criteria.

Record-Level-Security: Manual Sharing:

For a more personalized touch, manual sharing allows end-users to share individual records. This is especially useful when OWD is private or public read-only.

Record-Level-Security: Apex Managed Sharing:

⦁ In cases where standard UI or settings fall short, Apex managed sharing comes into play. It involves writing Apex code to automate sharing, offering a customized solution for complex scenarios.


Salesforce's data security model operates on three layers, providing unparalleled flexibility to cater to diverse business needs. Profiles and permission sets control object and field access, with permission sets being the recommended tool. The five types of record-level security - org-wide defaults, role hierarchies, sharing rules, manual sharing, and Apex-based sharing - collectively ensure that data access is precisely tailored to meet the demands of different organizational structures and workflows.

Keep the conversation going

Connect with us on Medium, Instagram and the LinkedIn. Have questions or stories to share? We're all ears!