Record Level Security Posts

A friend of mine, @ca_peterson, asked me to put together my posts on Record Level Security for some folks, so here’s the list below:


Real time / Near Real Time Salesforce Resources

Today, some folks at my local User Group Meeting were discussing the lack of real time Salesforce help for admins and developers. Wait, what? While it’s true that there are a boatload of static resources that you probably use regularly, like Google, the Help and Training section of the Salesforce documentation, and Trailhead, there are also a number of real time and near real time resources out there that you can leverage to have a dialogue with experts on aspects of the platform. Here’s the main list of resources that you might want to check out.

Real Time Help

IRC: IRC is effectively a chat room, and there are a couple of them that are dedicated to Salesforce (#Salesforce and ##Salesforce). You can chat with or listen to the entire room, and you can chat with people in private too. The crowd there is pretty approachable and friendly. To learn more about the IRC community, check out last year’s Dreamforce talk given by Amber Boaz: Salesforce IRC: A Lighter Way to Get Real-Time Help.

To check out IRC you can use this lightweight client and follow these easy steps:

  1. Make up a Username
  2. Under Channels, enter #Salesforce
  3. Enter the Captcha
  4. Click Connect!


Near Real Time Resources:

  1. Tweet questions and include #askforce in your message. Questions are answered by folks in the community who do their best to answer them fully or point you to resources that help. Here’s some recent activity.
  2. The Success Community: this is a great community for help on the declarative aspects of the platform.
  3. For programmatic resources, my two favorites are the Developer Forums and Salesforce Stack Exchange.

What resources do you use?

Maintaining Your Salesforce Org’s Setup for Optimal Efficiency

This year at Dreamforce, I co-presented a session with Launa Saunders on Maintaining your Org’s Setup for Optimal Efficiency. We gave some tips and best practices for admins on setting up their org and maintaining its metadata over time. The topics we covered were:

  1. Metadata: what it is, and why maintaining it is important
  2. Field Considerations
  3. Naming Conventions
  4. Field Sets
  5. Defining Standards
  6. Documentation
  7. Maintenance Schedules
  8. Communication Policies
  9. Analysis Strategies
  10. Change Management


Here are the slides from the talk.

Video:

My ideas for Trailhead 2.0

Trailhead is a new, free, and interactive learning platform where students can blaze their own trail by exploring different modules of Salesforce. In my last article, I wrote about the societal impact of making technology more accessible to non-technical students. The post got some Twitter love, and I was asked to add some ideas to it.

I’m a big fan of the platform, but in the vein of making it more accessible to others, here are a couple of changes I’d like to suggest. I think changes like these improve the chances that new students stay interested in the platform as an admin or developer.

Teach more Debugging!

According to a University of Cambridge study, developers spend 50% of their programming time finding and fixing bugs, and anecdotally, bugs were a big reason why students dropped out of Computer Science classes. The Trailhead modules are awesome because a number of them have challenge exercises at the end; however, it would be a welcome addition if they taught students how to debug, along with some debugging patterns. There are a number of opportunities to do this, for example in the formulas and validation rule sections. In a Record Level Security section, they could teach students in the same way.

Comprehension is king!

I love that they integrate different approaches to appeal to different learning styles. Another suggestion would be to place a larger emphasis on comprehension. For example:

  1. Add a lot of multiple choice questions to each module, with explanations if the student gets one wrong. The more feedback you give students, the more you ensure their comprehension, and the more likely they are to stay with the platform when things get difficult.
  2. Add some real world application scenarios on how students would use this topic. The idea here is to create an anchor for these ideas.
  3. Integrate these new comprehension questions with previous Trailhead modules. Building on previous modules would help students see their progression. Also, if a student gets a question wrong that relates to a previous module, let them know!
  4. Give additional exercises with locked answers, like Project Euler. This would be a win for the Validation Rules, Formulas, and Workflows sections.

Integrate it with other Salesforce Materials!

My favorite aspect of Salesforce is the rich and giving community that we have. There are rock stars like SteveMo, Jeff May, Adam Marks, and Jesse Altman who give to the community regularly. I’d suggest integrating Trailhead more intimately with the community. It’s great that there’s a link at the top of the page to the forums, but I’d like to see something like the top viewed or top rated questions that are relevant to the specific module.

This way students see that there’s a vibrant community that can support them when they have questions, and it shows them the technical problems that other developers and admins are thinking about.

Salesforce and Trailhead – Helping to transform lives

At Dreamforce, Salesforce announced a lot of amazing features that admins, developers, and architects can add to their toolbox. There are new analytics technologies highlighted by Wave and a wealth of new toys highlighted by Lightning. However, by far my favorite new Salesforce initiative is Trailhead, a learning platform designed by the organization that makes the platform more accessible to new admins and developers. This is a powerful new addition for someone looking to transform or enhance their career path.

Check out the announcement from the Developer Keynote at this year’s Dreamforce:



What’s Trailhead?





Trailhead is a new, free, and interactive learning platform where students can blaze their own trail by exploring different modules of Salesforce. Each module provides a highly structured approach geared towards all learning styles, providing text, visuals, and videos. Additionally, it’s socialized and linked to the developer forums, so students can take a deeper dive on particular topics if they need support. Perhaps best of all, the modules provide challenge exercises to reinforce learning, and Salesforce is committed to growing this and adding more components.


So What?

Salesforce is a transformative technology for many in that it allows people without an IT background to build some pretty powerful applications. This appeals to a broad range of folks, including those who learn Salesforce to lift themselves up. With the right community outreach and mentorship, Trailhead can be a powerful tool to teach individuals the platform and have an impact on the people who need it the most.


In the Greater Philadelphia Area alone, only 60% of students finish high school, leaving dropouts with limited career choices. At the same time, the job market is seeking those with STEM talent, particularly those with a Salesforce background. Initiatives like Trailhead that make Salesforce easier to learn potentially create career paths and, better yet, open up a long term interest in technology and STEM careers. This is transformative, since the IT sector is projected to have double digit growth over the next 5 years.



Community Outreach

Salesforce has a number of programs to help with community outreach. At a national level, they sponsor a veterans program with Veterans2Work that helps returning military veterans transition into their civilian careers. In addition, Salesforce sponsors local organizations that teach Salesforce, such as Hopeworks ‘N Camden. Hopeworks offers several technology training programs for adults and youths, including a program to certify youths as Salesforce Admins. Salesforce also sponsors events such as Hackathons, like the upcoming MBKHACK (My Brother’s Keeper Hackathon) on the weekend of November 14th, 2014. Youths in this Hackathon will spend three days working alongside professionals to build websites and mobile apps that will positively impact society. To learn more about these initiatives or how you can get involved in your region, check out the events at the Salesforce Foundation.

A review of Record Level Security for Admins and Developers: Part 1

Security in Salesforce is a broad topic, and the platform gives you the power to configure your system with a high degree of precision. As an Advanced Administrator and as a Developer, Salesforce lets you control permissions and access settings for users and groups of users. For example, you can control:

  1. System security, such as when users log in and where they can log in from
  2. The sObjects they can see and the fields in each sObject
  3. The records a user can access in an sObject table

And so much more! For the context of this series, I’ll focus on the last item, Record Level Security (RLS), which in the world of Salesforce is known as Sharing. It allows you to define whether a user should have access to a record, and their level of access, if any.

So, why should you care about RLS/Sharing? It allows you to control access to the records in your sObject table and give users the rights they actually need (i.e. Read/Write) to the records that they should see. Additionally, it hides from them the records that they shouldn’t see. The latter is important because the records represent your company’s assets, knowledge, and relationships that it has invested in. With flimsy RLS, those assets are at risk. Why is this important? According to the Wall Street Journal, sales people in the US have one of the highest turnover rates of all professions. So, imagine if your rep jumped ship to a competitor, and your Salesforce implementation had lax RLS. That’s a problem! Still not scared? Check out what MVP Chris Peterson said on the subject.

Salesforce gives you a number of tools and approaches to address this issue and the common use cases. Additionally, it gives you the power to expand to more sophisticated rules via Apex.

This series will be broken down into the following parts:

  1. The introduction and  background components
  2. The tools to implement Record Level Security.
  3. Common use cases & Debugging problems.
  4. Sharing in Apex
  5. Pitfalls of restrictive Record Level Security and some approaches to handle it.

If you’re interested in learning more about Salesforce Security, the kind folks at Salesforce wrote a thorough reference on the topic.


Background: sObjects, Profiles, Permission Sets, Roles, and Types of Access


sObjects: What are they and how do they influence Sharing and Record Level Security?

sObjects have a lot of functionality in Salesforce; however, for the context of this discussion, you can think of them as database tables, where each table is a collection of rows and columns. If we were to picture these in a table, the columns would represent your fields, and the rows the records of actual data. Getting back to security in a table, I might want to control the following:

  • Who can access the table?
  • Who can access the columns?
  • Who can access which rows?

Record Level Security / Sharing addresses the 3rd question and is the focus of this article. The main driver of this is Roles, and to a lesser extent Profiles and Permission Sets.

Profiles/Roles/Permission Sets

Profiles and Roles represent two different groupings that each user is part of, with different purposes. For the context of this article, you should already be familiar with them; however, I want to highlight a few key points on each.

Profiles and Permission Sets control object access; that is, can the user Create/Read/Update/Delete records on this object? They also control whether the user can automatically view/edit all records on an object, or view/edit any record on every object. From a security perspective, these permissions bypass your RLS, and are easy to set up as an Administrator. However, they should be used judiciously, as they can expose records that shouldn’t be exposed. Additionally, every user needs to be assigned a profile.

OK, so say I grant a user Read and Write privileges on an object, what does that mean? That means he can read and edit records that he has access to. This is where Roles come in.

Roles in Salesforce control which records a user can see, and are analogous to users’ job roles. Roles are important because they drive much of the record sharing logic in Salesforce. Additionally, Roles can form public groups. As an implementation note, roles are optional in Salesforce; Profiles, on the other hand, are required.

Types of Access

On the platform, Salesforce provides four types of access when it comes to records. The access ranges from hiding the record from the user, to making it read only, to making it editable, to giving him full access. In Salesforce terminology, here are the types of access:

  1. Private – The record is hidden from the user, and he can’t access it in any way. In database terms, he can’t Read/Edit/Delete it.
  2. Read Only – The user can Read the record, and Create related records for it.
  3. Read/Write – The user can Read and Update the record, and add related records to it.
  4. Full Access – The user can Read, Update, and Delete the record. Also, he can transfer it and manually share the record. This is typically the record owner and the people above them in the Role Hierarchy. More on this in the next article.

That’s a lot to chew on. In my next article, I’ll cover the tools to implement a successful sharing model.

A review of Record Level Security for Admins and Developers: Part 3

In the previous blog entries of this series, I wrote about the background affecting Record Sharing & Security and the components that make it work. In this section I’ll discuss common sharing use cases, how to solve them, and how to prove the results. By no means is this list of use cases comprehensive, as there are similar scenarios that you can encounter with Territories and Teams; however, if you’d like those discussed, let me know, and I can cover them in another blog. I’ll also give you a great troubleshooting approach to resolve access issues that arise!

Sharing Use Cases

Use Case #1: Ensure a Manager in the Role Hierarchy can access his subordinate’s records on an object.

Suppose we want to ensure that the Regional Sales Director – East has the same access that his subordinates have. You can grant this via the Organization Wide Defaults settings on custom objects, using the “Grant Access Using Hierarchies” check box. To modify it, go to Security Controls | Sharing Settings and click Edit in the Organization Wide Defaults for that object. What about standard objects? Access is automatically granted using hierarchies on standard objects and cannot be changed.



How do you verify this?

  • Log in as the subordinate, and run a report on the object. For example, on opportunities, run an opportunity report showing all opportunities created since the beginning of time. Only extract the record ID, so the result is a single column.
  • Log in as the Manager (the subordinate’s manager in the Role Hierarchy) and run the same report. Again, only extract the record ID, giving a single column.
  • In Excel, create a sheet comparing the two record ID columns, and ensure that the Manager can see all the records that the Subordinate can see using this formula. Every one of the subordinate’s visible records should appear in the Manager’s column.

Use Case #2: Ensure a Manager in the Role Hierarchy CANNOT access his subordinate’s records on an object.

This is only possible on custom objects, and not standard objects, as discussed above. To do this, use the “Grant Access Using Hierarchies” check box: go to Security Controls | Sharing Settings, click Edit in the Organization Wide Defaults for that object, and then uncheck the box. However, the story is a little more complicated, because the manager might still have access to some of those records through existing sharing rules! Doh!

How do you verify this, and debug?

  • Run the same two reports discussed above in Salesforce.
  • In Excel, create a sheet comparing the record ID columns, and check whether the Manager can see any of the records that the subordinate can see using this formula. If so, continue to the next step.
  • In Salesforce, log in as a System Admin and open one of those records. Click on the Sharing button.
  • Find the Manager’s name and then click on the Why? link. This gives you the reasons why the Manager has access to the record (for more info on this functionality, check out this link). At this point, you’ll need to work with your stakeholder to decide whether your sharing rules should be changed.

Use Case #3: Sharing across Branches in the Role Hierarchy

In this scenario, say that the Regional Sales Director – East and the Regional Sales Director – West need access to each other’s records. The issue here is that they are in different branches of the Role Hierarchy, so to address this, you can create a Sharing Rule. In this case, I chose to make an owner based sharing rule and share the opportunities. This rule shares the Opportunities owned by the Regional Sales Director – West and his subordinates with the Regional Sales Director – East. After you set up this rule, you’ll have to create another sharing rule where the opportunities owned by the Role and Subordinates of the Regional Sales Director – East are shared with the Regional Sales Director – West.


How do you verify this?

We’ll use the same trick as Use Case #1:

  • Log in as the Regional Sales Director – West, and run a report on the object. For example, on opportunities, run an opportunity report showing all opportunities created since the beginning of time. Only extract the record ID, so the result is a single column.
  • Log in as the Regional Sales Director – East and run the same report. Again, only extract the record ID, giving a single column.
  • In Excel, create a sheet comparing the two record ID columns, and ensure that the records match up using this formula.

Use Case #4: Criteria Based Sharing with Public Groups

In this case, some criteria are met in a criteria based sharing rule, and you’re sharing the records with a public group in your organization. First, set up a Public Group. As a recap, Public Groups are a set of users, roles, roles and subordinates, or other groups who have something in common. In this case, I want to share the Closed Won Opportunities with Sales, so they can see all the sold deals, and with Customer Support. To do that, I add those Roles and their Subordinates to my Public Group. To do this, go to Setup | Public Groups. Next, define the members of your group.




Next, you’ll have to set up your Sharing rule. In this case you’ll use a Criteria Based Sharing rule. Set the criteria up accordingly (here Stage = Closed Won), and the people to share it with are in the above Public Group. You can adjust the access to Read or Read/Write accordingly. And there it is! You’re done.


How do you verify this?

  • To verify that the correct people are in the Public Group, work with the business to ensure that your list of people in the public group matches the right people.
  • To verify that the people in the public group have the right access, run a report similar to Use Case #3, but add to the report the criteria that you have in the sharing rule.
  • You can run the same report as an individual from each role that’s part of the Public Group. In each case, ensure that the columns in Excel are equal.
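The Excel comparison step used in the verification lists of Use Cases #1 through #4 can be scripted so it is repeatable after every sharing change. The Python below is an added example, not code from this post: it reads the two one-column report exports described above, normalises the IDs, reports what only the subordinate sees, what only the manager sees, and what both see, and then applies each use case’s expectation. The column name "Opportunity ID" and every ID in the sample exports are constructed sample data. One caveat worth knowing when you do this in Excel instead: Salesforce exposes record IDs in a 15-character case-sensitive form and an 18-character case-insensitive form whose first 15 characters are the same ID, and Excel compares text case-insensitively, so two different 15-character IDs that differ only in case look equal there; the script truncates to 15 characters and keeps the case.

```python
"""Compare two report extracts of record IDs to verify a sharing setup.

Added example, not part of the post: it replaces the Excel comparison
step with a script. Input is the one-column CSV export the post describes.
"""
import csv
import io


def load_ids(csv_text, column="Opportunity ID"):
    """Read the ID column from a report export and normalise to 15-character IDs.

    The 18-character ID form starts with the 15-character form, so truncating
    makes both comparable. Case is kept, because the 15-character form is
    case-sensitive (unlike an Excel comparison).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[column].strip()[:15] for row in reader if row[column].strip()}


def compare(subordinate_ids, manager_ids):
    """Split the two extracts into the three sets each use case asks about."""
    return {
        "only_subordinate": sorted(subordinate_ids - manager_ids),
        "only_manager": sorted(manager_ids - subordinate_ids),
        "both": sorted(subordinate_ids & manager_ids),
    }


def check(use_case, diff):
    """True when the comparison matches the expectation of the given use case."""
    if use_case == 1:        # manager must see everything the subordinate sees
        return not diff["only_subordinate"]
    if use_case == 2:        # manager must see none of the subordinate's records
        return not diff["both"]
    if use_case in (3, 4):   # both sides must see exactly the same set
        return not diff["only_subordinate"] and not diff["only_manager"]
    raise ValueError(f"unknown use case {use_case}")


# Constructed sample exports (IDs are made up; one is in 18-character form)
SUBORDINATE_CSV = """Opportunity ID
006A0000004ABCDEAA
006A0000004XYZ1
006A0000004QRS2
"""
MANAGER_CSV = """Opportunity ID
006A0000004ABCD
006A0000004XYZ1
006A0000004QRS2
006A0000004MGR9
"""


def run_example():
    """Compare the constructed exports; returns the diff and the per-use-case verdicts."""
    diff = compare(load_ids(SUBORDINATE_CSV), load_ids(MANAGER_CSV))
    verdicts = {uc: check(uc, diff) for uc in (1, 2, 3)}
    return diff, verdicts


if __name__ == "__main__":
    diff, verdicts = run_example()
    for key, ids in diff.items():
        print(f"{key:17}: {ids}")
    for uc, ok in verdicts.items():
        print(f"Use Case #{uc}: {'PASS' if ok else 'FAIL'}")
```

With the sample data the manager sees everything the subordinate sees plus one extra record, so Use Case #1 passes while #2 and #3 fail; swap in your own exports for the two CSV strings (or read them from files) to check a real org.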

Use Case #5: Adding a new Role

Say in this case your company has added a CFO under the CEO. The CFO shouldn’t see the CEO’s records but should see everything else, and the CEO should be able to see the CFO’s records. To accommodate this situation, you’ll have to create a new role in the Role Hierarchy for the CFO and adjust your Sharing Rules. Based on what I’ve shown in the previous 4 use cases, you should be able to get this; if not, contact me.
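To make the five use cases concrete, here is a small Python model of the sharing behaviour described in this series. It is an added example, not Salesforce code and not part of the original post: it models the Org Wide Default, the “Grant Access Using Hierarchies” setting, owner based sharing rules, a criteria based sharing rule shared with a public group built from roles and subordinates, and an owner who has no role, and it returns a reason with every access decision in the spirit of the Sharing button’s Why? link. All role names, usernames, record IDs and stages are constructed. The model is simplified on purpose: it does not roll rule-granted access up the hierarchy, and it ignores Profile and Permission Set overrides such as View All.

```python
"""Simplified model of Salesforce record sharing as described in this series.

Added example, not Salesforce code. It models Org Wide Defaults,
"Grant Access Using Hierarchies", owner based sharing rules, criteria based
sharing rules with a public group, and owners without a role. Roll-up of
rule-granted access through the hierarchy and profile-level overrides
(View All / Modify All) are deliberately left out.
"""
from dataclasses import dataclass, field

# Access levels in the order the post lists them
PRIVATE, READ_ONLY, READ_WRITE, FULL_ACCESS = 0, 1, 2, 3
LEVEL_NAME = {PRIVATE: "Private", READ_ONLY: "Read Only",
              READ_WRITE: "Read/Write", FULL_ACCESS: "Full Access"}


@dataclass
class Record:
    record_id: str
    owner: str          # username of the record owner
    stage: str = ""     # field used by the criteria based rule


@dataclass
class SharingModel:
    role_parent: dict                     # role -> parent role (None at the top)
    user_role: dict                       # username -> role (None = no role assigned)
    org_wide_default: int = PRIVATE
    grant_using_hierarchies: bool = True  # only adjustable on custom objects
    # (owner role, shared-with role, access): records owned by the first role
    # and its subordinates are shared with users in the second role
    owner_rules: list = field(default_factory=list)
    # (field, value, public group as a set of "role and subordinates", access)
    criteria_rules: list = field(default_factory=list)

    def ancestors(self, role):
        """Roles above `role` in the hierarchy, nearest first."""
        out, r = [], self.role_parent.get(role)
        while r is not None:
            out.append(r)
            r = self.role_parent.get(r)
        return out

    def in_role_and_subordinates(self, role, top):
        """True when `role` is `top` itself or sits anywhere below it."""
        return role is not None and (role == top or top in self.ancestors(role))

    def why(self, user, record):
        """Return (access level, reason): the model's answer to the Why? link."""
        if user == record.owner:
            return FULL_ACCESS, "record owner"
        user_role = self.user_role.get(user)
        owner_role = self.user_role.get(record.owner)
        level, reason = self.org_wide_default, "org wide default"
        # Managers above the owner in the Role Hierarchy get the owner's access;
        # an owner with no role has nobody above them, so nothing is granted
        if (self.grant_using_hierarchies and owner_role is not None
                and user_role in self.ancestors(owner_role)):
            return FULL_ACCESS, "role hierarchy"
        for owner_top, with_role, acc in self.owner_rules:
            if (self.in_role_and_subordinates(owner_role, owner_top)
                    and user_role == with_role and acc > level):
                level, reason = acc, f"owner based rule: {owner_top} -> {with_role}"
        for fld, value, group, acc in self.criteria_rules:
            if (getattr(record, fld) == value and acc > level
                    and any(self.in_role_and_subordinates(user_role, g) for g in group)):
                level, reason = acc, f"criteria based rule: {fld} = {value}"
        return level, reason


def build_example():
    """Constructed org: a CEO with a CFO, two Regional Sales Directors and Support."""
    model = SharingModel(
        role_parent={"CEO": None, "CFO": "CEO", "RSD East": "CEO", "RSD West": "CEO",
                     "Rep East": "RSD East", "Rep West": "RSD West", "Support": "CEO"},
        user_role={"ceo": "CEO", "cfo": "CFO", "rsd_east": "RSD East",
                   "rsd_west": "RSD West", "rep_east": "Rep East", "rep_west": "Rep West",
                   "support": "Support", "contractor": None},
        owner_rules=[("RSD West", "RSD East", READ_ONLY),   # Use Case #3, both directions
                     ("RSD East", "RSD West", READ_ONLY),
                     ("RSD East", "CFO", READ_ONLY),        # Use Case #5: CFO sees sales records
                     ("RSD West", "CFO", READ_ONLY)],
        criteria_rules=[("stage", "Closed Won", {"Support"}, READ_ONLY)],  # Use Case #4
    )
    records = {
        "o1": Record("o1", "rep_east", "Prospecting"),
        "o2": Record("o2", "rep_west", "Closed Won"),
        "o3": Record("o3", "ceo", "Prospecting"),
        "o4": Record("o4", "contractor", "Closed Won"),   # owner without a role
    }
    return model, records


def visibility_matrix(model, records):
    """Access level name for every (user, record) pair."""
    return {(u, rid): LEVEL_NAME[model.why(u, rec)[0]]
            for u in model.user_role for rid, rec in records.items()}


if __name__ == "__main__":
    model, records = build_example()
    for (u, rid), lvl in sorted(visibility_matrix(model, records).items()):
        print(f"{u:10} {rid}: {lvl:11} ({model.why(u, records[rid])[1]})")
```

Running it shows Use Case #1 (rsd_east gets Full Access to rep_east’s o1 via the hierarchy), #3 (rsd_east gets Read Only on rep_west’s o2 through the owner based rule), #4 (support sees the Closed Won o2 and nothing else), and #5 (cfo cannot see the CEO’s o3 but reads the sales records, while the CEO sees cfo-owned records); flipping grant_using_hierarchies to False reproduces Use Case #2. Record o4, owned by a user with no role, is invisible to everyone above, which is exactly the symptom the troubleshooting section attributes to missing role assignments.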

Troubleshooting Sharing in Salesforce

Typically, you’ll have two troubleshooting scenarios in Salesforce:

  1. Why can a user access a record?
  2. Why can’t a user access a record?

We’ve discussed #1 a bit, but to summarize, you can answer this using the Sharing button. Go to the record in question, and click the Sharing button. Find the user’s name and then click on the Why? link. This gives you the reasons why the user has access to the record, and you can reevaluate your sharing rules accordingly (for more info on this functionality, check out this link). The harder troubleshooting case to answer is why a user can’t access a record. Sadly, this is more complicated, but there’s a diagram to help you out.

[Diagram: troubleshooting Sharing Rules]

If these don’t get you anywhere, there is another thing to consider. Since Roles are optional in Salesforce, it’s possible that a user is not assigned a role. Since the bulk of Sharing is role based, the model potentially breaks down when either the record owner or the user in context isn’t assigned a role. To verify this, check the user’s detail page.

[Screenshot: user detail page with no role assigned]


And there it is! Subscribe to my blog, and in the next post, I’ll discuss Sharing in Apex!