Configuring Salesforce Security — A Step-by-Step Process

Salesforce security can seem daunting at first. It’s a robust system with many components, reflecting its flexibility in handling a wide range of data access and sharing scenarios.

For organizations using Salesforce primarily as a CRM, the default configuration typically meets most needs, with only minor adjustments to the role hierarchy. However, due to its complexity, developing a practical and comprehensive security setup can be challenging.

This post provides a clear, step-by-step guide to configuring Salesforce security in a structured manner.

Before you begin

  • Familiarize Yourself with Key Salesforce Security Concepts — Brief descriptions with documentation links are provided below.
  • Understand Your Organization’s Structure — Identify key user roles and departments, and establish high-level user stories to determine who needs access to what.
 

Salesforce Security Concepts

The table below provides an overview of key Salesforce concepts related to security configuration:

ItemDescription
Object

An object type stored in Salesforce such as an account, order, etc., including custom, user-defined objects.

An object roughly corresponds to a table in a relational database.

Record

An instance of an object, actual record in the database (e.g., ACME Corp. account).

A record corresponds to a table row in a relational database.

FieldAn individual field on an object or record (a column in a relational database).
Record Type

Optional, special field type determining sub-type of an object. For example, a case object might be a Customer case or an Internal case, each one having slightly different characteristics. Record types drive:

  • How objects are shown to the users (page layouts)
  • Visibility/access (certain record types can be made accessible only to specific users via profiles)
  • Business process flows (e.g., a Customer case may be processed differently than an Internal one)

More information about record types is available here.

Page Layout

Page layouts define how an object is presented to a user (which fields are visible, their order, available action buttons, etc.).

An object might have multiple layouts, e.g., support team may see different account details than the sales team.

Another example would be a custom ‘Network Element’ object that could have a router, switch and firewall type and display different fields for each type. Page layouts are assigned on a per record type/profile basis (a two-dimensional matrix):

Salesforce page layout assignments

More information about page layouts is available here.

Profile

Profiles define how users access objects and data, and what they can do within a Salesforce org. Each user can have only one profile.

More information about profiles is available here.

Permission SetA set of permissions (usually supplementing profiles). Unlike profiles, user can have multiple permission sets.
Permission Set GroupA collection of permission sets, so they can be assigned to users in bulk.
Role

A role describes user position in the organization hierarchy (CEO, VP Sales, VP Delivery) and is used in conjunction with Sharing Rules (see below), determining which records (not objects!) can be accessed by a user. Each user can only have one role.

More information about roles is available here.

Sharing Rule

Sharing rules define how records are ‘shared’ based on role in the organization and reporting structure. By default, users can see their own records, but sharing rules enable exceptions, e.g., a manager can see his employees’ cases, opportunities, etc.

More information about sharing rules is available here.

Lightning Experience

Salesforce Lightning is a modern user interface with mobile client support (as opposed to the former Classic interface). Lightning also adds additional functionality such as Lightning Pages and Lightning Apps (described below) that have impact on security configuration.

More information about Lightning Experience is available here.

Lightning Page

Lightning Pages extend Page Layouts for the Lightning user interface. They adapt to target device and are built out of components (Page Layout is one of them) and are highly customizable.

Object Lightning pages are assigned on a per-record type/profile/Lighting App basis (a three-dimensional matrix):

Salesforce Lightning page assignments

More information about Lightning Pages is available here.

Lightning App

A Lightning App (“app”) is a collection of menu items and a home page. It usually groups items required to perform a well-defined business function (e.g., “Sales”). Apps do not affect access to records, only what is presented to users.

Third party packages usually provide their own apps, but they can be built as needed. It is a common practice to build an app on a per-department basis.

Apps are accessible via the Salesforce app launcher:

Salesforce App Launcher

  • A user may have access to multiple apps, with only one designated as default in the Profile (Custom App Settings)
  • An app may be available to multiple profiles
  • Each app has a designated home page

More information about Lightning Apps is available here.

Lightning App Home Page

Each app has its own home page. Home pages are Lightning pages and can be designed using any components such as list views, dashboards or even completely custom ones.

Home pages are a great place for user work items such as active tasks, open orders, open cases, etc.

Salesforce Security Model

Salesforce has a two-layer security model (we recommend reading this blog for details):

  • Object and Field-Level Security: This first layer controls which objects and fields can be accessed by users (e.g., a user has access to opportunities but not to support cases).
  • Record-Level Security: The second layer determines which individual records can be accessed by a user, e.g., a sales rep can only access his opportunities, a manager can access opportunities for his entire team.

Applying Security Model to Organization Chart

An organization’s structure usually maps directly to Salesforce’s Object and Record-level security:

  • Departmental structure determines what can be seen and how it is presented to the users. In Salesforce, this corresponds to:
    • Access to objects and fields → Managed through Profiles and Permission Sets,
    • How data is displayed  → Managed through Page Layouts and Lighting Pages.
  • Employee hierarchy/reporting structure determines access to individual records controlled by Roles and Sharing Rules.
 

A Step-by-Step Approach to Salesforce Security

 
Step 1

Profiles

Profiles are the starting point for security configuration:

  1. Isolate and leave Sales profiles intact (most likely your Salesforce was initially used for sales, and these are already configured and working).
  2. Create additional profiles according to the following rules:
    • Create profiles per department or team,
    • Share profiles if possible, to minimize their number,
    • Generalize as much as possible, e.g., if a Finance department consists of Accounts Payable (1 employee), Accounts Receivable (2 employees) and Accounting (2 employees), creating a single Finance profile makes most sense.
  3. Review custom/standard object access on each profile. Keep profiles simple, and handle as much configuration as possible via permission sets and permission set groups.
Pro TipIt is unnecessary to create separate profiles for managers — a basic profile and a manager permission set or set group and sharing rules are usually sufficient.
 

Unlike permission sets and set groups, profiles cannot be deployed as part of Salesforce packages or change sets.

 
Step 2

Permission Sets and Groups

Permission sets supplement profiles. We recommend the following approach to configuring permission sets:

  1. Identify the exceptions — typically these are Delete operations or items that raised suspicions during profiles configuration (Definitely not everybody should be able to do that!). Create separate permission sets for these.
  2. When dealing with a large number of permission sets, combining them into permission set groups for departments or teams works best.
Pro TipPermission sets are a limited resource and should be used with caution (Setup → Company Information → Permission Set Licenses).
 
Step 3

Roles and Sharing Rules

  1. Configure roles — they will typically reflect the reporting structure of the organization chart, so this part is usually relatively easy.
  2. For each object review its sharing rules. This will depend on business needs; however, it is generally a good policy to start with restrictive sharing rules and opening them gradually.
Pro TipSometimes it is difficult to determine sharing rules for non-sales objects, such as cases, orders, etc. In that case one may start with a high-level ‘delivery’ or ‘support’ roles and refine them later on.
 
Step 4

Page Layouts and Lighting Record Pages

Most objects that have record types will have a per record type layout. This is a good starting point; additional, profile specific layouts can be added on an as-needed basis.

The same applies to Lightning record pages.

Pro TipMaintenance of multiple layouts gets cumbersome, so new non-record type layouts should be added with caution.
 
Step 5

Lighting apps and Home Pages

Since every profile has only one default app, it is best to define an app and home page for each.

 
Step 6

Groups

Groups are important for visibility and sharing of list views, dashboards and reports.

Unlike profiles, groups may be very granular as particular departments and sub-departments may have list views/reports specific to their activities.

 
Step 7

Queues

Queues are needed for group object assignments, e.g., a task is assigned to a departmental queue, before assignment to an individual.

Typically queues configuration closely mirrors groups configuration.

Naming Conventions

For businesses with complex organizational structures and permission systems, it is a good practice to establish a naming convention for security objects. This makes security easy to configure, maintain and understand.

For example, a fictional ACME Corp. may use the following convention:

  • Profiles: ACME Sales, ACME Orders, ACME Customer Service, … — following departmental names,
  • Permission Set Groups: ACME Sales, ACME Sales Managers, … — following departmental names with separate permission sets for regular users and managers,
  • Permission Sets: AC Contact Management, AC Order Management, … — following areas of operation.

A configuration based on these conventions may look like this:

Salesforce security configuration example

Conclusions

In today’s business landscape, cyber and data security are top priorities. While Salesforce’s security model can be complex — especially when used beyond basic CRM — configuring it in a structured way ensures both effectiveness and ease of maintenance, even as your organization evolves.

Contact us today to find out how we can help you!

    Thank you for contacting Nextian. Your request was successfully submitted, we will get back to you within two working days.

    BY INDUSTRY

    Cloud Infrastructure Providers

    Cloud Software Companies

    Managed Service Providers

    Communications Service Providers

    BY ROLE

    CEO / Owner

    CRO / VP Sales

    CFO / VP Finance

    COO / VP Operations

    CPO / VP Product

    CIO / VP IT

    Product Management

    Plan, launch and manage your product offerings throughout their entire lifecycle.

    CPQ & Sales

    Quickly create accurate quotes for complex products, subscriptions and add-ons

    Order Management

    Ensure faster, consistent order delivery with tasks, workflows and automation

    Service Management, Support & Monitoring

    Retain and upsell customers with comprehensive account intelligence, support, monitoring, analytics

    Customer Portal

    Empower your customers with 24/7 self-service, support and on-line ordering

    NEXTIAN PLATFORM

    Platform Overview

    Billing Integration

    Network Monitoring Integration

    Reporting & Analytics