Object-Level Security (OLS)
The first level of access type is Object-Level Security (OLS), as we saw previously on the profile edit page.
These kinds of operations are usually referred to as CRUD operations:
- Create
- Read
- Update (or Edit)
- Delete
Some of them respect sharing configurations while some do not:
- Read: Users can view records of this type if the sharing settings allow them to (sharing respected).
- Create: Users can create and view records (sharing respected regarding the read operation); that is, you cannot have Create without Read enabled.
- Edit: Users can edit and read records (sharing respected); there can be no Edit without Read.
- Delete: Users can read, edit, and delete records (sharing respected); there can be no Delete without Read and Edit.
- View All: Users can see all the records of this object and thus sharing is not respected.
- Modify All: Users can read, edit, delete, transfer, and run approval on all the records of this object, thereby overriding the sharing settings.
View All and Modify All work like the View All Data and Modify All Data user permissions on profiles, but they are the better alternative because they grant that access with finer granularity: on the records of a single object rather than on every record in the organization.
Object accessibility causes the object’s tab to be visible to a given user.
View All Data and Modify All Data permissions should be granted to administrators only as they should be the only ones who can view every record in your organization.
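The rules above can be checked mechanically when reviewing profiles. The following is an added example, not code from the original text: it audits rows shaped like a flattened export of the ObjectPermissions sObject, reporting any permission granted without its prerequisite and any View All or Modify All grant on a non-administrator profile. The sample rows, the "Profile" column name, and the approved administrator list are constructed assumptions.

```python
# Added example: rows are constructed, shaped like a flattened export of the
# ObjectPermissions sObject (one row per profile and object). "Profile" is an
# assumed column name standing in for Parent.Profile.Name.
REQUIRES = {  # dependencies stated in the list above
    "PermissionsCreate": ["PermissionsRead"],
    "PermissionsEdit": ["PermissionsRead"],
    "PermissionsDelete": ["PermissionsRead", "PermissionsEdit"],
}
OVERRIDES = ["PermissionsViewAllRecords", "PermissionsModifyAllRecords"]
ADMIN_PROFILES = {"System Administrator"}  # assumption: your approved admin list

def row(profile, obj, *granted):
    """Build one constructed sample row; unlisted permissions are False."""
    r = {"Profile": profile, "SobjectType": obj}
    r.update({p: False for p in list(REQUIRES) + OVERRIDES + ["PermissionsRead"]})
    r.update({p: True for p in granted})
    return r

def audit(rows, admins=ADMIN_PROFILES):
    """Return (profile, object, kind, detail) for every rule a row breaks."""
    findings = []
    for r in rows:
        who, obj = r["Profile"], r["SobjectType"]
        for perm, needed in REQUIRES.items():
            if r.get(perm):
                for dep in needed:
                    if not r.get(dep):
                        findings.append((who, obj, "dependency", f"{perm} without {dep}"))
        for perm in OVERRIDES:  # sharing is bypassed for the whole object
            if r.get(perm) and who not in admins:
                findings.append((who, obj, "sharing-override", perm))
    return findings

R, C, E, D = "PermissionsRead", "PermissionsCreate", "PermissionsEdit", "PermissionsDelete"
SAMPLE = [
    row("System Administrator", "Account", R, C, E, D, *OVERRIDES),
    row("Sales User", "Account", R, C, E),
    row("Support User", "Case", R, OVERRIDES[0]),
    row("Integration User", "Invoice__c", R, E, D, *OVERRIDES),
    row("Hand-edited Profile", "Contact", R, D),  # Delete without Edit
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The dependency findings are mainly useful for exports or metadata assembled by hand; the sharing-override findings are the ones to review against your administrator list.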
Field-Level Security (FLS)
The concept of Field-Level Security (FLS) is easily pictured in the FLS settings for a given profile’s access to an object.
You can define Read Access and Edit Access on fields (Edit Access requires Read Access). If you remove Read Access from a given field, the user won’t be able to see that field on the object layout, even if the field has been added on that layout.
The same applies to Edit Access. If the record is in edit mode but the current user doesn’t have Edit Access to that field, the field won’t be writable.
Required fields (marked as required or master-detail fields) will always have read and edit access, while system fields (such as Created By or Created Date) will always be read-only.
You can enable editing for audit fields for imported records only. Go to https://help.salesforce.com/articleView?id=000171151 for more details.
You should prefer FLS to layout-specific field configurations since it reduces the number of required layouts and makes field access coherent across profiles and record types.
If you want to see what determines field access, jump to Setup | Object Manager, look for any object, click on Fields & Relationships, select any field, and click on the View Field Accessibility button to see the field accessibility display.
For every record type (if any) and profile, you will have a picture of field accessibility (Hidden, Read-Only, or Editable) on the assigned profile.