Profiles
Profiles are the primary way to customize the Force.com user experience. They contain a large number of settings to control the user interface and data security of your organization. Users are assigned to profiles based on the tasks they need to perform in your system.
The two types of profiles are standard and custom. Standard profiles are provided with Force.com and cannot be renamed or deleted, although they can be reconfigured. Custom profiles have the same functionality as standard profiles but can be named. They can also be deleted if no users are assigned to them.
To manage profiles, click Setup, and in the Administration Setup area, click Manage Users, Profiles. In the realm of data security, the two primary sections to focus on are Administrative Permissions and Object Permissions.
Tip
Make sure Enhanced Profile List Views and Enhanced Profile User Interface options are enabled for your organization. The Enhanced Profile List Views feature allows up to 200 profiles at a time to be compared and modified easily, with far fewer clicks than the default user interface. The Enhanced Profile User Interface organizes profile settings by common administrative tasks and makes them searchable. To enable these features, click Setup, and in the App Setup area, click Customize, User Interface.
Administrative Permissions
Two administrative privileges in a profile trump all other security features in Force.com: Modify All Data and View All Data. Users of a profile with these permissions can modify and view all records of all objects, overriding all Force.com security measures. These permissions are powerful, so grant them with extreme care in a production environment. Developers need these permissions to work with tools such as the Force.com IDE, but this applies only in a sandbox or development environment.
Object Settings
Object permissions are divided into two sections: one for standard objects and another for custom objects. They have identical functionality. Note that object permissions cannot be edited on standard profiles. Figure 3.3 shows the section of a custom profile that defines object permissions.
Each object name is followed by a list of its permissions. The permissions are described in the following list:
Read—The Read permission allows users to view records of this object.
Create—The Create permission permits Read access and the addition of new records to the object.
Edit—The Edit permission allows records in this object to be read and modified, unless overridden by field-level permissions.
Delete—The Delete permission enables users to read, edit, and remove records from this object. Deleted records are moved to the Recycle Bin, where they can be undeleted or permanently erased.
View All—The View All permission is like the systemwide View All administrative permission but scoped to a single object. It’s designed for use in exporting data because it circumvents other security features of the platform, ensuring that all records are accessible.
Modify All—Like View All, the Modify All permission is intended for bulk data operations such as migration and cleansing. It allows users to modify all fields of all records in this object, overriding every other security measure.
New custom objects initially have all permissions disabled for all profiles, except those with View All Data or Modify All Data administrative permissions. This platform behavior of defaulting to the most secure configuration ensures that your data is not unintentionally exposed.
Licensing
Profiles are associated with a user license. Licenses are how Salesforce charges for the Force.com platform when you’re ready to go into production with an application. Salesforce has many license types to provide flexibility in pricing, including low-priced options for external customers and partners known as “portal licenses,” but the most basic licenses are Salesforce and Salesforce Platform. The Salesforce Platform license allows full use of Force.com but disables the business domain-specific functionality, such as CRM or Sales Force Automation (SFA). For example, a Salesforce license grants you the use of the Opportunity and Case objects, but a Salesforce Platform license does not. Sometimes even infrastructure features are downgraded. For example, profiles for a full Salesforce license can delegate administration on standard and custom objects. The Salesforce Platform license limits this feature to custom objects only.
Planning ahead pays in regard to licensing Force.com. If you are sure you do not need the extra features of the Salesforce license, select the Salesforce Platform license for your profiles. This cuts down on the number of objects and features you see during development and prevents you from accidentally referencing one of them. Also, in order to assign a user to a profile, that user must have a user license that matches the profile. Your custom profile cannot be associated with a different license after it has been created.