Roles are created according to the corporate hierarchy of the system. Roles determine how the data is shared with the user. While profiles determine which objects can be seen by which users, roles determine which records from the object can be seen by the user. The user can be separated on the basis of their work department, territory, or company hierarchy.
The following diagram illustrates a basic sample role hierarchy:
In the preceding diagram, A, B, C, and D, are records of the same objects owned by Rep1, Rep2, Rep3, and Rep4, respectively. While all the four reps have access to the same objects, they do not have access to each other's records. Manager 1 can see the data and reports from Rep1 and Rep2 as they come under his hierarchy. He cannot, however, access the data for Rep3 and Rep4. The Super Manager can see the entire organization's data as he is topmost in the hierarchy.
Role hierarchy prevents the data from being seen by people at the same level in the hierarchy, at the same time it grants full access to the people on top of the hierarchy. In the preceding example, Manager 1 will get all access to the Rep1 data.
To achieve this, we set up a role hierarchy.
Perform the following steps to set up a role hierarchy:
The general library now wishes to install this system across multiple locations. They have branches on the East coast as well as the West coast.
The structure of the organization is as follows:
A user can have only one profile at a time but can have multiple permission sets. A permission set is a collection of settings and permissions. The permission sets are the same permissions that are found on profiles. The permission set extends the user functions without changing their profiles.
The permissions that are enabled in either the profile or the permission set are enabled for the user who has the right combination. For example, if the profile or the permission set has the API Enabled permission, the user with that combination will get the API Enabled permission.
We can use the permission set to create fuzzy grouping of users irrespective of their job roles. For example, if a few sections of users need to have the edit permission on the Media object, we can create a permission set for it and assign to it those users irrespective of their profiles or roles.
To create a permission set, perform the following steps:
–- none --
:While roles and profiles are used to determine the user-based security, the organization-wide default determines the distribution of data with the user. We use the defaults in the object to determine which people across the role hierarchy can access which objects.
To set up Organization-wide defaults, follow these steps:
The following options determine the sharing settings of the object:
Private |
The role hierarchy is observed and people cannot view their peer records. |
Public Read Only |
This is useful if we have master data that the people refer to, for example, the books info in the library. They can be kept as public read only. In this case, everyone across the hierarchy can see the data. |
Public Read/Write |
This option does not obey any role hierarchy and anyone can edit/modify or even delete the objects, depending on their profile permissions. |
To set up organization-wide defaults, follow the simple method:
3.145.206.43