The access restriction for different objects is managed by using profiles and permissions. The type of access (view, edit, create, etc.) can also customized thorough this mechanism. A user can have only one profile, but can have multiple permission sets. So through profiles the minimum basic permissions for the selected objects is granted while, through permission sets additional permissions beyond the profile can be granted.
Let us now see the details of the profiles creation and granting permission to understand how the object access is managed.
Profiles are created to address the requirements of a particular business function. For example, the HR department needs a profile which will have access to work history, medical history and attendance of employees. While the finance department will need profile which will access the attendance and remuneration details of an employee. Now depending on the user’s job role, the profile is attached to the user. Only one profile can be allocated for a user.
Go to the link path Setup Home → Users → Profiles. You can see some existing profiles which are pre-built in the salesforce platform. We can create new profiles by cloning the existing profiles and customizing them further based on our requirements.
Let us now see an existing profile named the standard user. It shows all the types of settings available to this profile. For example, we can set object permissions for both standard objects as well as custom objects. We can also set different administrative permissions and general user permissions and so on.
In order to control the permission to each of the objects through this profile, we can scroll down and find the list of both standard objects and custom objects. Here we can use the check boxes to customize the object access.
Once a new profile has been created, it can be assigned to users by going to the link path Setup Home → Users → Users. Now click on the edit to the left of the user name. You will be directed to a new window where in, you can change the profile from the dropdown.
Permission sets are additional access given to a user on some objects which are not covered through their profiles. So it just extends users access to some objects based on their profiles. For example, when a new custom object is created, we create a permission set for those objects and attach those permission sets to the users who will need access to those objects. The same logic applies when we want to grant temporary access to specific objects for a user.
We create a permission set by going to the link path Setup Home → Users → Permission Sets. Click on the New button to create a new permission set.
Once created, we can edit the permission set and choose Object Settings. Here we can see the list of objects and the level of access to these objects. We can edit the access types for each of these objects.