Custom Object Security
Learn how security settings work together so you can control access to your custom objects with great flexibility.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions Tabs aren’t available in Database.com. |
Set custom object security at the following levels
- Tab—display the custom tab for the appropriate users based on their user profiles.
- Object—set the access users have to create, read, edit, and delete records for each object.
- Records—set the default sharing model for all your users. This determines the access users have to custom object records that they don’t own.
- Relationship—for objects on the detail side of a master-detail relationship, specify the sharing access that users must have to the master record in order to create, edit, or delete the associated detail records. This is specified in the Sharing Setting attribute of the master-detail relationship field on the detail object.
- Fields—set the level of access users have to fields on your custom object page layout.
These requirements apply to custom objects with no master-detail relationship.
| Action | Required Privileges |
|---|---|
| Create a record | Create permission. The user must have the tab displayed to create a record from the Create New dropdown list in the sidebar. |
| View a record | Read permission and Public Read Only or Public Read/Write sharing model if not the record owner. |
| Edit a record | Edit permission and Public Read/Write sharing model if not the record owner. |
| Delete a record | Delete permission and must be the record owner or above the record owner in the role hierarchy. |
These requirements apply to custom objects that have a master-detail relationship with a standard or custom object.
| Action | Required Privileges |
|---|---|
| Create a record | Create permission and either read or read/write access to the related master record, depending on the value of the Sharing Setting attribute of the master-detail relationship field on the detail object. |
| View a record | Read permission and read access to the related master record. If the record has two master records in a many-to-many relationship, the user must have read access to both master records. |
| Edit a record | Edit permission and either read or read/write access to the related master record, depending on the value of the Sharing Setting attribute of the master-detail relationship field on the detail object. |
| Delete a record | Delete permission and either read or read/write access to the related master record, depending on the value of the Sharing Setting attribute of the master-detail relationship field on the detail object. When a user deletes a record that has related custom object records, all related custom object records are deleted regardless of whether the user has delete permission to the custom object. |
Delegated administrators can manage nearly every aspect of specified custom objects, but they can’t create or modify relationships on the object or set organization-wide sharing defaults.
