You are here:
Permissions and Access Settings
User, object, and field permissions and access settings can be specified in profiles and permission sets. To use them effectively, understand the differences between profiles and permission sets.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| The available permissions and settings vary according to which Salesforce edition you have. |
| Permission sets available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
Permissions and access settings specify what users can do within an organization:
- Permissions determine a user's ability to access object records and perform certain tasks, such as viewing the Setup menu, permanently deleting records in the Recycle Bin, or resetting a user's password.
- Access settings determine other functions, such as access to Apex classes, app visibility, and the hours when users can log in.
Every user is assigned only one profile, but can also have multiple permission sets. When setting up your users, use profiles to manage default settings, such as assigned apps, record types, page layouts. Then use permission sets to configure permissions and access settings.
This table shows the types of permissions and access settings that can be specified in profiles and permission sets and the recommended feature for managing them.
| Permission or Setting Type | In Profiles? | In Permission Sets? | Recommended Feature |
|---|---|---|---|
| Assigned apps |
|
|
Profiles for default assigned apps, permission sets for additional assignments |
| Tab settings |
|
|
Permission sets |
| Record type assignments |
|
|
Profiles for default record types, permission sets for additional assignments |
| Page layout assignments |
|
Profiles | |
| Object permissions |
|
|
Permission sets |
| Field permissions |
|
|
Permission sets |
| User permissions (app and system) |
|
|
Permission sets |
| Custom permissions |
|
|
Permission sets |
| Apex class access |
|
|
Permission sets |
| Visualforce page access |
|
|
Permission sets |
| External data source access |
|
|
Permission sets |
| Connected app access |
|
|
Permission sets |
| Legacy SAML service provider access (not created via connected apps) |
|
|
Permission sets |
| Login hours |
|
Profiles | |
| Login IP ranges |
|
Profiles |
- User Permissions
User permissions specify what tasks users can perform and what features users can access. For example, users with the View Setup and Configuration user permission can view Setup pages, and users with the API Enabled user permission can access any Salesforce API. - Object Permissions
Object permissions specify the base-level access users have to create, read, edit, and delete records for each object. - Field Permissions
Field permissions, or field-level security, lets you specify whether users can view or edit each field for an object. - Custom Permissions
Use custom permissions to give users access to custom processes or apps. - Permission Dependencies and Alignment
Some object and user (app and system) permissions are dependent on each other to make sure that assigned users have the correct access to related data and tasks. When needed, Salesforce automatically enables dependent permissions in profiles and permission sets to grant assigned users required object and feature access. - Revoke Permissions and Access
You can use profiles, permission sets, and permission set groups to grant access but not to deny access. Permissions granted from profiles, permission sets, and permission set groups are honored. For example, if Transfer Record isn't enabled in a profile but is enabled in a permission set, the assigned user can transfer records regardless of whether the user owns them. To revoke a permission, you must remove all instances of the permission from the user.
Did this article solve your issue?
Let us know so we can improve!
