What is a profile?
A profile is a collection of permissions and settings that is instrumental in determining a user’s functional access (apps, tabs, object-level permissions), how information is displayed to the user (page layouts, record types, field-level security), and a wide range of other permissions. Each user must be assigned one profile.
Security |
---|
Org-Level Permissions |
Object-Level Permissions |
Field-Level Permissions |
User Permissions |
User Interface |
---|
Applications |
Tabs |
Page Layouts |
Record Types |
User Interface settings will be expanded upon in detail later in this guide.
What’s the difference between standard and custom profiles?
Standard profiles are included with Salesforce. Object-level and user permissions cannot be changed on these profiles. Standard profiles cannot be deleted.
Custom profiles are created by an administrator and can be fully customized. Custom profiles can be deleted.
When should I create custom profiles?
Generally speaking you’ll want to create custom profiles prior to assigning users to profiles. As you have limited ability to change standard profiles, it is generally a best practice to assign all users (with the exception of the system administrator) to custom profiles.
If users are assigned a standard profile and you later need to change their permissions (e.g. add read access to a custom object), you’d have to create a custom profile and then migrate all of those users to the custom profile.
Hi John can you clarify this for me please – the difference/similarities between Public Groups and Teams.
Can the use of Public Groups give the same access as Opportunity Teams do?
Could you solely use Public Groups to give user John Doe access to opportunities that he would normally not have access to?
So by adding user John Doe to an Opportunity Team isn’t that giving John Doe redundant access?
Public groups are used to put grant access to records and folders, while permission sets are used to grant permissions (object, field, etc.)
Teams are used to designate who is working on a record (e.g. who is the account manager) as well as who grant access to the record.
Hi John,
I submitted this similar question yesterday under another topic but I can seem to find it now.
So here is my question again.
What are the functional uses differences between Public Groups and Permission Sets?
How should each of these functional components be used?
If I put user Joe Doe in a public group to be able to access certain Accounts that he would normally not have access to, does including user John Doe in a Permission Set make this redundant?
In other words, can Public Groups or Permission Sets be used interchangeably to give more access for the user?
John,
What is the capability of the salesforce platform user license? I thought that users assigned this profile could have access to custom apps. However, I can’t seem to understand why my profile doesn’t have access to a custom app I have in my instance. Thank you,
The license can access custom apps yes- but you also need to configure your profile to ensure that they have access. If you are using the standard profile included for that license they probably do not…
Hi John, can the tabs settings be changed on a standard profile? For example, if I wanted to make the tab for the case object default off or hidden, can that be done on a standard profile? Thanks
Yes you can – have you tried modifying one?
Hey John,
I don’t get what the grid at the top of this page is trying to show… “Security” “User Interface”, is it just showing what Profiles include? Do profiles include Page Layouts?
Profiles set security which includes org-level permission, etc. and profiles influence the user interface which includes page layouts, apps, etc.
Hi John,
I have aquestion with regard to App access.
We have a free source app installed on our live environment that allow MERGE for various objects (incl. custom). It was not installed by me and I see that it is not limited to number of licences.
I allowed access to that app for a certain profile – successfully. However, when the user try to use that app she gets an error message that the app is not accessible for her.
What am I missing here?
Thank you,
Gil
There is probably a visualforce page or something like that contained within the app that they need access to as well- check the components in the managed package.
Also check the docs in the managed package for advice. Lastly, see if there is a permission set included in the managed package that can easily assign the permissions without having to track all that down.
John – How do you navigate to user permission on a profile
Edit the profile- any of the checkboxes under the user section (with the class profile editor enabled)
John – What is user permission on a profile regards to that they cannot be changed on standard profile. What are you referring to when you say user permissions
Edit a standard profile – if you are using the standard profile editor there is a section for user permissions (about half of the checkboxes for the profile)
Need help with setting up profiles / users
I am on a test Dev environment trying to create some users on my Org and mapping them to some Custom profiles
On None of the user records I create, I get an option to choose “Salesforce” user license. Is this a limitation on the Dev Org ?
Only Options I see are “Salesforce platform” , “Force.com-Free” …. These Licenses do not let me choosed Custom profiles I created.
Need advise please !
You are limited to only two user license in dev org as its a free account. Note that two includes your admin profile too. So ideally you can create only one more user. Either you would have already used the license and that’s why you don’t see anymore. Try to disable the active user and then create a new user and add content. That’s how we do workaround. Hope it helps.
Agree that’s a limitation.
But curious to know what’s the workable alternative to set up a test org with a few users, profiles, roles for trying a lot of scenarios / quizzes hands on
A developer org from your company is the best bet- but that’s not available to everyone
Hi Jon
I have purchased the licence .No one has replied to my queries. I hope I should get the answer to my queries as paid customer
Regards
I do try to answer all questions although it can take some time…
Hi Jon
Couple of question
1) If on profile level for the opportunity I have “Modify All Data” and on OWD it is Public Read only Only. Would I be able to edit the opportunity records I do not own ?
2) I have enabled the role hierarchy .On Sales Rep Profile for opportunity CRED is enabled and I want that Sales Manager should only view(not edit and delete) the opportunity of the subordinate. How can I achieve this.?
1. Yes
2. Not possible through standard security if they also need to edit their own opps. You can add a validation rule instead though.
Good
Hi John, Great website!
Under the first paragraph of this page, “What is a Profile?”, what are the two columns describing? For example, in the second row: is it showing that configuring the Object-Level Permissions is a way to control permissions to the Tabs in the User Interface?
Yes – this is just describing the different components that the profile influences, split up by type (UI, security).
On the salesforce video:”Who Sees What: Object Access”, they assign a custom profile to Karen Adams. They then assign it to all members on the inside sales team. I did not see how they assigned it to all the members of that sales team?
They assign the profile @ 5:22 in the video by editing the user and changing the profile from the drop down
Its mentioned as “Object-level and user permissions cannot be changed on standard profiles”. Does it mean we cannot apply sharing or field level security and override default security in standard profile? So in real life, ideally the admin will always clone standard profile and create new one instead of directly using the standard profile?
“Sharing” (meaning record sharing) is typically applied via the role not profile, minor point of clarification. But yes, the admin can only modify a small portion of the standard profile permissions (e.g. field level security and/or object level security), so it is customary to create custom profiles.
Just when I thought I was pretty good at security settings, I find out how limited my knowledge is. I can definitely eliminate some of my org’s profiles and create more permission sets to apply.
They can be pretty powerful but at the same time are harder to track than profiles – it definitely requires a balance!
Hi John,
For the statement: “If users are assigned a standard profile and you later need to change their permissions (e.g. add read access to a custom object)…” can’t we use permission sets to assign more permissions instead of having to create a custom profile and migrate all the users? Which of these two methods is more preferable?
I still like the recommendation of assigning users to custom profiles. While permission sets can add permissions, I don’t think they can remove them. And permission sets need to be applied individually to each user. Custom profiles allow you to add (or remove) a permission globally. More efficient, imho.
It is a best practice to use custom profiles because you cannot modify most of the standard profiles. Yes you could use permission sets for everything, but you would end up with a lot of overhead managing all of the permissions on a per user basis. Generally I agree with Alex- start off while a profiles that meet the majority of the users needs. Then add permission sets to handle the ad-hoc or less frequent scenarios.
Hi John,
Can a single user with one email id and different usernames be assigned to multiple profiles?
Thanks in advance,
Swetha
One user record can only be assigned to one profile. It is possible to create more than one user with the same email address – however, the username (which is typically the user’s email address) must be unique across all orgs.
To add to this, users only need one profile, while they may need multiple permission sets to gain additional access.
“User permissions” leads to a sfdc help page with no content. This is on iPad.
Thanks!
Hrm. Just tried on PC with no issues. Might be a mobile issue? Will have to investigate.
All sales force help pages do not display on iPads.
They do display on iPad if you use Safari. They don’t display on iPad in Chrome