Salesforce Security Implementation step by step from scratch | Prateek S. | Skillshare

Salesforce Security Implementation step by step from scratch

Prateek S., Cloud Computing and Big Data Consultant

10 Lessons (48m)
    • 1. Introduction (3:35)
    • 2. Creating New User and Active Inactive Freeze (6:11)
    • 3. Enabling Login Access for System Admin (1:47)
    • 4. Profiles - What one can do (10:12)
    • 5. Organization wide Defaults (5:20)
    • 6. Organization wide Defaults Part - 2 (1:53)
    • 7. Roles - What one can see (5:14)
    • 8. OWD and Profiles Hands On (5:23)
    • 9. Roles Hands On (3:20)
    • 10. Permission Sets Hands on (5:21)

About This Class

Don't enroll just for the course, but enroll for what you'll be after taking this course. Everything is explained step by step, hands-on.

Securing access to your applications, data and logic is a key part of application development and system configuration. This security should protect data and logic not only from unauthorized external access, but also from unauthorized internal access, for example by granting data access only to users with the appropriate authorization. Salesforce is built around a robust and flexible security architecture, providing you with a fine degree of control over the users, network, and data. Salesforce uses a multilayered approach to protect that key information, constantly monitoring and improving its application, systems, and processes to meet the growing demands and challenges of security. The Salesforce CRM suite of applications includes a wide variety of security features and configuration settings.

This course is about the platform security framework, which you can use to offer different access permissions to authenticated users within your organization. This security framework lets you grant security permissions to users or profiles, determine access control over a wide range of components (such as tabs or persistent objects), and configure data sharing, which limits access to individual records. Some of this security framework is administrative (only allow these user profiles access to this application), while some is also relevant to your application architecture (ensure that these records are always visible to managers).

Transcripts

1. Introduction: Hello, friends, and welcome to this new course on working with Salesforce security features. Okay, so in this course, we will be implementing OWD (organization-wide defaults), roles, profiles, permission sets, and everything will be hands-on, step by step, live in front of you. You may be a Salesforce administrator or developer, or a Salesforce user, or even you want to know what Salesforce is all about, or you're using another CRM which does not have those security features and you want to understand how Salesforce provides better security, better access levels for users: then this course is for you. Now, we are on the salesforce.com website. If you're not aware of what Salesforce is, it is the number one cloud CRM today. It has received infinite awards. It is the most growing company today. You can go to forbes.com, you can go to any business magazine; you will find an article on this. It has got multiple products now, still growing. They have a new release every 41. They fix their bugs, they implement new ideas which are given by users. They always enhance their products. So it's growing very rapidly, and learning Salesforce is the best career decision you can take today. Now, to work on Salesforce, we will go for a free trial. I can sign up for a free trial from here as well, but this will give me only a 30-day free trial. So what I will do instead: I will go to developer.salesforce.com and I will sign up from here. Like any theory which has got different environments, a developer environment and a production environment. So, like we have sandboxes and production, it's a common term for most applications, where we develop in the development environment. We migrate that to sandbox, test it there.
Then we migrate that to production. Similarly, Salesforce, to increase its developer community and to enhance learning, gives lifetime free access to a developer environment. Now, when you purchase a license for Salesforce, it is a subscription-based or user-based license. Okay, so if you have 10 users, your license cost will be less. If you have 50 users, your license cost will be higher. So their pricing model is user-based. Okay, even if you go to the Salesforce website, let's say I go to Sales Cloud here. Even you can come from the area so you can watch. You have got a report here. You can see here, US dollars 65 per user per month, billed annually; all the licensing fees are per user. Okay, so here what we will do: we will go to developer.salesforce.com and sign up from here. It is a lifetime free account. The form is very easy. Signing up is very easy; the only thing is that the username which you will use to log in to Salesforce should be in the format of an email ID. It could be even ABC at the rate expressly dot com. The only thing is the format, so the format will be in the form of an email. So quickly go to developer.salesforce.com, sign up for an account here, log in, and we will meet in the next video inside our Salesforce org. Everything will be hands-on, step by step, explained live in front of you. Thanks a lot for taking the course. Meeting in the next video. Take care. Bye bye. All the best.

2. Creating New User and Active Inactive Freeze: Now, we have logged in to my Salesforce account. So I already had a free Salesforce account; I have logged in to that. Now, when you log in you come to this screen, and on the left side, this is the area where you perform all your tasks, be it coding, customization or other day-to-day admin functionality.
Okay, now, the best part here is, if you don't know the navigation, here is the search box, where you can search for the item you are looking for. Now, since we are working on the security model, we need to have at least two users, so we can start logging in from different accounts after changing their roles and profiles, and we can see what effect it makes on their account. Okay, so to create the new user I need to go to Users; under Manage Users, I can see Users here, so I'll click on Users. Now, for an admin, creating a new user is a day-to-day task. Just remember, in Salesforce you cannot delete the user. You can just deactivate it. For example, if I go to this account here, this is the checkbox, which is Active. So if I deactivate it, then the user does not count against your license fees. Okay, and you will not see a Delete button anywhere on the user. Okay, and then Reset Password. Being a Salesforce admin, people might forget their password, so they might send you a request for resetting their password. Reset the password from there. A lot of times, what happens is a user needs to be deactivated. Maybe he has left the organization and he's no more authorized to access your Salesforce org, so you need to deactivate him. But what happens is that user might be being referenced somewhere in your org, maybe in a custom hierarchy field or a lookup. This user is being referenced there, so it will not allow you to deactivate him. So for the time being, while you're working on removing the user linking from a field and all, you can freeze the user account. So freezing is something which you do temporarily. Once you freeze the account, then you can deactivate the user: you can remove the linking of the user from wherever there is any, and when you try to deactivate, once you have removed that linking, then you can deactivate. Okay, so this Freeze button.
Just for that: the user has left the organization, but you're not able to deactivate him because he's being used somewhere. So you can freeze him for the time being. Now, what we will do: we will go here and create a new user. Okay, so you need to specify the last name, first name. The alias it will take automatically. Email: it will pick the format automatically. Let's say I name it. Uh huh. No, but got artist Court is taken automatically. I need to give him an email. So I will give the email here. I think I have an email: my friend is sitting right next to me, so he allowed me to use his email ID. I will just use his email ID. He's also learning Salesforce with me here. Okay. So the nickname and the username, it'll autofill. If you want, you can change the email ID. It should be active. User license: we will select Salesforce. Profile: see, for the first user, when you create your account with the first user, when you go to developer.salesforce.com, it will automatically assign the profile as System Administrator. Okay, so here you can again select the profile as System Administrator. Here, see the role: even though it is there, it is not mandatory to select it while creating a user. And anyway we have not set up the role hierarchy as of now, so we will not fill it. Okay, you can leave it blank. And there is the checkbox noted Marketing User here; it was in front of me, so I thought I should tell you about this as well. A lot of times, what happens is, when you go to Campaigns, you don't see this New button here. That means you are not allowed to create a campaign. That's because Marketing User is not checked. If you face any such problem, just remember that Marketing User needs to be checked for any user to be able to create a campaign. And there are the other fields here; you can fill in the street, city and all, but for training purposes we will leave it blank.
So I'll click on Save. My friend will receive an email on his email ID with a link to log in and set his password. So it says that the username already exists. So what I will do: I can change the username like this. I will keep it. Let's see. Okay, so it has taken the username, and an email will be sent to my friend here, so he will log in whenever required. So in this way, first we created an account in Salesforce, and then we come here, we search for Users, and here we create a new user. And I told you selecting a role is not mandatory. By default the first user is System Administrator always; other users could be given these profiles, or we will also give custom profiles in the future videos. We will have a custom profile created: we'll create a profile and we will assign that profile and we'll see what changes it makes to the user's access level, the functionality, the power that user has, the CRUD permissions, we call them: create, read, update, delete. Okay, so meeting in the next video. Till then, take care.

3. Enabling Login Access for System Admin: Now, the first thing we will do: we will assign the login access to the system admin for the new user I have created. I will just explain to you what I'm trying to say here. See, of all the users, this Scott Robert we created yesterday. So now I'm in Mozilla Firefox, and with this username I have logged in to Chrome. So what I will do: I will quickly go to My Settings here, under the name, Personal, and then we have Grant Account Login Access. So your company's administrator, or even if you installed a third-party app, sometimes if there's an issue in the app, for them to troubleshoot you might need to give them access to your Salesforce org; you can do that from here without sharing a password. So I will give it for one year here. Click on Save. Now, I'll go back to my user list. I will refresh it once. So what?
It will help me in that I will be able to log in from here itself, you see. So it will make it easier for me to switch between accounts. Click on Login. Now I'm logged in as Robert Scott. Then again, I log out; I am back to my system admin. Okay, so this helps in this manner, and it's a great feature. A lot of times in your organization you need to grant login access to the system admin, so that if you're not there, or if you want to make some changes to your account or you want to get some work done on your side in their absence, or in any case it could be, the system admin, without knowing your password, can log in from here and work as you. Okay, so this was about this. In the next video we will start working on the security scenarios.

4. Profiles - What one can do: So in this video we'll start working with profiles first. Okay, so you can work with roles or profiles; they are both separate topics altogether. So we'll start with profiles. Again, search for Profiles here; under Manage Users we have Profiles. I love this feature of searching anything: if you don't know the navigation, you can simply type it here. Now, what a profile is: while the page is loading, let's talk about profiles. A profile is a collection of permissions and settings that are instrumental in determining a user's functional access, like app permissions, tab permissions, object-level permissions, and also how the information is displayed to the user, like page layouts. We have page layout assignment in profiles. We have record types, field-level security. If you discuss with people, people with family say a word called CRUD: create, read, update, delete. These are the primary permissions which are there in the profile. Now, first of all, when we get a new account in Salesforce, we get a lot of standard profiles. Okay, so here you see Custom.
Only these three profiles are custom; the rest of them are standard profiles, and you can create your own custom profiles as well. Okay, from here, either you can create a new profile, or you can clone a profile as well. Let's say we go to a profile; we can clone it from here as well. So in case I need to make minor changes to a profile, instead of creating a new profile from scratch, you can simply clone it from here. So there are standard profiles and custom profiles. The difference between standard and custom profiles is, first of all, that standard profiles come by default in Salesforce, and object-level and user permissions cannot be changed on these profiles, and neither can standard profiles be deleted. Now, what I'm trying to explain here: let's say I go to the next page, or I go to System Administrator here, click on Edit. Come down. You see these? The administrative permissions are not editable, these general user permissions, and these standard object permissions. In standard profiles they are there by default. If you want to make any changes to these settings, you need to create a custom profile. Okay, family. What happens is that, these profiles and everything, whenever you implement Salesforce somewhere, when you have your list of users and when you have the chart created of which user will have what access, at that time only you can start working on the profiles, and you can start creating custom profiles. You would have to create custom profiles because every user needs a different set of permissions. Every user has got different responsibilities in the organization, and there are other security issues too. So you need to have different permissions for different users. So custom profiles that almost so that said those computed by boat by you. You can go to New Profile from there, or clone a profile as well. Let's see a custom profile here; see if I have another custom profile.
Okay, click on Edit. At the top are the custom app settings; the apps are here. So whatever apps you give access to by checking here, the user will be able to see only those apps. Okay, then we have tab settings. Again, tabs are these, so if you want to turn on or off any tab, or hide any tab for a user, you can do that from here. Standard tabs are nothing but the tabs for standard objects; custom tabs are for custom objects. Okay, then these are administrative permissions. We will see them later. Okay, then we have standard object permissions. So let's say, Account: this profile can read, create, edit, delete accounts. See, here is a tooltip as well: if you want users with this profile to have view access to all the records of the selected object type, regardless of the sharing settings for the object. So it overrides any custom sharing rules you have defined on the object. Similarly for Modify All. Okay. See, regardless of sharing settings. View All or Modify All gives more power. It overrides the view access; it overrides the complete CRUD access: read, create, edit, delete. Then we have these permissions for custom objects. These are self-explanatory: if I select Read, the user which will have this profile will be able to read the records, view those records. If I select Create, he would be able to create those records. Same goes for Edit and Delete. Standard object permissions, we have custom object permissions, we have custom settings, connected apps. Let me do one thing. Let me go to the standard System Administrator and clone a profile, and create a profile from there. Let's say My Admin. I want to have a My Admin profile here. I'll edit this from here. So apps, tabs, we have administrative permissions, we have the standard object permissions, custom object permissions. So it's the same: whenever we clone any profile, the profile settings are similar. Okay, so then we go down here.
So when we were clicking to edit the profile, there's one thing which we didn't see, and that is field-level security. Okay, so this field-level security: remember, if you have taken my complete Salesforce course where we designed an app step by step, when we create a field, in one of the steps it asks which profiles you want to assign that field to. So that will be done from here, or later it can be changed from here. Let's say I go to this Account object. If I click on View here, and next click on Edit: which fields of Account do I want to be visible or read-only? See, this is Visible and Read-Only. Read-only, visible. So this means the field is visible but not read-only. But if I make it read-only, this field is visible, but the user will not be able to change it while using this. But if I uncheck Visible, the user will not be able to see it at all: even if that field is on the page layout, because of the profile setting the user will not be able to see the field. Simple. Again, Visible: you can see that, and edit that, because it's not read-only. If I make it read-only, you can see it but not edit it. If I uncheck Visible, you cannot see that field. So how can he even edit it when he can't even see it? Click on Back to Profile. So for individual fields, you can have field-level security from here. See, here we have the record types. So whenever we have a business, this is also explained in my complete Salesforce course. Let's say, if I go to Account, we might have multiple types of accounts. So what we do: we create different record types and assign different page layouts to those record types. So when clicking New, it actually asks for the record type, what type of record you want to create. Those record types are here. No, it's not there. Okay, so I don't have a record type here. You can.
You can see that in my complete Salesforce course on Udemy, where we have built a complete app step by step. So the record types, they are nothing but... they define different types of records for the same object. Like, you could be a multi-dimensional industry. You could be doing business with the chemical industry, could be doing business with the paper industry, you could be doing business with a double bed sheet industry. So you have different types of accounts for all these industries. They have different sets of fields because they have different business models, they have different tax and government policies, they have different rules and regulations, there are different payment terms. So you will need different types of accounts for that, so you need to create different record types. Okay, let's go down: standard object permissions, custom object permissions. Then we have login hours here. So if you want, you can define login hours for the user, that from this time to this time only that user should be allowed to log in, daily. These are for security purposes. Generally organizations in finance, departments which have very sensitive data, go this deep in implementation, even login IP ranges. If you don't want the user to log in from outside of your company's IP range, outside of your company premises, you can restrict the IP ranges as well from here. So your IT team will know the IP range of the company; you can specify from this IP to this IP. Only if the user's internet connection is from between these two IP addresses, only then should the user be allowed to log in. If you don't want your users to work from home or from somewhere outside, and you are particular about data security, you can use these features as well. Okay?

5. Organization wide Defaults: The next topic we will study about is roles. But wait a minute. We're making a mistake here.
The mistake is that whenever we implement security in Salesforce, the first thing we start with is organization-wide defaults. Okay, see, we need to understand one thing. A lot of times in your organization, being a system admin, you will face this challenge: you have set the object to Private, but still another user is able to see that record, even though he's not the owner of the record. There could be several reasons for that. The other user may be above that user in the role hierarchy. We have not seen the role hierarchy as of now, but just to understand, the role hierarchy is nothing but the hierarchy in the organization. We have a CEO. We have an assistant to that CEO. We can have managers below that; we can have sales managers below them. Then we can have the VP of sales, rep and all that. The person who is above someone in the role hierarchy will always be able to see the records of someone who is lower than him in the role hierarchy. Or, in that user's profile, the View All and Modify All which I showed you in the tooltip: they override all the sharing settings. Or maybe that user has been given a permission set. First of all, let me take you to the sharing settings where we find OWD. So under Security Controls, we have Sharing Settings, where we see the organization-wide defaults. Now, the Salesforce sharing mechanism is permissive; it's not restrictive. That means, whenever we implement Salesforce security, we start with OWD. We make it the strictest one for the user; then, by making use of profiles, roles and permission sets, we actually open the access. We do not restrict access. So if you have set something in OWD to Public Read/Write/Transfer, then going to the profile and making changes to the Lead object and removing some access will not work, because in OWD it is already Public Read/Write/Transfer.
So it doesn't work like that, that you make it public here and in the profile you try to go and make it less, you want to restrict it there. It will not work like that. Okay, so we start from OWD. And I said it's permissive, not restrictive. OWD is set to the strictest level. It is the base level. Then, by making use of profiles, roles and all those things, you open the access for different people. Okay, so OWD defines the minimum access to a specific record, assuming the user has profile permissions to that object. Okay. And there is another thing as well: higher levels of OWD also increase system performance. Because, let's say, if you have written an Apex class "with sharing", which adheres to the sharing rules, then if the OWD access is Public Read Only, it means the Salesforce query will run much faster. Okay. So the first thing is what I told you, that case scenario where you will face this type of issue, that the object is set to Private and yet the user is still able to see the record. So you need to check those settings as well, whether the user is above in the role hierarchy or not. So family, there are these four types of settings in OWD. When it's Private, only the record owner can see the record. Then we have Public Read Only, meaning everyone can see it, but only read it. See, the record owner and the system admin always override everything, or a profile which has View All, Modify All will also override everything. Then again, Public Read/Write: anyone can access, anyone can edit. Then Public Read/Write/Transfer: transfer means if you want to transfer the ownership of a record. Then, for the objects which have a master-detail relationship, there you can even set Controlled by Parent. So Contact is the child of Account. If Account is set to Private, Contact becomes Controlled by Parent.
Let's see, if I want to make it Public Read/Write: the politically access must be Private when the account access is set to Private, you see. So these things automatically get controlled from Account, because those objects have relationships among them. Okay, even for custom objects: if you have something in master-detail, and that is set to Private, the child object will be automatically Controlled by Parent. Okay. So, basically, with OWD: start with OWD, then use profiles, roles and permission sets to open up the system for the user. It's not the other way around, where you start by creating the profile first, you give the most restrictive access there, and then you open that access with OWD. That will not work. It's of no use, actually. You can do that, but it's of no use. Okay. So in the next video, we'll talk about roles.

6. Organization wide Defaults Part - 2: Actually, I was not satisfied with my explanation in my previous videos. So I was searching for something I could show you graphically, a pictorial representation where I can explain what I was trying to say when I was saying that the Salesforce sharing rules or security settings are permissive, not restrictive. You see it? How do we define the OWD for an object? First of all, who is the most restricted user of the object? We have to identify that user. Now, will there be any single instance where a user will not be able to see that object? If yes, we would straight away make the sharing model Private. Even if there are 1000 scenarios, out of which in 999 scenarios we want the user to have access to that object, but there is even a single scenario where the user should not have access, we will make the sharing model Private. And then, for the remaining scenarios, we have permission sets, we have sharing rules. Similarly, we go one step forward: will there be a single instance when that user will not be allowed to edit that record?
So if yes, we will make it Public Read Only, even for a single instance. Then, for the remaining instances, as I already told you, we have permission sets, sharing rules and other settings there. And if no, then we will simply make it Public Read/Write. Okay. So this is what I was trying to explain: that we start from OWD. So even for a single rule, even for a single scenario, we will make it Private; then, for the other scenarios, we will open the access to that record by making use of other features: roles, profiles, permission sets, sharing rules and all.

7. Roles - What one can see: So in the next video now we will study about roles. Here again, we will go to this search tab. We have Roles; Set Up Roles. Now, so this is the hierarchy which we need to define. If we want to add a role below the CEO, we can add a role here. Or if you want to assign any user to this role, we can assign the user from here. Or if we want to add a role parallel to the CEO, we can add something here. Let me open this first. So these are here. If I add a role here... the CEO is reporting to undefined there, you see. So if I add a role here, it will be parallel to the CEO. If I add a role here, it will be below the CEO. If I add a role here, it will be below the CFO. This is how the role hierarchy has been built. I can edit a role. So this role reports to the CEO. If you want to put in the reporting manager of this person, you can change it from here. Then, how roles also help is that in OWD, if the sharing setting is set to Private, even then, if the user is above another user in the role hierarchy, he will be able to view the records of that user. But in the case of custom objects, you see, we have a checkbox here: Grant Access Using Hierarchies. If I click on Edit, we can disable this setting for the custom object. So let's say I have an object, Grandchild, here. If I disable this access from here, and this object is set to Private.
So someone above in the role hierarchy, above that user, will not be able to access Grandchild records, even though that person is above in the role hierarchy, because this Grant Access Using Hierarchies has been disabled and the object is set to Private. Okay, so roles and OWD's Grant Access Using Hierarchies work in parallel. That is actually for custom objects only; for standard objects you cannot edit it. So for standard objects, no matter what the OWD setting is, if someone is above in the role hierarchy, he will be able to view the records of the user who is below him in the role hierarchy. You need to ensure that, if you don't want that user to see the record of another object, then you should ensure that that user is either below that role or in parallel to it. Okay, even the people who are parallel to each other cannot view each other's records, because we can have multiple branches. See, we can add a role here. We can create one more branch here, for another department. We can start adding roles here. We can create one more branch. Let me show you. Here, let's say I name it CEO 2, for another business. So okay, you can assign users to the role here. Again, go back to Roles. So now, see, CEO 2 has been added. This CEO is also reporting to undefined; this CEO 2 is also reporting to undefined. These are both in parallel now. The chart we have here, we can have a similar chart below this CEO 2 as well; we can start adding roles below him. Okay, so I can add a role here that would report to CEO 2. So similarly, the CFO: if I click on Edit here, you see, the CFO reports to the CEO. So I can add another CFO who will report to CEO 2. I'll show you here: CFO 2. This role reports to CEO 2. So let's go back to Roles again. Let me refresh this once. So we have a CFO 2 who is reporting to CEO. So we have a CFO reporting to the CEO.
Similarly, we can add one more role here. We can have one more branch, one more hierarchy here. Okay. And when we create a user, we assign a role to that user there and then, or we can assign users from here by clicking on Assign. We can delete any role from here as well. The role's primary function is actually for viewing of records: who sees what. Roles are for records; profiles are for what a user can do, roles for what a user can see. So someone above in the role hierarchy will be able to see the records of someone who is below him in the role hierarchy, in case the object is not set to Private, or the object is set to Private and the Grant Access Using Hierarchies checkbox is checked.

8. OWD and Profiles Hands On: So let's do some hands-on in this video. And I will explain why I was saying that we should always start from OWD and, using profiles and roles, actually open up the access: because it will become too confusing if you work with both in parallel. You can make OWD Private and then give access in the profile; then OWD will work. You can make OWD Public and then remove access from the profile; then the profile will work. So always the most restrictive setting overrides the other. That's why it can create a conflict. Always, we will start from OWD. Let's see this live instead of talking. So what I will do: I have this user created right now. Both of these have the System Administrator profile. So I will change the profile of this Robert. Remember, I cloned the System Administrator profile and named it My Admin. I will use that profile. Okay, and in Sharing Settings, Account is set to Private. But if I go to the My Admin profile, the My Admin profile has got read, create, edit, delete permission on Account. Okay. Account is set to Private in OWD, but the other user's profile has got read, create, edit, delete. So what I will do: let me go to Accounts and
Try creating a new account. First, let's say I name of testing order, beauty, But this account has been created by critics. Ing No. Let's log in with Robert Scott and let's try accessing this account. I will leave instapage. See, you can't see it because even Door Roberts Court's profile Hard lead, create edit delete, but still Because Or the blue D was said to Private Roberts court cannot see the account. He can create a new account because of his profile, but since account was set to private, he will not be ableto add it and believe or read other people's account for that. But if you want to do that, then what we come in picture dual harder. The cable coming picture on the school Britain oppose it as well means in in ah, in order bloody you make it public. Read only are publicly right on from profile. Remove the access again. There will be same story. Let's see. Let's see that as well. Okay, I would love out from this Roberts court. So I will go to sharing settings and I was changed Account too publicly. Right? Okay. So it will give you a message on default. Update has been initiated. Now it is. It is still private. The it that salesforce is still working on the progress. Still private has to go through complete organ mixing is everywhere where the count of being used, all the records, all the court. So it takes a while So it goes into a que basically, because we are not the only user of failed Fourth, there are millions of users everywhere throughout the world. So let's give it some time. Let's go toe my arm in profile Here accounted We have changes to public read write It is not yet taken effect but still Now what I will do I will remove access from account Okay off my ironman. Even though there is public read right, But profile does not have access. Ah, let's see for work still looking Let's allow it Sometime account has now been publicly right. 
So let's log in as the other user now, and let's see if we can access that record which was created by Prateek. See, again the same error, even though the OWD was Public Read/Write, because from the profile we removed the Read, Create, Edit, Delete access. Now let's go to Accounts. Now the user cannot even create his own account, because the profile does not have Read, Create, Edit, Delete permission anymore. Earlier he was at least able to create his own account, because in that case the profile had permission, but he was not able to view others' accounts because the OWD was Private. But now the OWD is Public Read/Write, but the profile does not have permissions, so he cannot create even his own account. Okay, I hope this is clear to you. In the next video, we'll see how roles come into the picture when the OWD is Private.

9. Roles Hands On: So let's move forward. In this video, we'll see how roles will affect the settings that we were trying to see in the previous video. So again I will go to Sharing Settings. I will make Account Private. It is Private right now. Okay, so let's go to Users, and let's go to Roles as well. Now let's give them roles. First of all, we will give them the same role, both of them. Edit, and Edit. This is the role hierarchy. Let me add a role here. Let's say I name it VP. We don't need to check all this because we are working on Account. So a VP role has been created, which reports to CEO.

So first of all, I will give them both the CEO role. And let's go to the My Admin profile. Account is Private, but what I will do is give Read, Create, Edit, Delete permission on the profile for Account. So Account has Read, Create, Edit, Delete. This is that account, Testing OWD, of which the owner is Prateek here. So I'll just copy the URL from here, and now I will log in as Robert Scott. Let's try and see the account. See, the account is not visible. I will log out from here.
Now what we will do: we will change the role of Prateek to VP. That means we will make Robert higher in the role hierarchy. So VP reports to CEO. Let's log in now. So now Robert is CEO and Prateek is VP; Robert is above in the role hierarchy. See, now Robert can see that, because he is CEO. And because he has got Create, Edit, Delete on Account, he will be able to change that as well, you see. So as soon as someone goes higher in the role hierarchy, he will be able to see the records of everyone who is below him in the role hierarchy, even if the sharing setting is set to Private. Okay, so what was happening earlier was: even though the profile had Read, Create, Edit, Delete, the user was not able to see the record, so how would he edit or delete it, because Account was set to Private. Now Robert Scott, being in a role above in the role hierarchy, can see the record.

I expect you are able to understand what I'm trying to explain here. So the role hierarchy works this way. Just remember: role is for record. R for role, R for record. Role means what anyone can see. Profile is for what anyone can do: Create, Read, Update, Delete, the CRUD permissions. Okay, so this was about roles. In the next video, we'll talk about permission sets.

10. Permission Sets Hands on: Now let's talk about permission sets. Permission sets are basically used to enhance any profile's permissions. What I mean to say: what was happening earlier was that, let's say, 10 users have got the same profile, and suddenly there is a requirement that two out of those 10 users need a permission which is not required by the other eight users. So what you will do: you will go ahead and create a new profile and assign that profile to those two users with that one single changed permission. Right now we're talking about 10 users, but think of a scenario where there are hundreds of users. A lot of companies have hundreds of Salesforce users, and on a daily basis people's profiles change, their roles change. They're given new responsibilities. Their responsibilities change, decrease or increase. So every time, you need to go ahead and make changes to their profiles. But you cannot make changes to a profile which is being used by 10 different users, because that will impact all the users. So for every change, you will need to go ahead and create a new profile.

Now, slowly and steadily, what will happen is that you will have hundreds and hundreds of profiles in your Salesforce, which will hamper and overburden your system admin, who has to manage so many profiles. Not only managing: every time we migrate, we need to migrate the profile settings as well. There are a lot of other issues which can come into the picture with lots and lots of profiles. A small conflict can take hours to solve. So what happened then? Permission sets came into the picture.

So let's see this. Prateek and Robert Scott: they have the same profile, let's say. Okay, now, let's go to the System Admin profile. Let's look at it. Let's say I don't want to give them... well, let me give both the custom profile, because a custom profile will give us more opportunity to make changes, and the standard System Admin profile hardly allows us to change anything. Okay, so they have got the My Admin profile. Now let's say that the My Admin profile is being used by 10 different users. Let me edit it. No one can delete the Child object. Okay, I'll save it. But tomorrow what happens is, let's say there is a change in the requirement, and Robert Scott should be allowed to delete the Child object. Only Robert Scott should be allowed to delete the Child object. If I change this profile here, it will impact all the users having this profile; they will all be able to delete the Child object. So instead, we will go ahead and create a permission set. Okay, here we are.
We're going to create a permission set. Now, let's say we name it Delete Child. The API name it will take automatically. If you want this permission set to be available to only a set of users who have a particular license, you can do that here; otherwise leave it blank. So, only people with a certain license: if you go to Users, there is Salesforce, the license, you see. So if you want this to be available only for certain users, you can do that. Then what I will do: I will go to Object Settings, and we were working with Child. Okay, let's edit it. Let me select Delete. Now this profile has been assigned. So I can go to Manage Assignments and add an assignment: Robert Scott. Assign. Okay, so this permission set has been assigned to Robert Scott. So even though his profile does not allow him to delete this, because this permission set has been assigned, he will be able to delete that Child record now.

So whenever there is a small change in any setting or any requirement, and you don't want to go ahead and create a new profile for small changes on a daily basis, what you can do is create these permission sets and assign them to a particular profile. And always use permission sets just to open up access. Okay, earlier that profile did not have read access; now the permission set gave that user delete access as well. Okay, so as simple as that. All the profile settings are here in permission sets, but a permission set is only required when you want to make a change to a profile, but that profile will impact multiple users and you want to change it only for a couple of users. So you can create a permission set and assign that permission set to those guys. Okay,