ADM-201 Security and Data Access
Security and Data Access
Detailed list of ADM-201 knowledge points
Security and Data Access Detailed Explanation
Salesforce's security model is designed to ensure data protection while enabling appropriate access for users to perform their work. Understanding and managing security settings is one of the most important responsibilities of a Salesforce administrator.
4.1 Security Model
The security model in Salesforce operates at three levels: object, field, and record. These levels work together to provide comprehensive control over who can access what data.
Object-Level Security
What It Does
- Object-level security determines whether a user can create, read, edit, or delete records for a particular object (e.g., Accounts, Opportunities).
How It Works
- Configured through Profiles and Permission Sets.
- Profiles: Provide baseline access to objects for a group of users.
- Permission Sets: Grant additional object access without changing the user's profile.
Example Use Case
- Sales Reps: Can create, read, and edit Leads but cannot delete them.
- Managers: Have full CRUD (Create, Read, Update, Delete) access to Leads.
Field-Level Security
What It Does
- Controls visibility of specific fields within an object, even if the user has access to the object itself.
- For example, users can view a Contact but may be restricted from seeing the "Salary" field.
How It Works
- Configured via Profiles or Field Accessibility Settings.
- Admins can make fields:
- Visible: Field appears in the user interface.
- Read-Only: Users can see the field but cannot edit it.
- Hidden: Field is completely invisible.
Example Use Case
- Sales Reps: Can see basic contact details but not "Social Security Number."
- HR Team: Can access sensitive fields like "Salary."
Record-Level Security
What It Does
- Controls access to individual records within an object. Even if users have access to the object, they may only see or edit specific records based on record-level security settings.
Key Mechanisms
Org-Wide Defaults (OWD):
- What It Is: Sets the baseline level of record access for the organization.
- Access Levels:
- Public Read/Write: All users can view and edit all records.
- Public Read-Only: All users can view but not edit records.
- Private: Users can only see their own records unless shared.
- Use Case:
- For Opportunities, OWD might be set to "Private" so that sales reps can only see their own deals.
Role Hierarchy:
- What It Is: Automatically grants record access to users higher in the hierarchy.
- Use Case:
- A Sales Manager can view records owned by their Sales Reps without additional sharing.
Sharing Rules:
- What It Is: Grant record access based on conditions.
- Types:
- Owner-Based Sharing Rules: Share records owned by specific roles or groups.
- Criteria-Based Sharing Rules: Share records that meet specific criteria.
- Use Case:
- Share all Opportunities where the "Region" is "Europe" with the European Sales Team.
Manual Sharing:
- What It Is: Users can manually share individual records with others.
- Use Case:
- A sales rep shares a critical Opportunity with another rep for collaboration.
4.2 Login Access Control
Login access controls ensure that users can only access Salesforce under secure conditions. These settings add an extra layer of protection for sensitive data.
Login IP Restrictions
What It Does
- Restricts logins to specific IP ranges, such as a company’s internal network or VPN.
- Users outside the defined IP range cannot log in.
How It Works
- Configured at the Profile Level:
- Navigate to Setup > Profiles.
- Select the profile you want to restrict.
- Define the Start IP and End IP for the allowed range.
Example Use Case
- Only allow logins from the company’s office network:
- Start IP:
192.168.1.0 - End IP:
192.168.1.255
- Start IP:
Login Time Restrictions
What It Does
- Limits the time periods during which users can log in.
- Useful for preventing unauthorized access outside of working hours.
How It Works
- Configured at the Profile Level:
- Navigate to Setup > Profiles.
- Select the profile you want to restrict.
- Define the allowed login hours for each day of the week.
Example Use Case
- Call center agents can log in only during working hours (9:00 AM to 6:00 PM, Monday to Friday).
Step-by-Step Summary
1. Set Up Object-Level Security
- Use Profiles and Permission Sets to control access to entire objects (e.g., Accounts, Contacts).
2. Define Field-Level Security
- Restrict access to sensitive fields using Field Accessibility Settings.
3. Configure Record-Level Security
- Use Org-Wide Defaults (OWD) to set baseline record access.
- Apply Role Hierarchy for automatic access to higher roles.
- Use Sharing Rules for conditional access.
- Allow Manual Sharing for case-by-case scenarios.
4. Implement Login Access Controls
- Restrict logins to specific IP ranges and time frames for added security.
Key Takeaways for Beginners
- Object-Level Security: Focus on profiles and permission sets to grant access to objects.
- Field-Level Security: Protect sensitive data by hiding or restricting fields.
- Record-Level Security: Combine OWD, roles, and sharing rules for granular record control.
- Login Controls: Limit when and where users can access Salesforce to enhance security.
Security and Data Access (Additional Content)
1. Profiles vs. Permission Sets (Managing User Access with Profiles and Permission Sets)
Why is it important?
- Profiles and Permission Sets control user access to objects, fields, and system permissions in Salesforce.
- Profiles define baseline permissions for a group of users, while Permission Sets grant additional permissions to specific individuals without modifying their profile.
Key Differences Between Profiles and Permission Sets
| Feature | Profiles | Permission Sets |
|---|---|---|
| Function | Define basic permissions | Grant additional permissions |
| Scope | Applied to a group of users | Applied to individual users |
| Modification | Users must be assigned a new profile to get new permissions | Users can be granted multiple permission sets dynamically |
| User Limit | One profile per user | Users can have multiple permission sets |
Example Scenario
- A Sales Representative Profile does not allow access to Cases (Customer Support).
- Instead of modifying the entire profile, the admin assigns a Permission Set granting "Read" access to Cases to a single Sales Rep without affecting others.
How to Configure Profiles and Permission Sets
- Navigate to Setup → Search for Profiles or Permission Sets.
- To modify a Profile:
- Select a Profile (e.g., "Sales Rep").
- Adjust object permissions, field-level security, and system settings.
- To create a Permission Set:
- Click New Permission Set.
- Define additional permissions (e.g., "Read Access to Cases").
- Assign the Permission Set to specific users.
2. Muting Permission Sets (Restricting Specific Permissions in Permission Set Groups)
Why is it important?
- Muting Permission Sets allow administrators to disable specific permissions within a Permission Set Group, preventing users from gaining unwanted access.
Use Case
- A company creates a Permission Set Group for Marketing users, which includes access to:
- Campaigns
- Leads
- Reports
- However, some Marketing users should NOT have access to Reports.
- Solution: Use Muting Permission Sets to disable Report access without modifying the entire group.
How to Configure a Muting Permission Set
- Navigate to Setup → Search for Permission Set Groups.
- Select an existing Permission Set Group or create a new one.
- Click Muting Permission Set → Select permissions to disable.
- Assign the Muting Permission Set to affected users.
3. Session Settings (Managing User Login and Session Security)
Why is it important?
- Salesforce Session Settings control how users log in, how long their sessions last, and whether multiple logins are allowed.
- These settings help enhance security, prevent unauthorized access, and enforce Multi-Factor Authentication (MFA).
Key Features in Session Settings
| Setting | Description |
|---|---|
| Session Timeout | Logs out inactive users after a set period (e.g., 30 minutes) |
| Prevent Concurrent Logins | Blocks users from logging in from multiple locations at the same time |
| MFA Requirement | Enforces multi-factor authentication for sensitive data access |
| High Assurance Session | Requires additional verification before accessing critical data |
How to Configure Session Settings
- Navigate to Setup → Search for Session Settings.
- Adjust:
- Session Timeout (e.g., 30 min, 1 hour).
- High Assurance Session Required for Sensitive Data.
- Lockout Policy (e.g., disable multiple logins from different devices).
- Save changes.
Example Scenario
- A finance team handling confidential data is required to log in using MFA and their session automatically expires after 15 minutes of inactivity.
4. Event Monitoring (Tracking User Activities for Security & Compliance)
Why is it important?
- Event Monitoring tracks user login behaviors, data exports, and large-scale record access to detect security threats.
Key Use Cases
| Event | Risk Prevention |
|---|---|
| Multiple Failed Login Attempts | Detects brute-force login attacks |
| Unusual IP Address Logins | Identifies logins from unauthorized locations |
| Large Data Exports | Prevents internal data leaks |
| Mass Record Views | Detects unauthorized access to sensitive information |
How to Enable Event Monitoring
- Navigate to Setup → Search for Event Monitoring.
- View Login Event Logs to track:
- Successful vs. Failed logins.
- IP addresses of login attempts.
- Unusual login times.
- Use Transaction Security Policies to restrict:
- Mass downloads of customer data.
- Unauthorized record exports.
Example Scenario
- An employee logs in from multiple countries within a short time frame.
- The system triggers an alert and requires additional authentication before allowing access.
5. Shield Security (Advanced Data Protection Features)
Why is it important?
- Salesforce Shield provides enhanced security controls, including:
- Field Audit Trail (Stores field change history for up to 10 years).
- Platform Encryption (Encrypts data at rest).
- Event Monitoring (Tracks user activities and potential security threats).
Key Features
| Feature | Function |
|---|---|
| Field Audit Trail | Logs historical changes to fields for compliance tracking |
| Platform Encryption | Encrypts stored data to protect against breaches |
| Event Monitoring | Tracks user logins, downloads, and access attempts |
How to Enable Salesforce Shield
- Navigate to Setup → Search for Shield Security.
- Enable:
- Encryption at Rest (to protect stored data).
- Field Audit Trail (for tracking field history beyond 6 months).
- Configure Transaction Security Policies to monitor suspicious activity.
Example Scenario
- A financial services company encrypts customer financial records to prevent data breaches and enable secure storage.
Final Summary
| Feature | Description | Best Use Cases |
|---|---|---|
| Profiles vs. Permission Sets | Defines base permissions (Profiles) and adds extra permissions (Permission Sets) | Grants temporary or additional access to users without changing their Profile |
| Muting Permission Sets | Restricts specific permissions within a Permission Set Group | Disables Report access for certain Marketing users |
| Session Settings | Controls login security, session timeouts, and MFA enforcement | Enhances user authentication and data protection |
| Event Monitoring | Tracks user activities, data exports, and unauthorized access | Detects security threats and login anomalies |
| Shield Security | Provides advanced encryption and field audit tracking | Protects sensitive financial and healthcare data |
Frequently Asked Questions
What are Organization-Wide Defaults (OWD) in Salesforce?
OWD define the baseline level of record access for all users in the organization.
Organization-Wide Defaults establish the most restrictive record access level before other sharing mechanisms apply. For example, if OWD for Accounts is set to Private, users can only see their own records unless access is extended through role hierarchy, sharing rules, or manual sharing. Salesforce security follows a layered model: start with restrictive OWD settings and then selectively grant access where needed. This principle ensures data protection while maintaining collaboration. The ADM-201 exam frequently tests whether administrators understand that OWD is the foundation of record-level security.
Demand Score: 92
Exam Relevance Score: 95
When should an administrator create a Sharing Rule?
When users need access to records they do not own and are outside the role hierarchy.
Sharing rules automatically extend record access to groups of users based on defined criteria. For example, a rule might share all Accounts in a specific region with a regional sales team. Sharing rules work best when access requirements apply broadly across many records. They should not be used for one-off sharing scenarios, where manual sharing is more appropriate. On the exam, administrators are expected to understand that sharing rules expand access beyond the default OWD settings while still maintaining security controls.
Demand Score: 85
Exam Relevance Score: 92
What is Field-Level Security?
Field-Level Security controls whether users can view or edit specific fields within an object.
Even if a user has access to a record, Salesforce administrators can restrict visibility of individual fields. Field-Level Security allows fields to be hidden, read-only, or editable depending on the user’s profile or permission set. This is commonly used to protect sensitive information such as salary data, personal identifiers, or financial metrics. For example, a sales representative may view account details but not financial risk scores stored in a restricted field. The ADM-201 exam often includes scenarios requiring administrators to determine the correct security level to control field access.
Demand Score: 80
Exam Relevance Score: 90
What is the purpose of the Role Hierarchy in Salesforce security?
The role hierarchy allows users higher in the hierarchy to access records owned by users below them.
Role hierarchy is used to mirror an organization's reporting structure. For example, sales representatives may belong to a lower role while sales managers belong to a higher role. If the hierarchy is enabled for an object, managers automatically gain access to records owned by their subordinates. This helps organizations maintain visibility across teams without manually sharing records. It is important to remember that roles do not grant object permissions; those permissions are still controlled by profiles and permission sets. Instead, roles influence record visibility through hierarchical sharing.
Demand Score: 83
Exam Relevance Score: 92
What is the difference between Field-Level Security and Page Layout settings?
Field-Level Security controls data visibility, while Page Layout controls field placement on the UI.
Field-Level Security determines whether users can see or edit a field anywhere in Salesforce, including reports, APIs, and page layouts. If a field is hidden through field-level security, the user cannot access it at all. Page Layout settings, however, only control how fields appear on a specific page for certain profiles. A field can exist on a page layout but still be invisible if field-level security hides it. For the exam, administrators must understand that Field-Level Security overrides page layout visibility, making it the stronger security control.
Demand Score: 79
Exam Relevance Score: 91
