At the heart of all Salesforce implementations are the Salesforce licenses, purchased and paid for on a monthly per-user basis. There are many different types of Salesforce license. For example, there are licenses for external self-service users, internal full CRM users, Salesforce Chatter-only users and so on. Each license provides access to its own specific set of Salesforce features and functions. The primary route for users to access the features of a Salesforce license is through a profile. Users are not directly allocated a Salesforce user license; rather, the license is assigned via a profile.
Salesforce comes with a series of pre-defined profiles that can be reviewed to understand the key features made available. Some examples of the user profiles include:
- System Administrator: this profile allows the user to set up, customise and configure Salesforce. In particular, this profile includes the “View All Data” permission, which overrides whatever data sharing rules are in place for an organisation, and the “Modify All Data” permission, which allows the user to edit and delete any record. Use with caution!
- Marketing User: provides the user with access to the marketing features of the Salesforce CRM, including campaigns, email set-up and sales leads.
- Standard User: provides access to the typical Salesforce CRM aspects and reporting.
Although these standard “out-the-box” profiles can be assigned to users, this is not best practice as they are locked-down in areas and subject to update when Salesforce release new versions. It is better to define a small set of profiles specific to an organisation’s needs. They are created by using one of the standard profiles as a template and adjusting to suit.
Profiles are created based on the different types of users in an organisation. Each profile is related to a specific Salesforce license. The required features of that license are assigned to the profile. Each user is assigned a single profile that best matches their needs in terms of features and functionality required. Fine tuning is achieved via permission sets, where additional Salesforce license features can be made available on a per-user basis.
The purpose of permission sets is to provide more flexibility in the assignment of Salesforce features and functions to users. Where a group of users may all use the same profile e.g. sales users, there may be some sales people who also require aspects of the customer services profile. As each user can only have a single profile assigned this is where permission sets can be used. A permission set can be created that provides access to specific customer services features and assigned to sales users in addition to their sales profile.
Profiles essentially provide access to the features and functionality available on the Salesforce license purchased. These, in general, split into three main categories as shown below. A note of caution: each Salesforce license carries a different set of features and should be reviewed in detail.
App Settings – the profile defines which Salesforce Apps are visible to the user. Apps being a collection of related Salesforce screens / objects. Sales is an example of an App including Accounts, Contacts, and Opportunities. Another example being Call Centre which includes Accounts, Contacts and Cases. An item contained in an App is called a Tab and can be shared across multiple Apps.
Tab Settings – Tabs allow you to name the Salesforce objects and fields in a form that will be familiar to your users. For example, the standard Accounts object that includes the Account Name field can be renamed as Business and Business Name in its Tab. But in the profile a decision is made on whether the actual object/tab is available to the user. The options are: Hidden and not available to the user; Visible to the user automatically; or available but not shown unless the user specifically makes it visible. Tab settings are set for each object.
Record Types – Record types are set-up for objects and enable different sets of picklists and page layouts to be defined for that object. This allows different users to use the same object but in different ways. The profile defines which of the available record types can be used by the user. If multiple record types are set-up on the profile then when a user creates a new record they are asked which of the record types to use.
Page Layouts – Multiple page layouts can be defined for an object and the profile defines which page layout to present to the user. If record types are being used the default page layout assigned to the record type can be changed.
User Login Hours – By default users can login at any time. The profile allows restrictions to be placed such as login only during 8am-6pm Monday to Friday.
Allowed Login IP Ranges – By default users can login from any IP address. IP addresses are typically assigned by your service provider and for security reasons Salesforce can be set to only accept logins from known and trusted service providers. The profile allows for a range of acceptable (white list) IP addresses to be defined from which a user may login.
Session Timeout Settings – The profile can define how long a Salesforce session can be inactive before the user is automatically logged out. If required, login via Two-Factor Authentication can be set. This requires the Salesforce Authenticator App to be installed on the user's mobile, which validates Salesforce login requests.
User Password Policies – A number of policies can be defined for the management of the user's password, including days until expiry, password complexity and length, and number of login attempts allowed.
User permissions – The profile defines the degree to which the user may manage the set-up and administration of Salesforce users. This includes the ability to define password policies, reset passwords, create and assign profiles and manage user accounts. Care should be taken in assigning these permissions to users.
System permissions – There are many system permission settings which define what a user can do in Salesforce. Essentially, these permissions define what the user can create, view and modify, from reports and dashboards to customising the system. A future article will cover these in more detail. Be careful in assignment here and review what each of these provides.
App permissions – Each of the standard Salesforce Apps such as Sales and Call Centre has a set of permissions that may be assigned to the user. For example, for Sales this includes Import Sales Leads and View All Sales Forecasts.
Object Permissions – The profile defines at a per object level whether the user has Read, Create, Edit, or Delete access. In addition, there are View All and Modify All options that override the data sharing rules for that object.
Field permissions – For each field in an object the profile can define whether the user has Read access. If not set, the field is not visible to the user; if set, the field is visible but read only. If Edit access for the field is assigned, the user may change the field contents.
Profiles do not define the specific data records a user can view. This is defined through record ownership and the data sharing rules. But the profile can completely override the data sharing rules defined, through the “View All Data” and “Modify All Data” permissions and the per-object View All and Modify All options. Care should be taken here if data security and protection of confidential information is important.
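One way to check a profile for the sharing-rule overrides and missing login IP restriction described above, as an added example that is not part of the original article. It assumes the profile has been retrieved as Metadata API XML; the sample profile is constructed and `audit_profile` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
ORG_WIDE_OVERRIDES = {"ViewAllData", "ModifyAllData"}

# Constructed sample in the Metadata API Profile format (not a real org's profile).
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <userPermissions><enabled>true</enabled><name>ViewAllData</name></userPermissions>
    <userPermissions><enabled>false</enabled><name>ModifyAllData</name></userPermissions>
    <objectPermissions>
        <allowRead>true</allowRead><allowEdit>true</allowEdit>
        <modifyAllRecords>true</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Account</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
</Profile>"""

def _is_true(elem, tag):
    """Read a boolean child element; a missing element counts as false."""
    text = elem.findtext(f"sf:{tag}", default="false", namespaces=NS)
    return text.strip().lower() == "true"

def audit_profile(xml_text):
    """Return findings for settings that bypass sharing rules or leave login open."""
    root = ET.fromstring(xml_text)
    findings = []
    # Org-wide overrides: View All Data / Modify All Data user permissions.
    for perm in root.findall("sf:userPermissions", NS):
        name = perm.findtext("sf:name", default="", namespaces=NS)
        if name in ORG_WIDE_OVERRIDES and _is_true(perm, "enabled"):
            findings.append(f"org-wide override: {name}")
    # Per-object overrides: View All / Modify All on a single object.
    for obj in root.findall("sf:objectPermissions", NS):
        name = obj.findtext("sf:object", default="?", namespaces=NS)
        for tag, label in (("viewAllRecords", "View All"), ("modifyAllRecords", "Modify All")):
            if _is_true(obj, tag):
                findings.append(f"{name}: {label} bypasses sharing rules")
    # No loginIpRanges element means logins are accepted from any IP address.
    if root.find("sf:loginIpRanges", NS) is None:
        findings.append("no login IP range restriction")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```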
This was a quick run through the core concepts of Profiles. I will provide more details on best practice, deep-dives into the Profile settings and which Salesforce Apps are useful for working with Profiles. Related areas that you might wish to review include:
- Company Profile set-up
- User set-up
- Sharing Rules
- Salesforce License Types
- Organisation-wide defaults