概览
Org Access
控制措施:IP Range (Security Control -> Network -> Trusted IP Range),Login Hour
IP Range
IP Range (Company Level): users outside the range are sent an activation code
IP Range (Profile Level): users outside the range are denied access
Login Hour
Login hour is set at profile level. Specific hours are enforced.
Org-wide Defaults
Org-wide defaults (Security controls->Sharing Settings) determine what access and permissions user have to records they don't own.
Available org-wide default levels:
1. Public Read/Write/Transfer
2. Public Read/Write
3. Public Read Only
4. Private
Org wide defaults 只能赋予用户比其所属profile赋予的接入权限更小的自己。如果profile 中object permission不允许用户access某个特定的object,那么无论org wide default里面的设定如何,该用户都无法访问该制定对象。
Object Access
控制措施:Profile (Manage Users -> Profiles and then Manager Users->Users to assign profile to a specific user)
Profile
Besides object access and permission (create, read, edit, delete), profile also defines which tabs are visible and which apps are available.
Standard profiles
Standard profiles cannot be modified.
Standard Users: Create, Read, Edit and Delete on records they can access
Solution Manager: Standard Users + manage published solutions
Marketing Users: Standard Users + import leads
Contract Manager: Standard Users + manage contracts
Read Only: Only view records they can access
System Administrator: View all data, modify all data
Record Access
控制措施:Role Hierarchy (Manage Users -> Roles), Sharing Rules (Security Control -> Sharing Settings -> Sharing session)
Role Hierarchy不能赋予用户超过profile和OWD所定义的权限。Role Hierachy所赋予的用户权限只能是profile和OWD所定义的权限的子集。
Role Hierarchy 解决了组织内部垂直方向上的数据共享,Sharing rules则用来解决组织内部的任意方向数据共享场景。
Sharing rules可以基于数据的拥有者也可以基于符合某种特定条件的数据集合
Permission Settings
给一个用户组里某些特定用户额外的权限
一个用户有一个对应的profile加上0到多个permission settings。
Manager Users->Permission Settings->创建新的permission setting,permission setting的license类型要和将要赋予这个permission setting的用户所拥有的license一致。
创建好permission setting以后点击manage assignments然后add assignments,然后讲这个permission settings赋予指定的用户。
你也可以从指定user的界面的permission settings去去除permission settings。
Record Types
Record Types可以对以下三个方面进行差别化处理:
1. Business Processes
2. Page Layouts
3. Picklist Values
操作顺序:
1. 创建不同的business processes备用
2.确保各种record type所需的custom fields设置完毕
3.创建不同的page layouts备用
4.在指定的object下面创建所需的record types
对每个record type:
4a.指定对应的business process
4b.设置对应的descripiton
4c.确保active这个record type
4d.设置可以访问这种record type的profile
4e.绑定对应的page layout
5.创建所需的picklists
可以把一个picklist的不同的values划分给不同的record type
6.如果一个profile可以访问多种record types,建议在对应的page layout上都添加record type1以便于区分
⚠️:
1.可以在manager users->profiles里面修改record types assignment
2.在record type 创建之前的同种对象记录需手动分配record type,可以使用data loader来简化这个工作
Field Access
控制措施:Field Security (Security Controls -> Field Accessibility -> A specific object-> A specific field 或者 某个特定的object->fields->set field security)
Field Security Access可以限制用户访问某个特定数据片段,这个设定是基于profile的。
Field Security Access 会覆盖 view all data 和modify all data的用户权限
网友评论