OWD and Profiles with Real time scenarios

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hi everyone my name is Shri cult today we are going to learn or WT profiles in Salesforce we'll go through some real-time scenarios to have a better understanding this is a two-part video in Salesforce security model topic and in the second part we'll be learning about role level hierarchy sharing rules and manual sharing by end of this video you will be able to understand different ways to provide security in Salesforce you will also understand how to set up or WT and profile for any given scenario okay first things first so Salesforce is all about providing security to the data so data in the sense records sales pose differentiates records from two different space one is own records and second one is shared records owned records in the sense they calls created by us let's say I create a record that means I own that record and the second records are shared records a record can be shared by someone let's say I create a record and I can share that record to Michael Lee so that he can work on it I can give him either read access already taxes having this understanding in mind will go for that so we have multiple ways to provide security for WD row level hierarchy sharing rules and manager whatever Co file yes we'll come to that so why do we have all this security settings for so these security settings will provide a rewrite access to the records which we don't want so any record that are clear that is created by else by by default will be having read access or write access but for the records which may don't warn those records will be shared by this owt row level hierarchy sharing most managers Act so all these settings will provide rewrite access to the records wait what all of them are providing the same readwrite access then what is the difference why do we have four here okay the answer is they will provide readwrite access to the records to someone that someone is the difference here or WD will share records with readwrite access to all the people by default now whenever there is a require and where we need to share the records based on management subfloor subordinate roles with readwrite access then we need to choose row level hierarchy whenever there is a need to share records with particular groups roles and subordinates based on a particular condition then we need to go for sharing rows whenever there is a need of sharing a record to a user or to a queue that to manually with read and write access then we will choose manual sharing then what about profile again you kids are so cute without my access your access doesn't work what is exactly mean basically profiles give access to the objects let's say on account we do not have edit access but notably Dee says I will be giving read and write access to this set of accounts but if you log in with that profile and you will not be able to edit it even though order with it says readwrite so this is where whenever user wants that account to be edited by this user then even in profile he needs to give Eddie taxes on that account no worries I will be explaining with this scenario so that you will understand it clearly at this point of time you need to understand all of them has to work in conjunction with profile ok as we have four of these security settings they will be defined in this particular order Salesforce will first check the owt and then role hierarchy sharing rooms and manual sharing as per the Salesforce security design we need to provide lower level access to owt and then we need to increase the access as we go on to roller hierarchy sharing rows and manual sharing ok we'll try to understand what is or WT o ee d stands for great defaults are by default and basically the most restrictive user access which is default for all users we have four different access levels private public read-only public read/write public read/write transfer public read/write transfer applicable for only leads and cases which means all the users will have access to transfer their cases or leads to someone as simple as that before trying to understand the or WD access service we need to understand that owt and profiles on man three security settings whether it is fitting to our scenario or not we need to set the owt values and at the same time we need to have the profile as well whatever units and profiles will work together in the sense just by seeing at the row WTO profile we cannot just define what usually sing it should be the combo of both okay we'll talk about the access levels so the first one is publicly right whenever owd set to public bit rate all the users will have access to all the records which are owned by others example I logged in and I will be able to see and edit all the records owned by others but here is an assumption profile should also give me an edit access on the object only then I will be having access if owt is set to public read-only we will be able to read records owned by others but not edited it is also an assumption that profile will give read access on that object or else it will not work whenever Oda BD is set to private we will not have any axis on the records which are owned by others now we have understood three different access levels how to select one of them as owd first thing we need to find out the user who he needs least access and we need to assign that access level which matches his access level so step one out of these two users we need to find out a user who needs least access on the records so first one says should not see records owned by authors second one says should read or edit others recons in legal object so second person wants all the access and first person doesn't want any access on the records which are owned by others in the sense we found our user he says that he should not see any records owned by others step two says assign access level which matches with his access level so he says he should not be seeing any records owned by others so from our audibility access levels private public read-only and public read/write private is something which is matching with his access level so in this area we need to set private as our order Beauty as simple as that okay quiz time what should be the owd access level here if you see user one needs read-only access on the records owned by others user 2 says she needs read and edit access on the records owned by others so we'll see the answer answer is we need to set public read-only as owt why as per our first step we need to find the user who needs least access in this scenario the first user needs least access and step two says we need to match his access level with our owd access level as he wants to read all the records owned by others it is matching with covers public read-only that is the reason we set our owt as public read-only simple ok another quiz question what should be the audibility access level in this scenario first user says he should read records owned by others but there shouldn't be any write access second set of users these are all set of users who needs read and write access on all the records owned by others the answer is publicly and only again why first step says we need to find out the user who needs lesser access in this scenario the first user needs only read-only access that's the reason we selected our first user and step two says we need to find his access with the one owd access level he says read-only on the records that he doesn't own and our owd has public read-only option to match his access level so that is the reason we have selected public read-only now I will walk through the Salesforce on to see how this or WD walks let's go ok to see how to set up or WD and how it will impact a user will test with one user so this is my C segment access layer I will be setting up the owb now I have another user called sales rep so Y which will be saying how elites object will be affected when we set or W deeper lead to make a clear difference I have my test user enlightening experience and then how my as I said main in classic so that will have clear picture who is doing what so we'll set up our order beauty from C's admin access so to do that we need to go sharing settings this is where we'll have all white defaults so if you see although nationwide defaults is right here so we'll wait we need to set up that lead object access seal itself to do that we'll look on edit as you only know there are three types of access sorry for type which are private public you don't need a packet transfer transfer is something which is available only for leads and cases that will start with private so if we click on private and we can save it will take little time to save this because it will take little while to complete this operation till then it will remain the previous value I will refresh now and we'll see whether it is impacted yeah it is impacted seen it has been changed to private so what is the expectation whenever we set Lee it is equal to private records owned by others will not be shared to answer we'll see whether it is working properly or not we'll go back to - chill this is the previous view I haven't refreshed it yet will refresh and see what is the expected result so as all the leads are with my name which is this is admin name and the actual user which has chewed resales if this user should not see all the records as soon as i refresh this page so the corn refresh and I should not be saying not even one because all of them are being assigned to Shri can't see I don't see any leads why why I'm unable to see the least records is all of them belongs to Shrikant and I login with sales rep that is the reason why sales rep cannot see the records owned by sri con - now as a sales rep i wanted to see records owned by Shrikant as well so how will do it so if we want to just see it we'll go back to our WT and we'll change that to publicly Don then obviously I should be able to see the records which are owned by others now change the private to public and only click on save and ok and it will take little while I will refresh this page again and I should be seeing the result yes I see public currently now if I go back to my user the expected result is I should be able to see all 22 again wait read-only access if I try to edit it should give me an exception yeah now I see all 22 here all of them belongs to Shri can't seem top to bottom in her 22 records all of them Don's - Shrikant I am I am sales rep I am able to see his records let's see whether we can edit the records I click on a lead and click on edit button on the top menu requirement of yukon details ok we'll catch a tit from your name and I will have planned something called edited and click on save it should not allow me to yet see insufficient access rights on the object ready because we do not have edit access on that so we'll click off back cancer now I want to have 80 taxes on all the records so how will do it will go back to lead again so we'll see all the records now I want edit access to this reasons with you let me go back to all of you now we have 22 records but all of them are in read-only mode now I want to have it Texas so the answer should be I need to change that to public rewrite as sickness that you can save and ok and it will get saved and it's also change the status be very cautious I'll check this status as soon as you change into and immediately test it check HERE whether your change is affected or not only then go there and then refresh this page and click on the record to see whether you have any texts click on Andy Young and the con details and double click on the name and I will make it to edit it so I change the name click on save it should allow me to save the record see as simple as that so private is something which will not allow you to see records owned by occurs publicly it only will allow CL supposed to share others reports to you but in read-only mode public rewrite is something which will definitely make you to edit any record across the system it will share every record with everyone this is how you need to set up or WD and if you see there are well we are setting public read/write we are not giving any user here so it's like whenever you give this access it is applied to every user ID con by default and whenever you do it try to find the user who is having these taxes and then apply his access they will do this object that's how you need to do it or why defaults always remember the most restrictive access which is default to across the system or we also can called as organization and we also have something called grant access using hierarchy at this moment you only need to know that there is something called grant access using hierarchies on our great defaults so when we get in total 11 yes I will explain it to you very much better ok now we'll talk about profiles profiles are basically the set of permissions on objects applications fields record types EXO tracks atra and that permissions will be given to set of users owd will give the permissions to all the users but profiles is something which will give the acces to set of users speaking profiles in security model context we have six different develop access levels that it can provide it to user for a given object so it has create a read edit edit or write both the same and delete along with that we also have you all and modify on this profile deals with cred oppression cred which means c4 create are filleted infer edit and DD / deleted in profile we have six different axis which is read create edit delete which always click current and we also have view wall and mon-sol I categorize viola more pale as ultimate access in this scenario whenever we select a read create edit delete options on lead object the result will be apart from creating the record user will be having access to read edit delete his own records plus he will also have the same access on the records which are shared by owd roles sharing rules etc that is something which we will see with the scenario don't worry now so ultimate access is basically overrides all the sharing rules if I click on view wall then I will be able to see all the records in the system no matter what whatever you do private usually says that I cannot see the records which are owned by others but if I click on View all here it will override owt and then let me see all the records whenever I select modify all it will override all the sharing rules and will let me read edit and delete all the records in the system mine and others will talk about a scenario here so what should be the profile access level in this below scenario so we have two different set of users first user says he should only see his records that means he don't want to see records which are owned by others second set of user says all of them they should be able to read records which are there in the system which are owned by everyone now we need to first find out what is or WT here so before giving prophylaxis they will come to will try to understand what this or WT here so we need to apply a two step process step one says we need to find the user who needs least access out of this user since first one needs the least access because he says he needs to see only his records step two says we need to find the matching access table with his access levels so owd needs to be set to private as soon as owd is set to private user one will not have access to the records that are owned by others in the same way the other three users in the second set will not also have the access to other records now profile will come into picture so for first user will create one profile by giving access to lead object with read and create so that he will have create the record and he will can read the records now for the second three set of three users will create another profile with real create option along with that we also will give you wall by which he will have access to all the records in read-only mode profile access is so important to define access on our own records and shared record to confirm our access on our own records profile itself is enough to decide example if you see here we have read create ADT it option selected so as soon as you see all these things you can directly say that you can create it you can delete edit and delete your own records if you take out edit option over there you will you can understand that you will not have access to edit your own records itself if you remove delete access you will understand that you will not have a delete action on your records itself if you take out read then you will not have the access to object itself you cannot see any record in the object so we understood profile itself is enough to define access on our own records what about shared records which the records which are owned by others to confirm access on other records also Polish shared records profiles and sharing settings are required let's say or W DJ's records to us or roles shears record sharing dual share this records as I have mentioned earlier all the afore security settings will share records to us as we have only gone through owt and profile now we'll see how were WT and profile combinely will say what kind of access I will have on these shared records or others records so import ability is publicly it only which means I can see records which are owned by others and the object says read create edit delete in that case I can only read other's records why because orderly be set to public it only and them lead we have reduction as well you whenever you want read option on the others of course or deleting has to see read and couple should also say feed and if if we want to write shared records then no WD has to be public read/write and even profile should say Eddie taxes on that particular object only then it will work as I have mentioned here read or why it should be in both profile on owd roll or who roll enroll is something which we'll look into in the next video ok we'll have another scenario here in this case or WD is public read/write and lead is read create edit is if you see edit is not checked here and delete is checked in this case we can only read it record spy because profile doesn't say edit if we want to edit on shared records then write should be in both whatever you should say write and profile should also say write only then it will work ok when start where or W the example has ended at the end of the audibility example we made only owt to public read/write that is the reason this user sales abuser was able to see edit the records which are owned by others so we have all 22 so in the owt example if this whatever really has to work profile should have given access on that object now we'll see what if profile doesn't give access and how audibility will get affected when profile doesn't give access so we'll go back to our C segment page so this is this is our set menu and I will on profiles I have created profile for sales rep with custom admin profile so I shall go down and then click on custom engine this is the profile that I have assigned to sales rep now I click on edit this is the normal standard I scroll down and then I will go for this is the objects where we need to give access profiles will give multiple access also it will give access to applications it will give you access to tabs it will give access to record types it will give access to many things but in this scope of the current security model we are only interested with this object permission so I will check with litleo so if you see this little object I have given read create edit delete and know you all know modify your view all and modify all completely the ultimate access if you give view wall and modify all no matter what or wd permission gives no matter what role gives no matter what sharing rule gives no matter what epic sharing on manual sharing gives it doesn't matter you all will turn every record every record which was created by someone to be visible to us view one will make any recording system to be visible to us no matter what or WD or any sharing setting will do modify all is something which is more advanced which will not only let us see but also let us edit and delete that record clear so be very careful whenever you give you one and one file now we will check how this real create edit delete will do if I uncheck read all of them will go down and will have no access only we'll see what happens whenever user is not having access on lead and I will click on this and now you refresh this page and I should not be seeing the lead object in the first place see you don't have access to this record in the first place I don't see that Lee tab so this is what happens when we don't have access on that object so we'll go to edit and we'll just try to do only read so we'll scroll down scroll down scroll down and we'll make it lead and we'll also keep we click on create and click on save now there is no ID taxes give an odd profile now I will go here and click on refresh now as soon as click on refresh now I will be able to see all the lead records all 22 why because whatever you desist publicly right but profile says read and create so I will try to first we'll see whether create is working properly or not cell click on lead and I will change the salutation to mr. some ABC and click on save now I am able to create a lead record just because we have read access now total should be 23 records I'll go back to now as if you see I have given only read and create option but I haven't given any taxes so as soon as I don't give any taxes I shouldn't be able to edit the record I you do not have the double click option see I do not have any taxes now I will go and click on leads which are created by Shrikant and which is created by me and as well if I scroll down I will be seeing my record sales rep record so this is the record which I've created and all the other 22 so even though it is public read/write if I if you see I knew I opened this audibility Palace or W reset order to public read/write and profiles is only read and clear there is no edit axis so on the others records you cannot edit the record if profile doesn't improve edit should be there in both profile and in owd so lead in here it has given dry write read and write but here it we have only read which means we can only read it should be there in both the profile should give read/write and even though the audibility should be giving rewrite only then we can edit the records which are owned by others now I will click here and I will go to any other record so I will go to details and click on edit and it shouldn't it shouldn't have the tele taxi there is no idea but in the first place this edit icon will be displayed whenever profile has that a reach it now we will see what happens if I give edit access edit so we have owt to public read/write and we are giving ad taxes so as we are giving edit access which means profile is saying that you can edit the record and our WT is saying that edit the record which means we have full access on the records which are shared towards so we can edit our own records we can edit other Scots as well so I click on lead and then I click on my record let's see whether I can edit my record in the first place so I scroll down and I a click on company and I will change to edit it see I can change my record and click on save now I will go to any other record which is not one bind to edit a record which is not one by me profile should give Eddie taxes and at the same time the shield setting either will be so W their role in hierarchy whoever it is sharing should also queue as the Eddie taxes so here if you see it says here I will just edit it and make it edited so this is the record and I edited young is the record which is owned by Shri conques and created by Shahrukh Khan and I click on save and I should be able to edit it see now public read/write allowed us to edit the record and profile edit axis also allowed us to ADT records which are not owned by us this is really important whenever you are trying to edit a record which is not owned by us profile should also give us edit access and these sharing setting which is trying to share the records should also give us the right access now we will change I to public view Dalian will see how it affects so I will change to publicly you know nervously Khan save time click OK yeah now it got affected public it only is the Lea which means we will be able to see the records which are owned by others but cannot edit it and profile says I can edit it right so as I said two idiots records which are owned by others we should have edit in both so here we have it it but the audibility settings is only read which means we can only read we should be able to do the operation which is common in the both on the sheer recalls this is applicable only for the shared records for our records it is always based on the profile no other setting is required so I will go back to this page and click on refresh and if I open my record I should be able to edit it if I open someone's recalls I should not be able to edit it so I will test this I will open my record first and will see whether I can edit it it is and if you see there is an edit option here and I changed to edited so this is my record which is sales reps own record since I've created it so he should be able to edit it because profile has given any taxes so it doesn't require owd approval because it says record own records is completely applicable on profile now I will open and be edit and Eng which is not my record which is a shared record so as this is part of shared record if I need to edit it even the shared settings should give any taxes but our old ability has given only read-only access we should not be able to edit it so I will click here it gives even though it gives this icon it will not allow us to edit updated again and click on save should not allow us to save the record see insufficient access so the conclusion means whenever we are trying to edit a record which is being shared to us should be having access both in profile and the shell settings in the scenario disorder already so what WD should give us edit and profile should also give us a it should be common in both if it is our own record profile as access itself is enough soil profile seceded we can edit our record if it doesn't say that we cannot edit the record as simple as that it should be common in both if it is a state record now we will discuss about view wall so I go to the a date and profile and change the view wall and modify all so I will go here scroll down and make this to move on and I will click on save a view wall will gives complete visibility on all the records that we don't own so we'll change the sharing settings to private which will not let any of our records to see it in the first place so we'll see how you all works so view wall will override any sharing setting you wall and one file will always override sharing Center so sharing setting here give cells the lead object into private so view wall our view wall which we have given in profile will override this so shearing setting says we cannot see others record but profile says view wall which means I am overriding whatever your order build is telling so show me all the records so if I go here and refresh this page I should be able to see all the records click on all I should be able to see but in the same case we cannot edit it because view L has just given us the permission to view of it but not edit it so I click on details and then click on edit it but I cannot edit it we will just give us the viewer now I will go and change the profile lead object to modify on so that I will show you what kind of things that we can do with modify on and click on save so as soon as you make it modify all you are giving this particular user who is part of this profile a complete access on all the records so I flick on save again you will see whether I can do it or not see now it is allowing me to do it now you can also delete the record which is not see this record is owned by Chacon I'm sense of user I am able to delete as well so I will delete so you are trying to delete the record which is owned by someone so this is a very very dangerous permission which you should be giving only to D users who really need this permission so if you see the 22 or 23 records change to 22 so the conclusion is view all is a permission which will give you the complete access across the system but in a read-only mode modify all is something the more more advanced version which will override every sharing setting in the system which will allow you to see delete ad to recalls which are owned by anyone in this is very very simple okay we'll go through some scenarios where we'll see whenever we select some different values with owd and a particular value with profile and we'll see what the result will be in the facility or WD set to private and for file acceptor all the great options free create read edit and delete then the result will be user will be able to see all his records and he will be able to edit his accounts why as soon as owd is set to private he will leave he will not be able to see any of the records owned by others and as profile he said to thread user will be having access to all his records to create it read it edit it and delete it as simple as that now we'll go through these seconds man yo where the owd is set to private and profile is set to yeah she is creative tree and in the scenarios we are not mentioning about create and delete in the result why because there's a quite self-explanatory so as audibility is set to private here obviously user will not have access to the records not won't buying him and as profile says create and tree just read and there is no edit as a result he will be seeing only his recalls with read option very simple now these turns in and you say is private owd is equal to private and profile is equal to empty which means there is no access on that object as soon as there is no access on that profile object no matter what user will not be able to see any data you will not have any access at all now this is a different scenario which is little tricky but it is not complex now whenever user selects public read-only option as a word of duty the current logged in user will be having access to all the records on where those but it should be in read-only mode and profile says see LED as purple CSer Edie he will be having access to his records to read and delete as whoa WD is just read-only and profile is having read and edit wait how my rakaats is equal to read edit and other records to read it seems little complex but try to understand vise understanding this kind of scenario you will be able to understand the concept little better now the next scenario so publicly Don is the Odell UDN profile says yeah as it says publicly only will have access to or theory calls on by others so that's the reason in the result we have in my records we'd only access and in that that because we have read access why do you wind quite it can't be how data taxes because in their profile there is no edit option where isn't okay coming to next scenario whenever we do owt sequel to public read-only and profile is equal to empty obviously the result is no access so same applicable for the next scenario where owt said to publicly right which means he will not be having access on any record whether it's its own or any other record and they make scenario sales owd is set to public read/write and profile is set to cred where it is giving access to every recording owt which means it is trying to give share all the records which are owned by others to us and in profile we have given all CRE D which means we'll have access to all our records with read and edit action as well so in the result it will be my records rear-ended it or the records we donated simple and coming to the next scenario owd says public read/write and profile says just read that is the reason the reason says for my records we can only lead and owd even though owt has given public read/write profile has to approve there should be an edit until profile also gives ad taxes users cannot edit the records which are owned by other record this is what I was telling profile should also give permission which owd has given else it will not work coming to the next scenario or WD says public read-only and profile says just read which means in my records it is read and in the other records also it is yesterday if you see this and the previous result is same even though owt changes why because profile should also grant write permission in the previous scenario that is the reason in the previous scenario even though WT is right it didn't work and in the current scenario it has read and profile has it that is the reason we were able to read it simple if you see the last two scenarios the current scenario is selected and the previous scenario both of them are having the same profile and same result except the were WD is different why the result is same why because as I have mentioned earlier owd is providing edit profile should also have provided it only than other records will be seeing as read and edit else to non QT access to it it OWD here in the current scenario is read-only and here it's also current and this a profile also care or read-only that's the reason in result will be having read remember one thing order if portability gives headed profile should also give edit only then we can have ad taxes on t recalls which wait on gone ok with the next scenario you will try to add mod fell out also so inaudible you deep it is said to publicly it only and properly said to modify all then the result will be you can read and edit your recording other records so as soon as you see modify all you don't need to think about Odom you defy because modify all we'll all right all the sharing rules to make all the records to be read and edit one that is the reason for the next two scenarios also even though owd changes the result doesn't change man whenever you set profile to modify all then orderly doesn't matter because multi all overrides everything you make on that equals to P entry don't edit mode and that's the wrap up with this session so I will be adding another video on to level hierarchy sharing rules and manual shading in the next video I will be uploading that in next 24 hours and thank you so much if you like this video give a thumbs up if you have any questions come and down below practice practice practice happy melting and bye
Info
Channel: Salesforce Exclusive
Views: 56,937
Rating: undefined out of 5
Keywords: owd and profiles, owd and profiles in salesforce, salesforce security model, owd salesforce, profiles salesforce, salesforce owd, sharing settings salesforce, organization wide defaults salesforce, role hierarchy, sharing rules, manual sharing, data security, Organization Level Security, object level security, record level security, salesforce tutorials
Id: VgmR2x8_GUY
Channel Id: undefined
Length: 36min 27sec (2187 seconds)
Published: Fri Oct 04 2019
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.