Chapter 21
IN THIS CHAPTER
Managing users over time
Planning your sharing model
Building profiles to determine access
Defining your role hierarchy
Delegating administrative duties
How can Salesforce be customized for your company so each user sees only pertinent information? You’ve come to the right chapter.
For administrators or members of your customer relationship management (CRM) project team with the right privileges, Salesforce allows you to easily configure your system so that users can access and share information according to your goals. With Salesforce, you have a variety of ways to control access and sharing of data, from system-wide sharing rules to assigning profiles. And, if you have Enterprise or Unlimited Edition, you have industrial-strength flexibility, even to the point of field-level security.
In this chapter, we show you all the steps you can take (or should consider) for configuring Salesforce to ensure that users see only what they need to see. We discuss concepts around creating the role hierarchy, assigning profiles, determining field-level security, creating users, and setting up your sharing rules.
When Salesforce.com supplies user licenses for your organization, administrators can add users into Salesforce. You don’t have to create the roles and profiles before you add users, but we recommend doing so because Role and Profile are important fields when you’re creating a user record. In this section, we discuss various ways of creating users and managing them.
To add users, click the Setup link and follow these steps:
Click the Users link under the Administer ⇒ Manage Users heading on the sidebar.
A users list page appears.
(Optional) Use the View drop-down list if you want to select from standard or custom list views of your users.
Salesforce presets your views with three standard options: All Users, Active Users, and Admin Users.
Click the New User button to add users one at a time.
A New User page appears in Edit mode.
To enter a list of users that need to be created (instead of one at a time), click the Add Multiple Users button instead.
Complete the fields, paying close attention to selecting appropriate Role and Profile values.
Select the Generate New Password and Notify User Immediately check box at the bottom of the New User page if you want the user to immediately receive an email with her username and temporary password. If you’re in the midst of an implementation, we recommend deselecting this check box and doling out passwords when you’re good and ready.
If your company is just starting out with Salesforce, be cautious and don’t give all your new users the System Administrator profile. Future generations of users at your company will thank you for taking a prudent approach to configuring things in Salesforce, as opposed to allowing too many cooks into the Salesforce kitchen.
Click Save.
The User detail page appears.
After you’ve created a new user, you can activate or deactivate him. Activation means the user is able to log in to Salesforce and start using it. Deactivation means, well, the opposite. There is no concept of deleting a user, which helps with compliance and auditing purposes, as well as avoiding a lot of complications when it comes to historical records owned by and actions performed by that user.
To activate or deactivate a user, click the Setup link and follow these steps:
Click the Users link under the Administer ⇒ Manage Users heading on the sidebar.
A users list page appears.
Click the Edit link to the left of a user’s name.
The User Edit detail page appears for that user.
Check the Active box, depending on what you want to do.
If you see a checkmark, that means the user is active. Removing the checkmark means that user is deactivated.
Click Save to save your action.
You’re returned to the user list page.
What if the user you’re trying to deactivate is associated with some special settings in Salesforce (like being a default lead or queue owner)? This may take some time as you confirm with business users who the replacement assignee should be. In the meantime, the clock is ticking and you still need to prevent this user from accessing Salesforce. That’s when you can freeze a user’s record, which disables that user’s ability to access Salesforce while you perform related system administrator duties.
To freeze a user, click the Setup link and follow these steps:
Click the Users link under the Administer ⇒ Manage Users heading on the sidebar.
A users list page appears.
Click the name of the user you want to freeze.
The user’s detail page appears.
Click the Freeze button.
You’re returned to the user detail page, and the button name changes to Unfreeze. To unfreeze that user record, click the Unfreeze button.
Before jumping into the guts of system design, take a minute to review five basic configuration elements. These will help as you begin to think about who in your company should see and edit what in Salesforce.
You use these five elements as the primary levers to deliver the proper level of access and control for your company in Salesforce.
As an administrator or member of your CRM project team, one of your biggest decisions in Salesforce is how users will share information. A sharing model controls the level of access that users have across an organization’s information, not just up and down the chain. You can use the sharing model with the role hierarchy, public groups, personal groups, and the default access for each role to get pretty specific about what you want people to view or change. You use the organization-wide sharing model and, if necessary, public groups and expanded sharing rules in Salesforce to configure your sharing model.
The organization-wide defaults (OWDs) set the default sharing access that users have to each other’s data. Sharing access determines how data created by users in a certain role or public group is viewed by users within another role or public group. For example, you many want your sales operations team to see the dollar value of won opportunities so that they can verify what was booked versus what’s listed on the signed contract, but you probably don’t want them editing the amount of that won opportunity. If any role or public group possesses data that at least one other role or group shouldn’t see, your sharing model must be private; all other levels of openness must be granted as an exception via groups (more on that later).
To configure the organization-wide defaults, click the Setup link and follow these steps:
Choose Administer ⇒ Security Controls ⇒ Sharing Settings.
The Sharing Settings page appears, showing org-wide defaults for several objects, as well as specific sharing rules for those objects.
Click the Edit button in the Organization Wide Defaults list.
The Organization Sharing Edit page appears.
Select the desired settings.
Click some picklists to see the different options. The options are typically Private, Public Read Only, and Public Read/Write. Some objects may have options specific to that object’s functionality, like the Calendar object, and the ability you have to set how much information people can see on others’ calendars. For example, if you want the most restrictive model, choose the following as your defaults: Private for the major records and Hide Details for Calendar. Some standard objects, like the Lead and Case objects, have extra-special powers and have an additional option, Public Read/Write/Transfer. This assumes that someone working heavily in leads or cases will often need to transfer a lead or case record that isn’t owned by him to someone else.
Remember what we said about role hierarchy providing “vertical access” to data? A Private sharing setting on an object still assumes that people with a role above yours in the role hierarchy can see and report on those records. Salesforce always, by default, respects the hierarchy structure — sharing settings determine only how peers and those outside your typical chain of command see your data. For more complex sharing scenarios, you can have the option to deselect the ability to grant access to records based on role hierarchy, but, you may want to consult with Salesforce support or a Salesforce Partner before making such a complex change.
Click Save.
The Sharing Settings page reappears with your settings listed under the Organization Wide Defaults list.
By using public groups, roles, or roles and subordinates, you can create sharing rules to extend access above and beyond the organization-wide defaults. For example, if your default sharing model is read-only but you want a group of call center agents to have edit privileges on account records, you could do this with a custom sharing rule.
To add a sharing rule and apply it to your data, click the Setup link and follow these steps:
Click the Sharing Settings link under the Administer ⇒ Security Controls heading on the sidebar.
The Sharing Settings page appears.
Scroll down and click the New button next to any of the standard or custom object Sharing Rules lists, as shown in Figure 21-1.
All lists operate much the same but relate to different records. A Sharing Rule setup page appears for your selected record.
Use the drop-down lists to define the data you want to share and the related roles or groups that you want to share that data with, as shown in Figure 21-2.
For example, you may want to grant your customer support team read/write privileges to account data owned by all internal users. You can apply the sharing rule based on types of users who own the record, or create other filter criteria.
Click Save.
The Sharing Settings page reappears with your new rule listed under the appropriate related list.
In Enterprise and Unlimited editions of Salesforce, you can use profiles to control a user’s permission to view and perform many functions. Roles and sharing rules determine which objects a person sees, and whether she can make changes to that object. A profile determines what details a person sees on that object. Depending on which edition you’re using, you can use profiles to
Most editions of Salesforce come with five or six standard profiles, which can’t be altered except for the tab settings. The number of standard profiles may differ depending on the types of Salesforce licenses your organization has purchased. Newer organizations can stick to standard profiles and address their company’s basic requirements related to user access. If you have Group or Professional Edition, you can’t actually view the settings on the standard profiles.
If you have Enterprise or Unlimited Edition, choose Setup ⇒ Administer ⇒ Manage Users ⇒ Profiles to see your profiles. Otherwise, here’s a brief explanation of the more common standard profiles for Salesforce license types and how they’re typically applied:
If you have Enterprise or Unlimited Edition, you can build custom profiles that provide you greater flexibility than the standard permissions granted to users and the layouts that they see. For example, you may want to create a custom profile for your finance team so that only users with that profile can edit check boxes on the opportunity that track whether certain signed forms have been submitted when you close a deal. See Chapter 17 for details on creating custom layouts and record types.
To create a custom profile, you can start from scratch, but we suggest cloning and modifying an existing profile by following these steps:
Choose Setup ⇒ Administer ⇒ Manage Users ⇒ Profiles.
The User Profiles page appears. You can see which profiles are standard or custom ones based on which ones have the Custom box checked.
Click the Standard User link in the Profile Name list.
The Profile: Standard User page appears. In practice, you can clone from any of the profiles, but by starting from the Standard User profile, you can simply add or remove permissions.
Click the Clone button.
The Clone Profile page appears.
Type a title in the Profile Name field and then click Save.
The Profile page for your new profile appears.
Click the Edit button to modify the permissions, as shown in Figure 21-3.
The Profile Edit page appears.
Salesforce packs a plethora of possible permissions into a profile page. Some of those permissions aren’t obvious; others are dependent on your selecting other permissions. If you have questions as you’re working through the Profile Edit page, click the Help for This Page link in the upper-right corner of the page to go directly to the relevant Help documentation. If you place your cursor over the i icon, located next to certain Administrative Permissions on the Profile Edit page, rollover text appears with tips on other required settings.
Under the Custom App Setting section, determine which standard and custom apps are visible for a profile and which one is the default.
This determines the content of the Force.com app drop-down list.
Under the Tab Settings section, use the drop-down lists to determine the tab settings for your new profile.
Choose from the three possible options:
Making a tab hidden in a user’s profile doesn’t prevent the user from accessing those records (in reports, for example). To prevent a user from accessing a particular type of record altogether, remove the Read permission on that type of data from the Object Permissions sections of the page.
Under the Administrative Permissions header, select or deselect check boxes to modify administrative permissions from the profile.
Most of these settings are designed for administrators, but some of these may be important, depending on your goals for a custom profile. For example, if you want to build a manager’s profile, you may want to retain permissions such as Manage Public Reports and Manage Public List Views so that managers can create public reports and list views for their teams.
Under the General User Permissions header, select or deselect check boxes to modify common user permissions from the profile.
For example, if you don’t want sales reps to be able to export customer data to a file, you could create a custom profile for reps and remove the Export Reports setting.
Under the Standard Object and Custom Object Permissions headers, select or deselect check boxes to modify standard or custom object permissions from the profile.
For example, if you don’t want support reps to be able to modify opportunities, you could create a custom profile for support reps and select only the Read check box in the row for opportunities.
Click Save.
The Profile page reappears for your new profile. Your new profile will now appear the next time you follow the instructions in Step 1.
Click the View Users button if you want to assign users to the profile.
A Custom: Custom Profile Name list page appears in which you can view, add, or reset passwords for users in the profile.
Think of a role hierarchy as the Salesforce system’s data-access trickle-down org chart: If you’re assigned to the role at the top of the chart, you have full access to your own data, and that privilege trickles down to the data of everyone below you in the hierarchy — and life is good.
You can use the role hierarchy in Salesforce as a primary method to control a user’s visibility and access to other users’ data. After you assign a role to a user, that user has ownerlike access to all records owned by or shared with subordinate users in the hierarchy. For example, if you set up a hierarchy with a Sales Rep role subordinate to a Sales Manager role, users assigned to Sales Manager would have read and write access to records owned by or shared with users in the Sales Rep role.
To set up your company’s role hierarchy, click the Setup link in the upper-right corner and follow these steps:
Choose Administer ⇒ Manage Users ⇒ Roles.
The Understanding Roles page appears, and you see a sample hierarchy, as shown in Figure 21-4.
To select a different sample hierarchy, make a selection from the View Other Sample Role Hierarchies drop-down list.
Click the Set Up Roles button.
The Creating the Role Hierarchy page appears.
(Optional) To select a different view of the hierarchy, make a selection from the drop-down list on the right side of the page.
Salesforce provides three standard views for displaying the role hierarchy: tree, list, and sorted list. For this example, we’re opting for the default, Tree view.
In Tree view, click the Add Role button at the place in the hierarchy where you’d like your new role to appear.
A Role Edit page appears for the new role.
Complete the fields.
The fields are pretty obvious, but here are some tips:
Beyond the major configuration settings (such as roles, profiles, and sharing model), as an administrator, you have other settings for managing the use and security of your data in Salesforce. You can find these features by choosing Setup ⇒ Administer ⇒ Security Controls.
In the following sections, we discuss how to manage field-level access and delegate a subset of administration to others.
If you have Enterprise or Unlimited Edition, you have three primary ways to control access to and editing of specific fields: profiles (which we discuss earlier in this chapter), page layouts (Chapter 17 covers these), and field-level settings (stay right here for the details). With field-level security, you can further restrict users’ access to fields by setting whether those fields are visible, editable, or read-only.
To view and administer field-level security, click the Setup link and follow these steps:
Choose Administer ⇒ Security Controls ⇒ Field Accessibility.
The Field Accessibility page appears, listing all objects.
Click the link for the type of record for which you want to view and manage field-level security.
A Field Accessibility page for the selected record type appears, as shown in Figure 21-6. For example, click the Account link if you want to review the security settings on account fields.
Under the Choose Your View header, click the View by Fields link.
The Field Accessibility page appears with a Field drop-down list. If you want to see a different view of this information — in which you get to see one profile and the security levels for all the fields for the selected data type — click the View by Profiles link.
Select a field from the Field drop-down list.
The page reappears with a table displaying your company’s profiles and the profiles’ accessibility to the selected field.
In the Field Accessibility table, click a link in a cell in the Field Access column to edit the profile’s field access for a specific record type.
An Access Settings page for the selected profile and selected field appears, as shown in Figure 21-7. If you want to modify access for all profiles associated with the page layout assigned to this profile, you can also adjust that here.
Select the check boxes to modify the field-level settings, and then click Save.
The Field Accessibility page for the selected record type reappears.
As an administrator for your growing world of Salesforce users within your company, you hold the key to who accesses your Salesforce instance. You shouldn’t try to cut corners by making everyone system administrators just because you’re annoyed each time people bug you to add a new user, or because they get impatient about your asking “Why?” in response to their requests.
Salesforce allows you to delegate some administrative duties to nonadministrators. Delegated administrators can help you create and edit users in roles you specify, reset passwords for those users, assign users to certain profiles, and manage certain custom objects. For example, if your marketing department is growing quickly, you may want to allow a manager in the Marketing Manager role to add new marketing users to Salesforce who need the Marketing User profile.
To delegate administration, you must first define the groups of users to whom you want to delegate these new privileges. Then you have to specify what you want those newly delegated administrators to do. To define delegated administrators, follow these steps:
Choose Setup ⇒ Administer ⇒ Security Controls ⇒ Delegated Administration.
The Manage Delegated Groups page appears.
Click New.
The Edit Delegated Group page for the new delegated group appears.
Enter the Delegated Group Name.
In our example, we selected Sales Operations.
Click Save.
The Delegated Group page for your new group appears.
Click the Add button in the Delegated Administrators related list to specify which users will belong in this group.
The Delegated Administrators page appears.
Click Save.
The Delegated Group page for your group reappears.
To specify which roles and subordinate roles a delegated administrator can manage, click the Add button in the User Administration related list.
The Roles and Subordinates page appears.
Click Save.
The Delegated Group page for your group reappears.
Click Add in the Assignable Profiles related list to specify which profiles these delegated administrators may assign to users.
The Assignable Profiles page appears.
Click Save.
The Delegated Group page for your group reappears.
Click Add in the Custom Object Administration related list to specify which custom objects and related tabs a delegated administrator may manage.
The Custom Object Administration page appears.
Click Save.
The Delegated Group page for your group reappears.