+ Start a Discussion
iainfarqiainfarq 

Field vs Object level security

Hi,

 

Quick question - I'm setting Read/Create/Edit/Delete custom object permissions on profiles - I'm not sure how this affects field level permissions (also set on profile).  If I set a custom object on a profile to have no R/C/E/D permissions do I also need to set the field level security to invisible for each field?

 

My assumption is that Object level security trumps field level security..is that correct?

 

Cheers.

Best Answer chosen by Admin (Salesforce Developers) 
BrendanOCBrendanOC

You are correct.  If the user does not have CRUD to the Account object, they cannot see any of the Account fields.  Field Level Security (FLS) is for fine tuning individual fields that a profile already has CRUD for.

 

Example:

Profile1 - CRUD access to Account

If Account has a custom field called secret__c, you could use FLS to make secret__c hidden, or make it Read Only.  Profile1 can read, update, or delete any other fields

 

Profile2 - R access to Account

You don't need to mark secret__c as Read Only, because Profile2 does not have Update access to Account.  Their maximum permission to all Account records is Read.  If you want to hide secret__c, you would set FLS to hidden (uncheck the Visible checkbox.)

 

Profile3 - No CRUD access to Account

Zero permissions to any account records. No need to set FLS

 

 

Hope that helps!

All Answers

BrendanOCBrendanOC

You are correct.  If the user does not have CRUD to the Account object, they cannot see any of the Account fields.  Field Level Security (FLS) is for fine tuning individual fields that a profile already has CRUD for.

 

Example:

Profile1 - CRUD access to Account

If Account has a custom field called secret__c, you could use FLS to make secret__c hidden, or make it Read Only.  Profile1 can read, update, or delete any other fields

 

Profile2 - R access to Account

You don't need to mark secret__c as Read Only, because Profile2 does not have Update access to Account.  Their maximum permission to all Account records is Read.  If you want to hide secret__c, you would set FLS to hidden (uncheck the Visible checkbox.)

 

Profile3 - No CRUD access to Account

Zero permissions to any account records. No need to set FLS

 

 

Hope that helps!

This was selected as the best answer
iainfarqiainfarq

Thanks that clarifies things a great deal!