Application Level Security - Part 2


After controlling object-level access, defining field-level security for sensitive fields is the second piece of the security game. Field Level Security (FLS) is about protecting read or write access on the fields of any object. Say there is a field that only one profile is allowed to update: on a contact's role, the field named “support relationship” is editable only by the CSM (Customer Support Manager) profile and no one else, so only that profile's users will be able to access the field and manage it. Guys, field-level security is of the utmost importance. It does not only mean that you cannot access the field from the front end: if you don't have access, a bulk load will hit an error, and you will not be able to report on the field either, because read/write is completely debarred 🚫. Apart from this, the field's visibility is also affected on related lists, list views and search results.

After configuring the field-level security for users, you can do the following:

1. Create page layouts to organize the fields on detail and edit pages.

2. Verify users’ access to fields by checking the field accessibility.

3. Customize search layouts to set the fields that display in search results, in lookup dialog search results, and in the key lists on tab home pages.

Let’s see how one can restrict access at the field stage.


Restricting the field access from PROFILE

It's very easy to control field accessibility from a profile through object settings; it's exactly like handling object access from a profile. If the enhanced profile user interface is enabled, go to Object Settings. Please note that if the enhanced profile interface is not enabled, quickly reach out to your admin and ask them to turn it on from User Management Settings. OK! Let's continue.

1. From Setup in Salesforce, go to the profile, say Candidate, whose object FLS you want to set.

2. If it's the enhanced profile UI, click on Object Settings.

3. Select the appropriate object, say Position, set the access to edit on the fields the candidate will enter data in, and disable read and edit access on the salary that is available for the position.

4. All set! Now go to the Recruiter profile and, following the same steps as above, set edit access on salary under the Position object.

5. Did you notice how easily you adjusted the field access according to the profile? In the same way you can adjust the field access on “n” number of objects for “n” number of profiles and control data entry on any field. There are multiple other ways to control field security as well. Let's continue and check those.


Restricting the field access from Field Level - Set Field Level security

Field accessibility can be restricted not only from the profile; it can also be managed from the “Set Field Level Security” button. Friends, I have always emphasized how crucial data is to us, and field accessibility restrictions are equally important for preserving its integrity. Do not worry if your field read/write permissions are already restricted from the profile: wherever you prohibit or set field access, the Salesforce system maps it to your user's profile.

1. Go to the object from Custom Objects, or from Setup type “Products”, and click on Fields.

2. Under the Custom Fields section, select the discount field.

3. On the field page, click on the “Set Field Level Security” button if you are an administrator.

4. You will be taken to a page where you can see the various profiles of your org, and you need to set the access to either Visible (edit) or Visible and Read-Only accordingly.

5. There you are, just hit Save and enjoy having a secure system. So this is another path from which you can control field security; we will continue with the others.


Restricting the field access from Field Level - View Field Accessibility button

Apart from managing the access from the Set Field Level Security button, one can also adjust it from the View Field Accessibility button. The process is quite manual, but one can use it if they don't have access to the Set Field Level Security button. Let me first tell you the importance of this button: it is used to view which profiles are granted what access on the object's fields, be they custom or standard, but we can also edit the visibility from the View Field Accessibility page. Let us understand:

1. From Setup, again type “Products” and click on Fields.

2. Under the Custom Fields section, select the discount field.

3. On the same field information page, beside the Set Field Level Security button, you can find another action named “View Field Accessibility”.

4. Click on the button, and you will see a page which will look like this

5. From the “choose one” bar, select the field whose accessibility you want to set or see. Let's say I selected the discount field again; I first get to see which profiles are assigned what access.

6. Now let's say you have to change the access for the sales executive user from no access to read: click on the Hidden button.

7. Set the access from the below highlighted areas

8. Although the visibility is “edit” from FLS, no visibility is enabled on the layout, and thus the user would not be able to do anything with the field from the layout. Isn't it interesting that the user's field visibility can also be controlled from the layout? Let us see how it is done.


Controlling the field access on Front end UI from Page Layouts

All the methods we are learning focus on controlling the security of sensitive field data on any standard or custom object. The pattern we are going to learn now, managing field accessibility from the page layout, concentrates wholly and solely on controlling data insertion or modification at the front end or UI level. If someone were to ask me about the backend: obviously one can still manage the data from the backend, for example with near-admin rights, and even bulk loads are possible. But this approach is beneficial if we need to restrict field updates for a support kind of profile. Please note that we can make a field read-only on the layout, and we can also manage the field's visibility by configuring the layout.

1. From Setup, go to, say, Products and click on Page Layouts.

2. Under Layouts, click on the Edit button for the layout that has to be configured.

3. From the below highlighted you can manage the placing of fields and whether it's required or not

4. And from the below highlighted click on the configurer icon and manage the accessibility of that particular field on the layout

5. You can make it read-only by selecting this option; saving the layout will then bring it into action.

This is how one can control field accessibility from the page layout. You can also assign these page layouts under different record types and assign them to profiles accordingly. Let's learn about record types.


Controlling the field visibility through Record Types

Guys, we are seeing various patterns for handling the visibility of fields from layouts. There is another way of maintaining field visibility, via record types, which determine what set of fields a user gets to work on and can be managed beautifully. I am not claiming that we are controlling field security through record types, but we are definitely preventing unprivileged users from making updates on fields they should not touch, just by managing the placeholders. Not only fields: you can also decide which picklist values should be visible on which record types.

1. Go to Record Types, found under the object in Setup.

2. Click on the New button, give the record type a label and choose which profiles the record type will be visible to.

3. Click on Next, assign the page layout and hit Save. There you go: assigning record types exposes only those fields that the profiles are allowed to work on in their daily job.

So, till now we have seen how one can control field security, but there should also be a way to loosen that rigidity.


Opening up the field access from Permission set 

We will now see how we can give field access from a permission set. Remember, permission sets are not for restricting control on fields; they always expand the access on fields for a specially privileged user. Let's learn how it's done.

1. Go to the permission set whose field access needs to be opened up.

2. Again click on Object Settings if it's the enhanced permission set UI, and navigate to the object.

3. Click on Edit, give the access and hit Save. Simple enough, right!
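To tie the permission set, profile and page layout sections together, here is an added example (not from the original post and not Salesforce code) that models how effective field access is worked out: profile and permission set FLS add up, while a page layout narrows access only on the record page. The rows are constructed and shaped like FieldPermissions records; the field API names, the users and the "Discount Approver" permission set are assumptions.

```python
# Constructed rows shaped like Salesforce FieldPermissions records:
# (profile or permission set, field, read, edit). No row means no access.
# Field API names and the "Discount Approver" permission set are assumptions.
FLS_ROWS = [
    ("Recruiter", "Position__c.Salary__c", True, True),
    ("Support", "Product2.Discount__c", True, True),
    ("Discount Approver", "Product2.Discount__c", True, True),  # permission set
]
# Page layout assigned to each profile: field -> "edit" or "read".
# A field missing from the layout is not shown on the record page.
LAYOUTS = {
    "Candidate": {},
    "Recruiter": {"Position__c.Salary__c": "edit"},
    "Support": {"Product2.Discount__c": "read"},
    "Sales Executive": {},
}
# Constructed users: name -> (profile, assigned permission sets).
USERS = {
    "candidate1": ("Candidate", []),
    "recruiter1": ("Recruiter", []),
    "support1": ("Support", []),
    "salesexec1": ("Sales Executive", ["Discount Approver"]),
}
RANK = {"none": 0, "read": 1, "edit": 2}

def api_access(user, field):
    """FLS is additive: the union of the profile and every assigned permission set."""
    profile, perm_sets = USERS[user]
    level = "none"
    for parent, row_field, can_read, can_edit in FLS_ROWS:
        if row_field == field and parent in [profile, *perm_sets]:
            granted = "edit" if can_edit else "read" if can_read else "none"
            level = max(level, granted, key=RANK.get)
    return level

def ui_access(user, field):
    """A layout can only narrow what FLS grants, and only on the record page."""
    layout_level = LAYOUTS[USERS[user][0]].get(field, "none")
    return min(api_access(user, field), layout_level, key=RANK.get)

def layout_only_restrictions(field):
    """Users held back by the layout alone; bulk loads and reports still reach the field."""
    return sorted(u for u in USERS
                  if RANK[api_access(u, field)] > RANK[ui_access(u, field)])
```

Any user returned by `layout_only_restrictions` can still change the field through a bulk load, so if the restriction is meant to protect the data it belongs in FLS rather than in the layout.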



Guys, with any type of security control, be it at object level, field level or record level, we always need to keep in mind that it must take care of our business data, but at the same time it should not be so rigid that the business itself gets affected. That is why Salesforce offers various ways to lessen the restrictions for special users. Security is a boon to good data quality and maintenance. Hope you enjoyed learning about FLS.

Chinmayi Agrawal


Hi, my name is Chinmayi and you can call me a functional geek. My main focus is to help customers get a robust and clean environment, and I love to take on real-time challenges.