Joshua Minton

Security should be your first thought when implementing or optimizing your Salesforce organization. Security in Salesforce is a five-point control process:
•    Organization Wide Default (OWD) settings for each object
•    Salesforce Role Hierarchy
•    Profile permissions for each object
•    Custom sharing rules (configuration and custom code)
•    View All Data / Modify All Data

Organization Wide Default (OWD) Settings for Each Object

Every object has a baseline permission setting for each object. Taken alone (without the other three sectors above), there are four choices:
•    Private: Records are only viewable and editable by record Owners and System Admins in your org.
•    Public Read: Records are viewable by every Salesforce User in your org.
•    Public Read/Write: Records are viewable and editable by every Salesforce User in your org but only the record Owner or System Admin can transfer the record to another Owner.
•    Public Read/Write/Transfer: Records are viewable, editable and can by transferred to other Users by any User in your Salesforce org.

It’s important to note that the Organization Wide Default settings are the only place in the security controls within Salesforce, where you can limit Users from interacting with data in your objects. Each of the other four security control points only serve to open up access from this OWD setting.

When determining the proper OWD for each of your standard and custom objects in Saleforce, you must ask the following questions for each object:
•    Which users should NOT be able to see this object?
•    Which users should NOT be able to create records in this object?
•    Which users should NOT be able to edit records in this object?
•    Which users should NOT be able to delete records in this object?
•    Which users should NOT be able to delete records in this object?

Once you have the OWD established for each of your settings, there is one item left for you to decide before you leave this security point and move on to the Salesforce Role Hierarchy. You must, on an object by object basis, determine whether you want the role hierarchy to open up data access for this object.
Salesforce Role Hierarchy.

The role hierarchy in Salesforce is not a place for you to replicate your HR hierarchy, to build a complex network of branched job titles that will only serve to confuse your readers as they see the options pollute their reports.

The role hierarchy is simply a functionality that allows you to open up data access and permissions beyond the baseline OWD settings for each object and it impacts a few other functions in the system.

If “Grant Access Using Hierarchies” is checked on the OWD setting for an object, then roles above other roles shall inherit the object access and permissions of those roles beneath them in the hierarchy. This is extremely useful when your business processes require that managers require access to the records of those Users beneath them in the hierarchy, to edit or transfer or other tasks.

While you can make role hierarchies as complicated as you like (I’ve seen some stretch to over 3,800 roles!!!); I would recommend keeping it to below 10 roles and to make them as generic as possible. After you determine how many levels of access you will need, create them and name them Level One, Level Two, etc. and you can rename them after you have the structure nailed down.

Once you have the OWD and role hierarchy set up, it’s time to determine what permissions your Users will need and to build out your Profiles and their permissions.

The profile is the true powerhouse within Salesforce, when it comes to security and permissions. The major responsibilities of the Profile are to:
•    Determine which applications the User can view
•    Determine which tabs the User can view
•    Which Administrative General permissions the User has
•    The CRUD (Create Read Update Delete) permissions for each object
•    Which Page Layouts a User sees
•    The Field-Level Security (FLS) the User has to view and edit fields within each object
•    Which Record Types are available to the User
•    Which Record Types are default for the User within each object
•    The hours and IP ranges each User has to be able to access the system
•    Which Apex classes the User can execute
•    Which Force.com pages the User can access

These above permissions, along with a User’s access to data (determined by the OWD), determine what Users higher above in the role hierarchy can see and do. You can see that each of these security points work in tandem with the others to allow for a complex security structure to be built that will accommodate any business requirement to close down or open up access to data for all Users in the org in almost any situation.

You can set up some pretty intricate sharing rules for each object within the Salesforce UI based on quite a few conditions (owned by, status of, etc.) but there may come a point when you need to grant privileges to specific users based on minute behaviors within the system and then it’s time to call your Developer and get them working on some Apex sharing rules to automagicate your record sharing.

All of this technical talk about security and sharing is very important to get nailed down tightly and tweak constantly when needed. You don’t want to be the company whose data gets exposed because you didn’t take the time to nail this down.

 

PHOTO: Security wire © by lydiashiningbrightly

The worst situation I have ever seen in a Salesforce org was due to lack of planning, lack of commitment and a lack of understanding by Senior Management on how the sales process works inside Salesforce.

The first Salesforce org I was an admin inside was an absolute mess composed of the fossils of organic processes built on a “we need this right now” basis which were then paved over with another process that focused on an alternative solution to the previous ones. Management in the sales and marketing departments rarely, if never logged in. The CFO questioned the cost because he had never seen a report, a dashboard, a closed opportunity, or ever heard one good thing from any of the users about the effectiveness of the system. The data was so riddled with duplicates that the Marketing department hired hourly wage interns to hand scrub their campaign lists by manually typing in each name to get the lead/contact Ids for campaign member creation when Demand Tools was an active vendor.

The completed activities were pretty much worthless in terms of exposing the value to the sale as most were dropped in from Outlook on an email by email basis with no status or description as to the value of the interaction with a customer/client. This meant that anyone seeking to find out where the company was with this customer, had to sift through dozens and dozens of emails logged as tasks and make their own determination. Try having the company subpoenaed and having to to print those emails out one by one!

Few sales teams added Contact Roles to Opportunities which meant that the campaign ROI from responses were broken in the system but that was okay because the Marketing department didn’t put the actual costs of their campaigns in there anyway. And worst of all, the whole thing was all pointless. That’s right. My job and the Salesforce org was pointless because the sales teams executed the actual deal closings through emails directly to the contracts fulfillment department and the sales people were reimbursed from another system, again through emails and phone calls, all of which took place completely outside of Salesforce. This means that closed opportunities, while mandated by Sales Management, were an administrative burden to the sales teams, often put into the system weeks after they had closed and did not have the actual in process data that, when enforced and required by validation and workflow, results in that ever valuable analysis of why a deal closed or didn’t.

And no one at the top knew enough about the system to ask the right questions or even interpret my conveyance of the issues intelligently enough to plan out a functional sales process that would have saved them countless hours of analysis and administrative headaches as they constantly rushed around putting questionable numbers together from multiple data sources throughout the company.

The bottom line is that there is a much, much better way to do things and it begins with executive level buy in and commitment to hammering out a solid, no leaks sales process that flows through Salesforce, a process that focuses strongly on data integrity both on the front and back ends, and one that passes information automatically to all parties and systems necessary to get a deal closed and retain all information related to the deal inside the CRM system of record for future analysis and retrieval. Having this executive level commitment is the first step to success and if you don’t have it, you may as well hang up your keyboard and start picking numbers out of the phone book again.

 

PHOTO: Broken glass © by liknes

1. GET EXECUTIVE BUY IN OR GET OUT (click here to read)


2. GET THE SYSTEM PERMISSIONS AND DATA ACCESS RIGHT NAILED DOWN (click here to read)


3. MAP OUT YOUR SALES PROCESS ON PAPER AND GET ALL STAKEHOLDER TO AGREE (click here to read)


4. PLAN YOUR IMPLEMENTATION


5. AUTOMATE EVERYTHING THAT YOU CAN THROUGH CONFIGURATION


6. IDENTIFY CHAMPIONS FROM EACH OF YOUR BUSINESS SEGMENTS


7. GET A GOOD ADMINISTRATION TEAM


8. TRAIN YOUR USERS AND WAIT FOR THEM TO LET YOU TRAIN THEM MORE


9. ASK FOR IDEAS TO IMPROVE FROM YOUR USERS AND CUSTOMERS AND THEN USE THEIR IDEAS TO IMPROVE THE SYSTEM DRIP BY DRIP


10. STOP WHINING AND START CHATTING


11. DOCUMENT EVERYTHING IN COMMON LANGUAGE THAT ANYONE CAN UNDERSTAND

• Accounts vs Contacts: Finding Higher Ground in the Salesforce Sales Cloud (click here to read)