2. Open up access to particular records for particular users.

To lock down records, the Force.com platform provides a concept known as organization-wide defaults, usually referred to as org-wide defaults. As the name implies, this specification defines the default access to all records in an object for all users. There are three settings for org-wide defaults:

• Public Read/Write allows all users to read and write data to all the records in an object.

Caution: This org-wide default does not grant delete, transfer or share permissions. These are only available to owners of a record.

• Public Read allows all users to read all the records in an object.

• Private only allows the owner of the record, and users with the appropriate permissions, such as Edit All Data or View All Data, to view or edit a record in the object.

By default, all custom objects are created with an org-wide default setting of Public Read/Write. You can change org-wide defaults through the page accessed by Setup ➤ Security Controls ➤ Sharing Settings ➤ Edit, shown below.

Figure 117: Editing org-wide defaults

Protecting Your Data
The org-wide default you choose should be based on an analysis of the intended usage of the data. Since org-wide defaults are used to lock down data, select the setting that matches the least amount of access granted to the least privileged user of your organization. If all users of your organization are allowed to edit all records in an object, then the Public Read/Write setting is appropriate for the org-wide default. If all users of your organization are able to read all records in an object, but are not allowed to edit some of the records, the Public Read setting is appropriate. If any of the users of your organization are not allowed to read or write any of the records in an object, the Private setting is appropriate.

Tip: Remember, the sharing settings are used to grant differential access to individual records within an object. If a user is not allowed access to any records in an object, you can simply not grant their profile any permissions on the object. Record-based permissions cannot override component permissions. For instance, if you do not want a user to be able to see any Position records, deny them access to the Position object. If the user is able to see some Position records, allow them the appropriate access at the object level but then limit their access to records through sharing.

The diagram shown below explains the decision flow for selecting an org-wide default for an object.

Chapter 7: Protecting Your Data
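The decision flow described above, worked through as an added Python example (not code from the book or from the Force.com platform). It goes one step beyond the text by also listing the record-level sharing grants still needed once the default is chosen. The names Access and plan, the three-level access model, and the sample users and Position records are assumptions constructed for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0   # user must not see the record
    READ = 1
    EDIT = 2

# Org-wide default that gives every user exactly this baseline access.
OWD = {Access.NONE: "Private", Access.READ: "Public Read",
       Access.EDIT: "Public Read/Write"}

def plan(required, owners, has_object_perm):
    """Return (org-wide default, sharing grants still needed).

    required:        {user: {record: Access}}  access each user must have
    owners:          {record: user}            owners always keep access
    has_object_perm: users whose profile grants access to the object
    """
    baseline = Access.EDIT
    for user, records in required.items():
        if user not in has_object_perm:
            # Record sharing cannot override a missing object permission.
            if any(a > Access.NONE for a in records.values()):
                raise ValueError(f"{user} needs object permission first")
            continue  # locked out at the profile level; ignore for the default
        for record, access in records.items():
            if owners.get(record) != user:
                baseline = min(baseline, access)  # least privileged user wins
    grants = sorted(
        (user, record, access.name)
        for user, records in required.items() if user in has_object_perm
        for record, access in records.items()
        if access > baseline and owners.get(record) != user
    )
    return OWD[baseline], grants

# Constructed sample: two Position records and four users.
OWNERS = {"P-1": "recruiter_a", "P-2": "recruiter_b"}
REQUIRED = {
    "recruiter_a": {"P-1": Access.EDIT, "P-2": Access.READ},
    "recruiter_b": {"P-1": Access.READ, "P-2": Access.EDIT},
    "interviewer": {"P-1": Access.READ, "P-2": Access.NONE},
    "contractor":  {"P-1": Access.NONE, "P-2": Access.NONE},
}

if __name__ == "__main__":
    print(plan(REQUIRED, OWNERS, {"recruiter_a", "recruiter_b", "interviewer"}))
```

In this sample the interviewer must not see P-2, so the default falls to Private and every other read is expressed as an explicit grant; the contractor is excluded at the profile level and does not influence the default.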
Figure 118: Decision flow for setting org-wide defaults

Sharing

You use org-wide defaults initially to lock down the data in an object, since the core goal of security is to prevent unauthorized access to critical data. You can think of org-wide defaults as adding a door to a room where your precious data is kept — a solid door that is locked (private), a door made of glass and locked (read-only) or a door that is left open (read-write access). The Force.com platform gives you a way to share a key to open that door with individual