About Me

I am the "IBM Collaboration & Productivity Advisor" for IBM Asia Pacific. I'm based in Singapore.

Sharing is caring - Salesforce edition

I like declarative security to give access exactly to the extent a user requires. When learning Salesforce, I discovered to my delight the portfolio of possibilities to tailor access. With great powers, as we know, come great responsibilities. Learning the Salesforce lingo can be quite daunting. So here is my little overview:

[Image: Salesforce Sharing Terminology]
  • Access to data in Salesforce is based on two principles: everything is owner based, and a generally restricted access can be extended for given conditions, but not limited. This single vector of access makes systems cleaner than the ability to add and remove privileges based on conditions. It avoids the need to resolve conflicts where condition 1 gives access, while condition 2 would remove it. Such conflict resolution rules are a security flaw in waiting (a prime vector for human error). Nevertheless, access in Salesforce needs to be well planned (how much does any role need to see: give too little and you invite data duplicates, give too much and you increase leakage risks). How to plan is another story for another time
  • Access has 3 elements: access to objects (that would be access to classes in OO), access to records (instances of a class) and access to fields (properties of a class instance)
  • Computation starts from the organization-wide settings, which are the most restrictive settings for a given organisation, and then gets extended by various means (see image above)
  • There's a general distinction between internal access and access via a community. This reflects the need to be able to interact with customers, suppliers and partners in a controlled fashion
  • Owner based: I've seen this quite often: data exists, gets used, but nobody wants to own it, the owner has left or data gets inaccessible when the owner gets deleted. All these issues don't happen in Salesforce, since no object data can exist that doesn't have an owner and owner transfer capability is baked into the platform (even rule based, but that's another story for another time)
  • Hierarchical: access rules know the role and reporting hierarchy. So access can be granted to a user and her entire reporting hierarchy including subordinates etc. Quite extensive possibilities worth exploring
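
An added illustration of the first bullet's argument (not code from the original post and not Salesforce's implementation): a simplified Python model in which record access starts at the organization-wide default and grants can only raise it, next to a grant-and-revoke model whose result depends on rule order. The user names, the `Access` levels and the rule that an owner and the owner's managers get edit access are assumptions of the model.

```python
from enum import IntEnum
from itertools import permutations

class Access(IntEnum):
    NONE = 0
    READ = 1
    EDIT = 2

# Constructed sample data: user -> manager in the role hierarchy.
MANAGER_OF = {"alice": "bob", "bob": "carol"}
# Constructed rules for the hypothetical user "dave": one grants, one revokes.
RULES = [("dave", Access.EDIT), ("dave", Access.NONE)]

def managers_of(user):
    """Everyone above `user` in the hierarchy."""
    chain = []
    while user in MANAGER_OF:
        user = MANAGER_OF[user]
        chain.append(user)
    return chain

def additive_access(user, owner, org_default, shares):
    """Start at the org-wide default; every grant can only raise access."""
    level = org_default
    if user == owner or user in managers_of(owner):
        level = max(level, Access.EDIT)  # model assumption: owner and managers edit
    for grantee, granted in shares:
        if grantee == user:
            level = max(level, granted)  # a lower grant never takes access away
    return level

def allow_deny_access(user, rules):
    """Contrast model: rules may grant or revoke, and the last match wins."""
    level = Access.NONE
    for grantee, granted in rules:
        if grantee == user:
            level = granted
    return level

def outcomes(fn, user, rules, *args):
    """Distinct results over every possible ordering of the rules."""
    return {fn(user, *args, list(p)) for p in permutations(rules)}

if __name__ == "__main__":
    # Additive model: one answer regardless of rule order.
    print(outcomes(additive_access, "dave", RULES, "alice", Access.NONE))
    # Grant-and-revoke model: the answer depends on which rule runs last.
    print(outcomes(allow_deny_access, "dave", RULES))
```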

As usual YMMV

Disclaimer

This site is in no way affiliated, endorsed, sanctioned, supported, nor enlightened by Lotus Software nor IBM Corporation. I may be an employee, but the opinions, theories, facts, etc. presented here are my own and are in no way given in any official capacity. In short, these are my words and this is my site, not IBM's - and don't even begin to think otherwise. (Disclaimer shamelessly plugged from Rocky Oliver)
© 2003 - 2017 Stephan H. Wissel - some rights reserved as listed here: Creative Commons License
Unless otherwise labeled by its originating author, the content found on this site is made available under the terms of an Attribution/NonCommercial/ShareAlike Creative Commons License, with the exception that no rights are granted -- since they are not mine to grant -- in any logo, graphic design, trademarks or trade names of any type. Code samples and code downloads on this site are, unless otherwise labeled, made available under an Apache 2.0 license. Other license models are available on written request and written confirmation.