Ajax (1) Apex Class (12) Apex Trigger (2) Community (2) Home Page (1) HTML (4) Integration (3) JS (7) KB (1) Label (1) Licenses (1) Listing (1) Log (1) OOPs (5) Sharing (1) Static Resource (1) Test Class (3) URI (1) Visualforce (10)

Tuesday 7 October 2014

Difference between Roles and Profiles

Article 1:
Roles and Profiles are the two pillars in Salesforce.com on which the entire access hierarchy is based.
For a user in Salesforce.com It is mandatory to have a profile but not a role.

Profile is used for multiple things in Salesforce.com and some of the key one's are:
 
- To analyze the type of Salesforce.com license used by the user
 
- To give the access to an object. If the object level permission is missing in the profile then the user will not be able to see the records of that object inSalesforce.com
 
- To give access to Tabs, fields via FLS, General and Administrator settings
 
A role is used to maintain the role hierarchy. Role hierarchy allows the managers to see the data of the user reporting to them.

Remember:- Role hierarchy is a tool given to developer to meet the data roll up requirements. It need not be the organization role hierarchy.

Role hierarchy can be enabled or disabled for the custom objects. This will decidethat data of managers will be seen by CEO or not.

In nutshell profile give access to Object where as role give access to the 


=======================================

Article 2:

Profiles, Permission sets & Roles

What is profile?

A profile is a group/collection of settings and permissions that define what a user can do in salesforce. A profile controls “Object permissions, Field permissions, User permissions, Tab settings, App settings, Apex class access, Visualforce page access, Page layouts, Record Types, Login hours & Login IP ranges.

You can define profiles by user’s job function. For example System Administrator, Developer, Sales Representative.

A profile can be assigned to many users, but user can be assigned single profile at atime.

Types of profiles in salesforce

  1. Standard profiles: By default salesforce provide below standard profiles. We cannot deleted standard ones.

  Read Only, Standard User, Marketing User, Contract Manager, Solution Manager & System Administrator. 

  Each of these standard one includes a default set of permissions for all of the standard objects available on the platform.

  2. Custom Profiles: Custom ones defined by us. They can be deleted if there are no users assigned with that particular one.

Navigation: setup -> Administer -> Manage users -> Profiles

profile

What is Permission Sets?

Permission set is also very similar to profile. What ever you can manage at profiles (Like Object permissions, Field Permissions, User permissions, Tab settings, App settings, Apex class permission, visualforce permission) the same you can manage here also. But the main difference between these two is that user can have only one profile and can have multiple permission sets at time.

So we can define profiles to grant minimum permissions and settings that every type of user needs, then we can use permission set to grant additional access.

Examples: 

1. We have many user in your organization with some fundamental job functions. We can assign all of then with one profile that grants them all access to do their job. But some set of people are working on special apps or some special functionality, for this type of special users we can create permission sets and can be assigned to them.

2. Some users need some temporary access to specific set of  fields and objects we can create permission set with those object & field access and we can assign that specific users.

Navigation: Setup -> Administer -> Manage users -> Permission sets

permission set

What is Role Hierarchies?

A role hierarchies controls level of visibility that users have to an organization data. By defining role hierarchies we can share access to records. Users assigned to roles near the top of hierarchies like (CEO, executives and other higher level roles) get to access the data of all users who fall directly below them i hierarchy.

Role hierarchies enable following behaviors.

A manager will always have access to the same data as his or her employees, regardless of the org-wide default settings. For custom objects, you can override this behavior by deselecting the Grant Access Using Hierarchies check box. However, we want our role hierarchy to apply to all of our custom objects, so leave the check boxes selected.

Users who tend to need access to the same types of records can be grouped together—we’ll use these groups later when we talk about sharing rules.

======================================

Article 3:

Roles
In salesforce, roles are defined so as to increase the data visibility a particular user has. The data visibility can be increased using sharing rules or by building role hierarchy. Role hierarchy allows the user sitting in higher level have access of records owned by users having role lower in hierarchy. It is not mandatory that a user should have a role.

Organisation wide default sets the default access for objects, for example OWD set as private would mean that only the owner of the record can access the record. One way to grant additional access of these records to other users is through roles i.e users higher in role hierarchy would get the access of records owned by users lower in hierarchy. Other way is by writing sharing rules, wherein we can specify the logic to decide which record should be shared and with what role user. We can specify against custom objects whether the records should be shared using role hierarchy or not but this is default set for standard objects and cannot be changed. That is, standard object records will always be shared according to role hierarchy. Defining role for users is not a mandatory thing, however not defining role for a user could affect the data shown on opportunity and other reports for that user.
Summarising the points for role,
1. Role controls the level of record access user has
2. Helps extend the OWD settings for different objects
3. Sharing rules can be written to share records with particular role and subordinates
4. Defining role for user is not mandatory. 




Profiles
Unlike role,  profile is mandatory for every user in salesforce. You cannot have a user without a profile. It is the building pillar of the entire org. Profile states the objects/field permissions and also other permissions with in the org. It defines what a user can do within the org, it states the access settings and user permissions. Profile controls following -
  • Object permissions [create, delete,read, edit permissions] 
  • field permissions [view, edit]
  • Record type permission 
  • Which Apps can be viewed 
  • Login hours can be defined 
  • Ip address permissions 
  • Which tabs are visible 
  • Which page layouts can be viewed  
  • Classes, vf pages permissions
Salesforce provides some standard profiles with different set of permissions for each, we can create our own profiles to have permissions as per our requirement. New profile should be cloned from existing profile.

Difference between the two can be summarised as below
1. Role defines what user can see depending on the hierarchy(Helps in defining data visibility)
2. Profile defines what a user can do within the org(Defines various permissions)
3. Defining profile for a user is mandatory, role is not.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)