Before you setup your Salesforce Security Model it's important that you identify in the simplest of terms what types of access and sharing will be required for your organization. Salesforce's security model is powerful and flexible enough that you can make Salesforce wide-open, locked down like Fort Knox or anywhere in-between.

Do your due diligence now and you can make your security configuration as simple as possible. If you don't, and instead define it in a hodge-podge sort of way as you go along, then maintaining your security configuration can get down-right ugly.

So first and foremost which folks should have access to the system. Simple I know, but you have to start somewhere. 

From there decide who needs access to what? Does everyone need access to Contacts and Accounts?, Do Some just need campaigns and Leads? Do others need Contacts, Accounts, and Cases? Make a spreadsheet. Put each user in the first column and a column header for each type of data. Put an X in each column that a user will need access to. See any similarities? Try to group users that share similar access needs together. This will help to define Salesforce Profiles.

The next thing to consider is how data is shared. A user might have access to Opportunities, but only those that they own. Conversely, maybe everyone should have access to all Accounts and contacts regardless of who owns them. This will help you define how open your organization is. And which parts of the data is sensitive. Should your team have the ability to share records they own with anyone they want should they so choose?

Now there are always exceptions. Perhaps everyone should have access to Contacts, and should be able to see all contact records regardless of who owns it. But perhaps there is some sensitive data on contacts that only a few users should see, such as Social Security number. You can limit access on a field by field basis to specific users. So think through the data you need to track. Are there exceptions?

Same applies for sharing. Do Sales managers need to see all opportunities regardless of who owns it? Should certain executives be able to see data owned by their subordinates that would otherwise be private? Define all exceptions. The more readily you can define these up front the better off you'll be. 

Not only can you define what types of data, and which records people can see and share, you can also control access to the system, and how tight that access is. Set password settings. Does it need to be a certain length, or contain special characters? Should it be reset every so many months? Will folks be logged out after so many minutes of inactivity? Location, location, location! will users be prohibited from logging in from anywhere other than the office or if they are remote, will they need two-factor authentication to login? Should users only be allowed to login during business hours? You can set time limits too.

Now depending on the outcome of this exercise you should be able to determine whether or not you need Professional or Enterprise edition to match your security needs. If you realize perhaps you need to upgrade, it's not too late. But there may be ways around some restrictions too.

Once you have your needs defined, and identified the proper version, you just need to implement. A little understanding of the Salesforce Security Model goes a long way. 

Security configuration can be overwhelming. And you don't want to be too cavalier if your organization's security model is anything other than wide-open. Give us a call if you need a little assistance. We'll gladly talk you through it.

Have Questions? Leave a comment below. We will get back to you with an answer.

Know someone else who might benefit from knowing what we know? Please share us with your friends