Table of Contents
ToggleWhat is Object Level Security in Salesforce?
Object level security in Salesforce is a mechanism that controls which users — or groups of users — can access specific objects within a Salesforce org. In Salesforce, an object is essentially a database table that stores a particular type of data (like Leads, Accounts, Contacts, or Opportunities). Object level security determines whether a user can Create, Read, Edit, or Delete records belonging to those objects.
Think of it this way: imagine your Salesforce org is a large office building. Each room in the building represents a different object (e.g., one room for Accounts, another for Cases). Object level security is the key card system — it controls which employees can even enter which rooms. Once inside the room (object), other layers of security then govern which files (records) and drawers (fields) they can access.
This is the broadest and first layer of Salesforce’s data security model — if a user is blocked from an object entirely, they can never access any record within that object, regardless of other sharing settings.
Why Object Level Security Matters
Salesforce stores enormous volumes of sensitive business data — customer contacts, financial records, contracts, support tickets, and more. Without proper object-level controls, any user in your org could potentially view, modify, or delete data that is irrelevant — or worse, sensitive — to their role.
Here’s why getting object level security right is critical:
- Data Privacy & Compliance: Regulations like GDPR, HIPAA, and SOC 2 require organizations to limit data access to only those who need it.
- Operational Accuracy: Restricting who can edit or delete records reduces accidental data corruption.
- Least-Privilege Principle: A foundational security best practice — users should have only the minimum access required to perform their job.
- Audit Readiness: Well-configured security settings make it easier to pass internal and external audits.
For Salesforce Admins, mastering object level security is not optional — it is one of the core responsibilities of the role and a heavily tested topic in the Salesforce Administrator Certification exam.
Salesforce Security Model: Where Object Level Fits In
Salesforce uses a layered security model to protect data at multiple levels. Object level security sits at the top of this hierarchy — it is the widest net. Here’s how the layers stack:
| Security Layer | What It Controls |
|---|---|
| Organization Level | Login access, IP restrictions, session settings |
| Object Level | Access to entire objects (tables) — can a user see Accounts at all? |
| Field Level | Access to specific fields within an object — can a user see the Revenue field? |
| Record Level | Access to individual records — can a user see a specific Account record? |
Object level security is configured before field and record level security even applies. If a user has no Read access to the Leads object, they will never encounter a Lead record or its fields — regardless of sharing rules.
How Does Object Level Security Work in Salesforce?
Object level security in Salesforce is set and enforced through two primary mechanisms: Profiles and Permission Sets. Together, these two tools give Salesforce Admins granular control over what objects each user can interact with — and in what ways.
Profiles in Salesforce
What is a Profile?
A Profile is a collection of settings and permissions that controls what a user can see and do in Salesforce. Every user in Salesforce must be assigned exactly one profile — it forms the baseline of their access. You can think of a profile as a job role template: all Sales Representatives share one profile, all Support Agents share another.
Profiles control a wide range of settings, including:
- Object Permissions (what objects a user can access and how)
- Field Permissions (which fields are visible or editable)
- User Permissions (system-level capabilities like “Run Reports” or “Manage Users”)
- Tab Settings (which tabs are visible)
- App Settings (which apps appear in the App Launcher)
- Apex Class Access
- Visualforce Page Access
- Page Layouts and Record Types
- Login Hours and Login IP Ranges
Standard vs. Custom Profiles
Salesforce ships with a set of Standard Profiles that are available by default in every org. These include:
| Profile | Description |
|---|---|
| System Administrator | Full access to all objects and data, including “View All Data” and “Modify All Data” permissions. The most powerful profile. |
| Standard User | Read, Create, Edit, and Delete permissions on most standard objects. |
| Read Only | Read-only access — similar to Standard User but users cannot create or edit records. |
| Marketing User | Standard User permissions plus additional marketing-related capabilities. |
| Contract Manager | Standard User permissions plus contract management capabilities. |
| Solution Manager | Standard User permissions plus solution management access. |
Important: Standard Profile object permissions cannot be edited. If you need a customized permission set, the best practice is to clone a standard profile, give it a new name, and then customize the copy to suit your organization’s requirements.
How to Navigate to Profiles
- Go to Setup
- In the Quick Find Box, type Profiles
- Select Profiles from the results
- Click on the profile name to view or edit its settings
Key Rules About Profiles
- Every user must be assigned to one and only one profile at a time.
- A profile can be assigned to multiple users.
- When a custom object is created, most profiles (except those with “Modify All Data”) do not automatically gain access to that custom object — an Admin must explicitly grant it.
- Every profile should have at least one visible app.
- If an app is visible in a profile, its tabs will only appear if the profile also has permission to view the related objects.
Permission Sets in Salesforce
What is a Permission Set?
A Permission Set is a collection of permissions and access settings that can be granted to users in addition to what their profile already provides. Think of a permission set as a way to give a user an extra key to certain rooms — without changing their main access card (profile).
Permission sets are ideal when:
- A user needs temporary access to an object for a specific project
- A small subset of users with the same profile needs slightly different access
- You want to avoid creating dozens of very similar custom profiles
Key Characteristics of Permission Sets
- Can only be used to grant permissions — they cannot be used to revoke permissions already set at the profile level.
- Can be assigned to individual users (not to profiles).
- A user can be assigned multiple permission sets simultaneously.
- Permissions sets can grant Read, Create, Edit, Delete, View All, and Modify All access to objects.
How to Create a Permission Set
- Go to Setup
- In the Quick Find Box, type Permission Sets
- Click New
- Enter a label and description
- Configure the object permissions as needed
- Assign the permission set to the relevant users
Real-World Use Case
Consider a user in the Marketing department whose profile restricts access to the Leads object. A campaign is launching, and they need temporary read access to Leads for analysis. Rather than changing their profile (which would affect all Marketing users), the admin creates a permission set granting Read access to Leads and assigns it solely to this user. Once the project concludes, the permission set can simply be unassigned.
Permission Set Groups
Permission Set Groups are a more advanced feature that allows administrators to bundle multiple permission sets together into a single entity. This simplifies the management of access for users who require a large combination of permissions.
Why Use Permission Set Groups?
- Reduces the overhead of assigning many individual permission sets to users
- Allows for centralized management — update the group once, and all assigned users get the change
- Supports muting permission sets within a group to remove specific permissions if needed (available in certain editions)
How to Create a Permission Set Group
- Go to Setup > Permission Set Groups
- Click New Permission Set Group
- Give the group a label and description
- Add existing permission sets to the group
- Assign the group to users as needed
Object Permissions: CRUD and Beyond
Object level security in Salesforce revolves around a set of specific permissions that can be granted or denied on any object. Here is a complete breakdown:
| Permission | What It Allows | Respects or Overrides Sharing? |
|---|---|---|
| Read | View records of the object | Respects sharing |
| Create | View and create new records | Respects sharing |
| Edit | View and modify existing records | Respects sharing |
| Delete | View, edit, and delete records | Respects sharing |
| View All | View all records of the object, regardless of sharing settings | Overrides sharing |
| Modify All | Read, edit, delete, transfer, and approve all records regardless of sharing | Overrides sharing |
The Power of "View All" and "Modify All"
View All and Modify All are considered “super permissions” because they bypass Salesforce’s entire sharing model. When a user is granted Modify All on an object, they can perform any operation on any record of that object — including records owned by other users — no matter what the org-wide defaults, role hierarchy, or sharing rules say.
Admin Best Practice: Grant View All and Modify All sparingly and only when there is a clear business justification. Overuse of these permissions defeats the purpose of your carefully designed security model.
Object Level Security vs. Record Level Security vs. Field Level Security
A common point of confusion for Salesforce students and admins is understanding the difference between the three main Data security layers. Here’s a clear comparison:
Object Level Security
- Scope: Entire object (e.g., all Opportunity records)
- Tool: Profiles and Permission Sets
- Question it answers: “Can this user access the Opportunities object at all?”
Field Level Security
- Scope: A specific field within an object (e.g., the “Annual Revenue” field on Account)
- Tool: Profiles and Permission Sets (Field-Level Security settings)
- Question it answers: “Can this user see or edit the Annual Revenue field on any Account they can access?”
Record Level Security
- Scope: Individual records (e.g., one specific Account record)
- Tools: Org-Wide Defaults (OWD), Role Hierarchy, Sharing Rules, Manual Sharing
- Question it answers: “Can this user access this particular Account record?”
All three layers work together and in sequence: object → field → record. A user cannot access a field or record they don’t have object-level permission to view in the first place.
Best Practices for Managing Object Level Security
Implementing object level security well is as much about governance as it is about configuration. Here are the top best practices every Salesforce Admin should follow:
1. Follow the Principle of Least Privilege Always start with minimal access and add permissions only as business needs dictate. It’s easier to grant access than to clean up a data breach caused by over-permissioning.
2. Never Directly Edit Standard Profiles Standard profiles cannot have their object permissions changed. Always clone a standard profile, rename it appropriately, and customize the clone.
3. Use Permission Sets Over Custom Profiles Where Possible Instead of creating a new custom profile for every unique access combination, use a base profile supplemented by permission sets. This keeps your profile list manageable and your security model flexible.
4. Document Your Security Model Maintain a data dictionary or security matrix that maps roles to objects and permissions. This is invaluable during audits and when onboarding new team members.
5. Regularly Audit Permissions Periodically review who has access to what, especially for high-sensitivity objects. Users change roles, projects end, and access that was once needed may no longer be appropriate.
6. Be Extremely Cautious With View All and Modify All These permissions override sharing rules entirely. Reserve them for administrators and designated power users with a clear, documented business need.
7. Test in a Sandbox First Always test permission changes in a sandbox environment before deploying to production. An unintended permission change can lock users out — or expose data they shouldn’t see.
Key Points Every Salesforce Admin Must Remember
- Object level security is the first and broadest layer of Salesforce’s security model.
- Every user must be assigned exactly one profile.
- Standard profile object permissions cannot be edited — always clone and customize.
- Permission sets add permissions; they cannot remove what a profile grants.
- Permission sets are assigned to users, not profiles.
- View All and Modify All override sharing rules — use with extreme caution.
- When a custom object is created, access is not automatically granted to most profiles.
- Permission Set Groups streamline management when users need many permissions combined.
FAQs About Object Level Security in Salesforce
Q: What is the difference between a profile and a permission set in Salesforce? A profile is the baseline permission set assigned to every user — it defines their default access. A permission set extends that access by adding extra permissions to specific users without changing their profile. Every user has one profile; a user can have multiple permission sets.
Q: Can I use a permission set to remove access granted by a profile? No. Permission sets can only grant additional permissions. To restrict access below the profile level, you need to modify the profile itself or assign the user to a different profile.
Q: What happens if a user has no permissions on an object? If a user’s profile grants no permissions on an object (no Read, Create, Edit, or Delete), the object’s tab, records, and related lists will be entirely invisible to that user.
Q: Does object level security override sharing rules? Partially. Standard permissions (Read, Create, Edit, Delete) respect sharing rules. However, View All and Modify All override sharing rules and allow access to all records of an object.
Q: How many permission sets can be assigned to a single user? There is no hard limit on the number of permission sets you can assign to a user, though practical limits exist based on your Salesforce edition and license type.
Q: Is object level security relevant for the Salesforce Admin Certification exam? Absolutely. Object level security, along with field level security and record level security, is one of the most important and heavily tested topics in the Salesforce Certified Administrator exam.
Ready to Master Salesforce Security?
Understanding object level security in Salesforce is just one piece of the puzzle. To truly master Salesforce administration — and to pass the Salesforce Certified Administrator exam — you need a structured, hands-on learning path that covers every critical concept: data security, automation, reports, dashboards, and much more.
If you’re serious about building a Salesforce career or earning your Admin certification, the Salesforce Admin Certification Course at MyTutorialRack is your complete roadmap to success.
What you’ll learn:
- The complete Salesforce security model — Organization, Object, Field, and Record levels
- Profiles, Permission Sets, and Permission Set Groups — with real-world examples
- Org-Wide Defaults, Role Hierarchy, Sharing Rules, and Manual Sharing
- Salesforce automation tools: Flows, Process Builder, Workflow Rules
- Reports, Dashboards, and Data Management
- Hands-on practice with a real Salesforce org
- Exam-focused preparation aligned with the latest Salesforce Admin exam guide.
Why choose MyTutorialRack?
- Taught by experienced Salesforce professionals
- Beginner-friendly yet comprehensive enough for professionals upskilling
- Structured curriculum designed specifically to help you pass the Salesforce Admin certification
- Practical, scenario-based lessons that mirror real-world admin tasks
Whether you’re a complete beginner or an experienced IT professional looking to transition into the Salesforce ecosystem, this course gives you everything you need to get certified and land your dream Salesforce job.
Conclusion
Object level security in Salesforce is the cornerstone of your org’s data protection strategy. By using Profiles, Permission Sets, and Permission Set Groups effectively, Salesforce Admins can ensure that every user has exactly the access they need — no more, no less.
To recap the essentials:
- Object level security controls access to entire objects via profiles and permission sets.
- Profiles set the baseline; permission sets extend it.
- CRUD permissions respect sharing rules; View All and Modify All override them.
- Best practice is to follow the principle of least privilege and audit regularly.
This is a topic that every Salesforce professional — whether you’re studying for your Admin certification or working as an org admin today — must know inside and out. Start building your expertise now, and take your Salesforce skills to the next level with structured, certified training.





