What is Salesforce Security Model?

This blog will explore in detail the unique security model of Salesforce. We will discuss concepts like sharing, visibility, and access control that make Salesforce’s security model stand out. Moreover, we will look at some Salesforce security best practices that you can implement to strengthen security in your Salesforce organization.

What is the Salesforce Security Model?

The Salesforce security model determines how your data is accessed in Salesforce. It controls what data a user can view and edit based on their profile, role, and sharing settings. The security model also authenticates users and protects your Salesforce organization from unauthorized access.

The main objectives of the Salesforce security model are mentioned below:

  • The security model ensures that users can only access data that they are authorized to view. 
  • It prevents unauthorized access to your Salesforce organization.
  • The security model provides data privacy and protects sensitive data. 
  • It enables collaboration while maintaining control over who can access what.

Key Components of the Salesforce Security Model

As an integral part of the Salesforce platform, the Salesforce security model ensures the protection of sensitive data as well as the overall security of the system. With rising instances of cyber threats, Salesforce security vulnerabilities and data breaches, it is more important than ever to have a robust security model in place. The Salesforce security model encompasses several key components that work hand in hand to provide a comprehensive security approach. The key components are described below:


Authorization determines the data that a user can access based on their profile and permissions. Profiles bundle several permissions together, thus making them easier to assign to users. With profiles and permissions, you can control a user’s level of access to objects, fields, record types, and more.


Visibility settings control the records and data that a user can view and manipulate in Salesforce. At the organization-wide level, there are three main options, which are mentioned below:

  • Public Read/Write: All users can view and edit all data.
  • Public Read Only: All users can view all data, but only record owners can edit.
  • Private: Users can only view and edit their own data.


Sharing rules control record-level access in Salesforce. They allow you to make automatic exceptions to the default organization-wide sharing settings. You can use sharing rules to increase or decrease a user’s access to records based on criteria like record owner, record type, or field values.

These sharing rules provide a flexible means of opening up collaboration access while restricting visibility when needed. They come in handy when security and productivity need to be balanced, especially in large organizations with many users and diverse roles.


The process of authentication verifies a user’s identity before they can log in to Salesforce. Salesforce supports various authentication methods like username/password, multi-factor authentication, and single sign-on (SSO). Multi-factor authentication and SSO add an extra layer of security to your login process.

What Does the Salesforce Security Model Look Like?

The Salesforce security model protects information at multiple levels, from the organization down to the individual record. Organization, objects, records and fields make up four logical tiers of security that you can use to protect your organization’s information.

Here is a review of all these areas to give you the essential foundation needed to create your data protection strategy.

Organization-Level Security: Organization-level security limits who can access your Salesforce org, and when and from where. You can implement IP restrictions to limit which IP addresses users can log in from, and use access permissions to limit user sessions.

Object-Level Security: Object-level security allows administrators to control who has access to specific objects. Set access permissions on profiles, or for individual users within a profile, to protect these sensitive assets.

Field-Level Security: Profiles and permission sets also manage users' access to fields, which is helpful if you want to grant access to an object while restricting the ability to see or edit a particular field’s value.

Record-Level Security: Record-level security, also referred to as record sharing, regulates which records users have access to. Organization-wide defaults, the role hierarchy, sharing rules and manual sharing are the four main ways in which this form of access control is implemented.
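
The way the four layers combine can be sketched as a small Python model. This is an added example, not Salesforce code or code from the original article: the `User`, `Record` and `can` names, the one-manager-per-user role hierarchy and the sample users are assumptions, and record access is modeled as the organization-wide default widened by ownership, the role hierarchy and shares.

```python
# Simplified model (assumed names and data). OWD maps each organization-wide default to baseline access.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

OWD = {"Private": set(), "Public Read Only": {"read"}, "Public Read/Write": {"read", "edit"}}

@dataclass(eq=False)
class User:
    name: str
    object_perms: dict   # object -> actions, from profile plus permission sets
    field_perms: dict    # (object, field) -> actions (field-level security)
    login_ranges: list   # CIDR ranges the user may log in from
    manager: "User | None" = None   # next user up the role hierarchy

@dataclass(eq=False)
class Record:
    obj: str
    owner: User
    shares: dict = field(default_factory=dict)  # user name -> actions shared

def above_in_hierarchy(user, owner):
    node = owner.manager
    while node is not None and node is not user:
        node = node.manager
    return node is user

def record_access(user, record, owd):
    access = set(OWD[owd])
    if record.owner is user or above_in_hierarchy(user, record.owner):
        access |= {"read", "edit"}
    return access | record.shares.get(user.name, set())

def can(user, action, record, fld, source_ip, owd):
    """Return (allowed, layer): the first layer that denies, or 'ok'."""
    if not any(ip_address(source_ip) in ip_network(r) for r in user.login_ranges):
        return False, "organization"
    if action not in user.object_perms.get(record.obj, set()):
        return False, "object"
    if action not in user.field_perms.get((record.obj, fld), set()):
        return False, "field"
    if action not in record_access(user, record, owd):
        return False, "record"
    return True, "ok"

NET = ["203.0.113.0/24"]  # constructed sample data; documentation address range
mgr = User("mgr", {"Account": {"read", "edit"}}, {("Account", "Phone"): {"read"}}, NET)
rep = User("rep", {"Account": {"read", "edit"}}, {("Account", "Phone"): {"read", "edit"}}, NET, mgr)
peer = User("peer", {"Account": {"read"}}, {("Account", "Phone"): {"read"}}, NET)
acct = Record("Account", rep, {"peer": {"read"}})
```

A request succeeds only when every layer allows it, so the returned layer name shows which setting to review when access is broader or narrower than intended.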

Salesforce Standard Objects Security 

In Salesforce, standard objects like accounts, contacts, opportunities, and leads have default security settings. However, you can modify the Salesforce security settings to suit your business needs.

For instance, accounts have an organization-wide default of Private. However, you may need sales representatives to look into account records that they do not own. In such a case, you can change the default security setting to Public Read Only and implement sharing rules to grant additional access.

Sharing rules allow combinations like the ones mentioned below:

  1. Account owners can share records with an Account Team and allow them Read/Write access. 
  2. Sales Operations Managers can view all account records in their region with Read Only access.
  3. Account Sharing Groups can provide Read Only or Read/Write access to selected users across departments.

Salesforce Custom Objects Security 

For custom objects in Salesforce, you can define the organization-wide defaults when creating the object; three options are available for this.

Your default depends on your custom object’s data type and business requirements. You can then set up sharing rules to open or restrict access as needed. 

If you only want a few selected users to interact with a custom object, consider leaving the default as Private and using sharing rules to grant limited access to certain groups of users. This “whitelist” approach helps ensure tight control over sensitive data.

User Security

It is crucial to assign your users appropriate permissions, profiles, and sharing rules based on their job responsibilities. Some key considerations for user security are mentioned below:

  • For most users, choose limited profiles that provide access to only the necessary objects and permissions. Avoid assigning the System Administrator profile when possible.
  • Use permission sets to grant additional access as needed. Permission sets provide an easy way to extend a user’s access without changing their profile.
  • Use multiple profiles if a user has more than one job role. You can assign up to two profiles to a single user.
  • Review user accounts regularly and deactivate any unused accounts. This limits the possibility of abandoned but active user accounts becoming a security risk.
  • Train users on security best practices. Educate them about phishing emails, strong passwords, and other measures that they can take to help keep your organization secure.

Best Practices for Salesforce Security

Mentioned below are some key Salesforce security best practices you can implement to improve security in your Salesforce organization:

  • Use multi-factor authentication (MFA) for all logins, especially for admins. MFA adds an extra layer of protection for user accounts.
  • Assign limited profiles and use permission sets for most users. Only assign the System Administrator profile to true admins.
  • Educate users on security best practices such as strong passwords and avoiding phishing attempts. Your users are key players in defense.
  • Deactivate unused user accounts to reduce the risk of abandoned accounts becoming a security threat.
  • Use security tools like Shield Platform Encryption to encrypt sensitive fields and secure data.
  • Depending on the version, enable the security center or security health check. These tools automatically check for and remediate security risks in your organization.
  • Monitor login history and API usage for suspicious behavior. This can help identify unauthorized access attempts or compromised user accounts.
  • Regularly review sharing rules and visibility settings. Make sure that there are no open access points to sensitive data.
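
One way to act on the login-history advice above is to scan an exported login history for bursts of failed logins and for successful logins from unexpected addresses. This is an added example, not code from the original article: the CSV column names, the trusted range, the thresholds and the sample rows are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample export (times in UTC); the column layout is an assumption
SAMPLE = """Username,LoginTime,SourceIp,Status
alice@example.com,2024-07-01T09:00:00,203.0.113.10,Success
bob@example.com,2024-07-01T09:01:00,198.51.100.7,Invalid Password
bob@example.com,2024-07-01T09:02:30,198.51.100.7,Invalid Password
bob@example.com,2024-07-01T09:04:00,198.51.100.7,Invalid Password
bob@example.com,2024-07-01T09:05:00,198.51.100.7,Success
carol@example.com,2024-07-01T08:00:00,203.0.113.20,Invalid Password
dave@example.com,2024-07-01T10:00:00,192.0.2.44,Success
"""
TRUSTED = [ip_network("203.0.113.0/24")]  # assumed corporate range

def parse(text):
    rows = csv.DictReader(io.StringIO(text))
    return [dict(r, LoginTime=datetime.fromisoformat(r["LoginTime"])) for r in rows]

def failed_bursts(rows, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside one time window."""
    fails = defaultdict(list)
    for r in rows:
        if r["Status"] != "Success":
            fails[r["Username"]].append(r["LoginTime"])
    flagged = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
    return flagged

def untrusted_successes(rows, trusted=TRUSTED):
    """Successful logins whose source IP is outside every trusted range."""
    return [(r["Username"], r["SourceIp"]) for r in rows
            if r["Status"] == "Success"
            and not any(ip_address(r["SourceIp"]) in net for net in trusted)]

def review(text):
    rows = parse(text)
    bursts, outside = failed_bursts(rows), untrusted_successes(rows)
    # Accounts with both a failure burst and an untrusted success are reviewed first
    priority = sorted({user for user, _ in outside if user in bursts})
    return bursts, outside, priority
```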


The Salesforce security model provides enterprise-grade data security for your cloud data. By understanding concepts like authentication, authorization, sharing, and visibility, you can set up Salesforce security to protect your data while enabling productivity.

Review your organization’s security policies and Salesforce security settings regularly and continue educating your users on safe practices. Maintaining solid security in Salesforce is an ongoing process, but with the right approach, you can keep your organization safe and build trust with your customers.
