Why fine-grained permissions matter
"Our Finance team needs to see contract values on every Opportunity for revenue recognition. Our SDRs, who just qualify leads, absolutely should not see that number. I don't want to rely on people just 'not looking.'"
Relying on trust or training to keep sensitive data private doesn't scale and doesn't survive an audit. Access needs to be enforced by the system itself, consistently, everywhere the data could appear.
Anatomy of the two-tier model
Every user has exactly one mandatory Profile: the baseline. Permission Sets layer additional grants on top of that baseline, but they can only add access, never take it away.
| Layer | Controls | Can it restrict below the other layer? |
|---|---|---|
| Profile | Object CRUD, field-level read/edit, app access, tab visibility, system flags | N/A (this is the baseline) |
| Permission Set | Extra grants layered on top for specific users | No: additive only, can never remove a Profile's access |
Key Profile flags to know:
| Flag | Effect |
|---|---|
| isSystemAdmin | Full unrestricted access; bypasses every other check |
| canViewAllData / canModifyAllData | See or edit every org record regardless of ownership |
| canCustomizeApplication | Manage objects, fields, layouts, and apps |
| marketingAccess | Unlocks Marketing Studio routes |
ADMIN bypasses profile checks entirely, regardless of what their assigned Profile says. This is useful for platform operators, but assign it sparingly.
Hide a sensitive field from one profile
contract_value__c (or any sensitive custom field): uncheck "Can Read" for this profile.
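The two-tier model above, as an added Python example (not the product's own code), showing why unchecking "Can Read" on a profile does not hide the field from a user whose Permission Set grants it back. The class names, the `role` attribute, the assumption that a Permission Set can carry a field-level read grant, and the sample users are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    readable_fields: frozenset = frozenset()
    is_system_admin: bool = False      # models the isSystemAdmin flag

@dataclass(frozen=True)
class PermissionSet:
    name: str
    readable_fields: frozenset = frozenset()   # additive grants only

@dataclass(frozen=True)
class User:
    name: str
    profile: Profile                   # exactly one, mandatory
    permission_sets: tuple = ()
    role: str = "USER"                 # assumed attribute; "ADMIN" bypasses profile checks

def can_read(user, field_name):
    """Return (allowed, source of the grant) for one field."""
    if user.role == "ADMIN":
        return True, "ADMIN role bypass"
    if user.profile.is_system_admin:
        return True, "isSystemAdmin bypass"
    if field_name in user.profile.readable_fields:
        return True, "profile:" + user.profile.name
    for ps in user.permission_sets:    # union: a set can add, never revoke
        if field_name in ps.readable_fields:
            return True, "permission_set:" + ps.name
    return False, "no grant"

def audit_field(users, field_name):
    """Map every user to the reason they can or cannot read the field."""
    return {u.name: can_read(u, field_name) for u in users}

# Constructed sample data (not from a real org).
FIELD = "contract_value__c"
finance = Profile("Finance", frozenset({FIELD}))
sdr = Profile("SDR")                   # "Can Read" unchecked for the field
deal_desk = PermissionSet("Deal Desk", frozenset({FIELD}))
USERS = [
    User("fatima", finance),
    User("sam", sdr),
    User("dana", sdr, (deal_desk,)),   # set re-grants what the profile hides
    User("olu", sdr, role="ADMIN"),
]

if __name__ == "__main__":
    for name, (allowed, why) in audit_field(USERS, FIELD).items():
        print(f"{name:8} {'READ' if allowed else 'DENY'}  {why}")
```

Running the audit per sensitive field after any profile change lists every remaining reader together with the grant that lets them in, which is the evidence an access review needs.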