🔐 Security · Module 05

Profiles & Permissions: Lock Data Down by Role, Not by Trust

Finance sees contract values. SDRs don't. Learn the two-tier permission model that makes that a configuration, not a conversation.

4 Units · ~12 min to complete · 80 pts available · 1 Badge: Access Control Architect

Unit 1 · Business Problem

Why fine-grained permissions matter

Chris Fenwick · CFO

"Our Finance team needs to see contract values on every Opportunity for revenue recognition. Our SDRs — who just qualify leads — absolutely should not see that number. I don't want to rely on people just 'not looking.'"

Relying on trust or training to keep sensitive data private doesn't scale and doesn't survive an audit. Access needs to be enforced by the system itself, consistently, everywhere the data could appear.

💡 Business outcome
Sensitive fields are hidden consistently everywhere — record pages, reports, and the API — and access changes are a config change, not a code change.

Unit 2 · How It Works

Anatomy of the two-tier model

Every user has exactly one mandatory Profile — the baseline. Permission Sets layer additional grants on top of that baseline, but they can only add access, never take it away.

| Layer | Controls | Can it restrict below the other layer? |
|---|---|---|
| Profile | Object CRUD, field-level read/edit, app access, tab visibility, system flags | N/A — this is the baseline |
| Permission Set | Extra grants layered on top for specific users | No — additive only, can never remove a Profile's access |

Key Profile flags to know:

| Flag | Effect |
|---|---|
| isSystemAdmin | Full unrestricted access — bypasses every other check |
| canViewAllData / canModifyAllData | See or edit every org record regardless of ownership |
| canCustomizeApplication | Manage objects, fields, layouts, and apps |
| marketingAccess | Unlocks Marketing Studio routes |

✅ ADMIN role is special
A user with role ADMIN bypasses profile checks entirely, regardless of what their assigned Profile says — useful for platform operators, but assign it sparingly.

Unit 3 · Hands-On Challenge

Hide a sensitive field from one profile

1. Create the profile: Setup → Profiles → New Profile — name it "Standard Sales User" (or clone an existing one).
2. Set object permissions: Grant Read/Create/Edit on Opportunity — deny Delete.
3. Hide a field: Open Field Permissions → find contract_value__c (or any sensitive custom field) → uncheck "Can Read" for this profile.
4. Assign it: Attach the profile to a test user, then log in as that user.
5. Verify: Open an Opportunity as that user — the hidden field should not appear anywhere on the record page.

🎯 Try a Permission Set
Create a Permission Set that grants Delete on Opportunity, and attach it only to your team lead — notice it adds the extra capability without needing a second profile.
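
The Unit 2 model and the Unit 3 challenge, as an added example in Python that is not the platform's own code: effective access is the union of the Profile and any Permission Sets, and the isSystemAdmin flag or the ADMIN role short-circuits every check. The class and function names, the allow-list treatment of field reads, and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Grants:
    """One layer of access; models a Profile or a Permission Set (hypothetical shape)."""
    object_perms: dict = field(default_factory=dict)     # {"Opportunity": {"read", ...}}
    readable_fields: dict = field(default_factory=dict)  # {"Opportunity": {"name", ...}}
    is_system_admin: bool = False                        # the isSystemAdmin profile flag

@dataclass
class User:
    profile: Grants                                      # exactly one, mandatory
    permission_sets: list = field(default_factory=list)  # zero or more, additive
    role: str = "USER"                                   # "ADMIN" bypasses profile checks

def bypasses_checks(user):
    return user.role == "ADMIN" or user.profile.is_system_admin

def layers(user):
    return [user.profile, *user.permission_sets]

def can(user, action, obj):
    """Union over all layers: a Permission Set can add an action, never remove one."""
    if bypasses_checks(user):
        return True
    return any(action in layer.object_perms.get(obj, set()) for layer in layers(user))

def visible(user, obj, record):
    """Drop unreadable fields; every output path (page, report, API) should call this."""
    if bypasses_checks(user):
        return dict(record)
    if not can(user, "read", obj):
        return {}
    allowed = set().union(*(l.readable_fields.get(obj, set()) for l in layers(user)))
    return {k: v for k, v in record.items() if k in allowed}

# Constructed sample data mirroring the hands-on challenge.
SALES = Grants({"Opportunity": {"read", "create", "edit"}}, {"Opportunity": {"name", "stage"}})
FINANCE = Grants({"Opportunity": {"read"}},
                 {"Opportunity": {"name", "stage", "contract_value__c"}})
DELETE_PS = Grants({"Opportunity": {"delete"}})  # Permission Set: adds Delete only
OPP = {"name": "Acme renewal", "stage": "Negotiation", "contract_value__c": 120000}
sdr = User(SALES)
team_lead = User(SALES, [DELETE_PS])
analyst = User(FINANCE)
operator = User(SALES, role="ADMIN")

if __name__ == "__main__":
    print(can(sdr, "delete", "Opportunity"), visible(sdr, "Opportunity", OPP))
```

Because there is no "deny" entry anywhere in the model, the only way to hide contract_value__c from a user is to keep it out of every layer attached to them, which is why the baseline Profile should be the most restrictive layer.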

Unit 4 · Knowledge Check

Test what you learned

1. Can a Permission Set remove access that a user's Profile already grants?
Yes, permission sets can restrict below the profile
No — permission sets can only add access, never remove it
2. Which flag gives a profile completely unrestricted access to everything?
canViewSetup
isSystemAdmin
marketingAccess