Driving Data Access: Profiles vs Roles


One of the first things that someone new to administering Salesforce will need to learn is how to manage data access by using and controlling profiles and roles. Unfortunately it can also often be one of the steepest learning curves, and if you’re anything like me you’ll be up and running on things like custom fields, layouts, workflows and validation rules long before you truly understand the differences between the two.

There are several very good articles out there that explain the nuances of profiles, permission sets, org-wide defaults and roles (a few are linked below), and we’re not going to reinvent the wheel here. Instead I just wanted to put forward one analogy that really helped me to get the concepts straight in my head when I was learning, in case it helps others.

To lay down the basics, let’s start by saying that profiles and permission sets control what you can do in Salesforce, and org-wide defaults and roles control what you can do it to (or, put another way, what you can see).

So the analogy I like to use is driving a car. A profile is like a driving licence: it gives you the right to drive cars and even sets out what kind of vehicles you’re allowed to drive. In contrast, a role is like owning a car, or being given someone’s keys: it gives you access to drive this particular car.

But even once that is understood, many people still struggle with some of the theory behind the concepts. Just today I answered a question on the Answers forum from somebody wanting to know which ‘wins’ or which one overrides the other. The simple answer is that they control different things and therefore neither ‘wins’ – it is the intersection of what they both allow which dictates what each user can do. Just because I have a driving licence doesn’t mean I can drive your car, and just because I get hold of someone’s car keys doesn’t mean I’m legally allowed to be on the road.

However, there is one thing we should point out. Some profiles (typically those reserved for system administrators) have a couple of permissions – View All Data and Modify All Data – which do override the role hierarchy and org-wide default sharing. Think of these super-permissions as a kind of super-licence: just by flashing my pass, I can take your car and do what I please with it.

“Stop right there, sir; I’m commandeering this vehicle!” (Quote taken from the yet-to-be-commissioned film Driving Data Access: A Day in the Life of a Salesforce Admin.)
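
As an added illustration (not code from the original post or from Salesforce), the sketch below models the licence check, the keys check and the super-permission override in simplified form, so you can see that access is the intersection of the two checks. The role names, users, org-wide default values and function names are all constructed for the example.

```python
# Simplified model built for illustration; not Salesforce's actual sharing engine.
from dataclasses import dataclass

ROLE_PARENT = {"Sales Rep": "Sales Manager", "Sales Manager": "CEO", "CEO": None}
OWD = {"Account": "Private", "Campaign": "Public Read Only"}  # org-wide defaults

@dataclass
class Profile:
    object_perms: dict            # object name -> set of allowed actions
    view_all_data: bool = False
    modify_all_data: bool = False

@dataclass
class User:
    name: str
    role: str
    profile: Profile

def is_above(role, other):
    """True if `role` sits above `other` in the role hierarchy."""
    parent = ROLE_PARENT.get(other)
    while parent is not None:
        if parent == role:
            return True
        parent = ROLE_PARENT.get(parent)
    return False

def licence_allows(user, action, obj):
    """Profile check (the licence): what the user can do."""
    return action in user.profile.object_perms.get(obj, set())

def keys_allow(user, action, obj, owner):
    """Sharing check (the keys): which records the user can do it to."""
    p = user.profile
    if p.modify_all_data or (p.view_all_data and action == "read"):
        return True               # super-permissions skip the sharing check
    if user.name == owner.name or is_above(user.role, owner.role):
        return True               # record owner, or above the owner in the hierarchy
    d = OWD[obj]
    return d == "Public Read/Write" or (d == "Public Read Only" and action == "read")

def can(user, action, obj, owner):
    """Effective access is the intersection of the two checks."""
    return licence_allows(user, action, obj) and keys_allow(user, action, obj, owner)

STANDARD = Profile({"Account": {"read", "edit"}, "Campaign": {"read"}})
READ_ONLY = Profile({"Account": {"read"}})
ADMIN = Profile({"Account": {"read", "edit"}}, view_all_data=True, modify_all_data=True)
rep, peer = User("rep", "Sales Rep", STANDARD), User("peer", "Sales Rep", STANDARD)
manager, admin = User("manager", "Sales Manager", READ_ONLY), User("admin", "Sales Rep", ADMIN)
```

Here `peer` has the licence to edit Accounts but not the keys to `rep`'s private record, while `manager` has the keys through the hierarchy but a read-only licence; only `admin` gets through on the super-permissions alone.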

Related Articles
Miss The Iceberg, Jeff May 
Backupify, Andy Wolber 
