I'm starting out with force.com development, and I'm currently a little hazy about what the above terms all mean. Could someone give an overview, and if possible explain how permissions are defined on each one (if at all)?
User: a user who can login to Salesforce. Also includes customer and partner portal users.
Account: a business account, which usually represents a company and usually has child contacts (i.e. people in the company)
Role: a hierarchical group of users in an organization that is used as part of the sharing model. Users in higher roles have rights to see the records owned by users in lower roles (assuming their Profile allows it). Users do not have to belong to a role.
Profile: a collection of permissions and access rights for a user including CRUD permissions. A user must belong to exactly one profile. Also see about Permission Sets, which are a many-to-many relationship with users and augment profiles.
Owner: A user or group (queue) that owns a record. Record ownership along with the role hierarchy (and a few other things) control who can see the record.
To put it all together, you could say something like:
John Doe is a salesperson for ABC, Inc, and is a user in their organization. He is the owner of the Acme account. He has the Salesperson role, which is subordinate to the Sales Manager role, so his manager can see all his records. He has the Standard User profile, so he cannot perform administrative functions in Salesforce.
I'd also recommend that you take a look at the API doc, which explains all the entities and has relationship diagrams.
Related
If you have used Telegram messenger, you know that the owner can add several administrators to Telegram channels and groups. The owner can also change administrators' permissions, set a custom title for each admin, etc.
I am developing a Telegram bot. In its database, one person is designated as the owner of the bot. When users use the bot, their information is stored in the database. The owner of the bot can set any of these users as an administrator so that those users can execute certain commands in the administrator position in the bot. Also, the owner of the bot can determine the permissions of each administrator in a very precise manner. For example, things like the following should be considered for every administrator:
can_add_channel,
can_delete_channel,
can_edit_users_info,
can_delete_users,
etc.
It is also necessary to record the time of promotion and demotion of administrators, etc.
But I don't know how to design its database.
I only know that it should be similar to the structure that Telegram has implemented for its channels and groups to manage administrators.
I think I should have tables called users, permissions, admins, roles, etc. But I can't create a good relationship between these tables and I don't even know what columns are needed for each one.
I don't know what topic this question is about and what topic I should search on Google exactly. I need a basic and correct structure.
Please help
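An added example (not from the question or any answer) of the kind of schema the question describes: a single owner, admins with per-admin permission rows, and promotion/demotion kept as history rather than overwritten. Table and function names are my own, and the permission list is taken from the question; the sample rows in the usage are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Permissions the owner can grant per administrator (from the question's list)
PERMISSIONS = {"can_add_channel", "can_delete_channel", "can_edit_users_info", "can_delete_users"}

SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, is_owner INTEGER NOT NULL DEFAULT 0);
-- One row per promotion; demotion fills demoted_at instead of deleting, so this
-- table is also the promotion/demotion history.
CREATE TABLE admins (
    admin_id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL REFERENCES users(user_id),
    custom_title TEXT, promoted_by INTEGER NOT NULL REFERENCES users(user_id),
    promoted_at TEXT NOT NULL, demoted_at TEXT);
-- One row per granted permission; no row means not granted.
CREATE TABLE admin_permissions (admin_id INTEGER NOT NULL REFERENCES admins(admin_id),
    permission TEXT NOT NULL, PRIMARY KEY (admin_id, permission));
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _is_owner(db, user_id):
    row = db.execute("SELECT is_owner FROM users WHERE user_id=?", (user_id,)).fetchone()
    return bool(row and row[0])

def promote(db, actor, user_id, title, perms):
    """Owner promotes user_id with exactly `perms`; False if actor is not the owner."""
    if not _is_owner(db, actor) or not perms <= PERMISSIONS:
        return False
    cur = db.execute("INSERT INTO admins(user_id, custom_title, promoted_by, promoted_at) "
                     "VALUES (?, ?, ?, ?)", (user_id, title, actor, datetime.now(timezone.utc).isoformat()))
    db.executemany("INSERT INTO admin_permissions VALUES (?, ?)", [(cur.lastrowid, p) for p in perms])
    return True

def demote(db, actor, user_id):
    # Close the active row instead of deleting it, so the history survives
    if not _is_owner(db, actor):
        return False
    db.execute("UPDATE admins SET demoted_at=? WHERE user_id=? AND demoted_at IS NULL",
               (datetime.now(timezone.utc).isoformat(), user_id))
    return True

def has_permission(db, user_id, permission):
    """True only for a currently active admin that holds the permission."""
    return db.execute("SELECT 1 FROM admins a JOIN admin_permissions p USING (admin_id) "
                      "WHERE a.user_id=? AND a.demoted_at IS NULL AND p.permission=?",
                      (user_id, permission)).fetchone() is not None
```

Every bot command an admin may run should go through `has_permission`, so a demoted admin loses access the moment `demoted_at` is set.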
I have a role hierarchy in place.
The new requirement is to set up permissions for specific external users so they will not be able to see other users' records.
The sharing setting for the object is set to Private. I cannot create a user without a role. Other users should be able to see other users' (in their role) records, but only these few users should be able to see only records they own.
Any idea how to solve it?
thanks,
Chen
We are using Drupal Commerce in our website.
We have multiple roles in this website ex. Customer, Customer representative, Content editor and Admin.
Users with "Customer" roles will be allowed to purchase product and make orders, Edit profile.
Users with "Customer representative" roles will be allowed to manage all users that are having "Customer" role. Which will include profile edit of any customer, edit customer's orders etc.
We are not sure how to make this functionality working with Drupal7 and Workbench module.
Any suggestions/ideas?? Thanks in advance!
This module allows site builders to set up fine-grained permissions for allowing "sub-admin" users to manage other users based on the target user's role.
The module defines new permissions to control access to edit/delete users - more specific than Drupal Core's all-or-nothing 'administer users'. It also provides and enforces a 'create users' permission.
https://www.drupal.org/project/administerusersbyrole
I am designing a user management system where there is a very large number of users (millions) and with a small number of user groups (100s) and a small number of applications (100s).
Users can be added/removed from groups.
Users are given roles per application. For example, a user may have the GUEST role to an application, and another user may have the Administrative role to an app. Users who have a role/entitlement associated with an application can access the application.
What is the industry level approach to creating the ACL for such system.
Easiest approach I can think of is to create an xml file (or a JSON) and attach it to every user profile. For example for 'user A' it could look like:
```xml
<USER id="user A">
  <APP id="app 1"> <ROLE> GUEST </ROLE> </APP>
  <APP id="app 2"> <ROLE> ROLE1 </ROLE> <ROLE> ROLE1 </ROLE></APP>
  <GROUP id="group 1"> <ROLE> MEMBER </ROLE> </GROUP>
</USER>
```
Now there are some use cases that should be addressed, for example:
The proposed system should be able to assign an entire group of users a specific role. In this case, would I a) reference the User to a Group, and reference the Group to an App, or b) reference each user within the group to an App one by one in a loop?
I have to be able to easily see (query) the users of a group, or users accessing a particular app.
Is it better to create a separate database record for each User/App/Group relationship and store that? Something like a 'shadow' record.
What are the industry guidelines or approaches to designing ACL for such systems?
Overall I should be able to perform the following common tasks with the system:
get a user's profile and the apps and groups he is associated with
get members of a particular group, along with their roles (yes group can have roles as well)
get users of a particular app, along with their roles
remove/edit roles of every user for a particular app or group
add new users to a group
add apps to a group of users
remove app from a group of users
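An added example, not from the question, showing option (a) from it in a relational form: app roles are granted to a user or to a whole group, and the per-user "shadow" records are a view computed at query time rather than stored copies. Table, view and function names are my own; the users, groups and apps in the usage are constructed from the question's XML sample.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY);
CREATE TABLE user_groups (group_id TEXT PRIMARY KEY);
CREATE TABLE apps (app_id TEXT PRIMARY KEY);
CREATE TABLE group_members (
    user_id  TEXT NOT NULL REFERENCES users(user_id),
    group_id TEXT NOT NULL REFERENCES user_groups(group_id),
    role     TEXT NOT NULL DEFAULT 'MEMBER',
    PRIMARY KEY (user_id, group_id));
-- Option (a) from the question: an app role is granted to either one user or one
-- whole group; group members inherit it at query time, so no per-user copies exist.
CREATE TABLE app_grants (
    app_id   TEXT NOT NULL REFERENCES apps(app_id),
    role     TEXT NOT NULL,
    user_id  TEXT REFERENCES users(user_id),
    group_id TEXT REFERENCES user_groups(group_id),
    CHECK ((user_id IS NULL) <> (group_id IS NULL)));
CREATE INDEX app_grants_by_app ON app_grants(app_id);
CREATE INDEX group_members_by_group ON group_members(group_id);
-- The 'shadow' user/app/role records, computed instead of stored.
CREATE VIEW user_app_roles AS
    SELECT user_id, app_id, role FROM app_grants WHERE user_id IS NOT NULL
    UNION SELECT m.user_id, g.app_id, g.role
    FROM app_grants g JOIN group_members m USING (group_id) WHERE g.group_id IS NOT NULL;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def grant_app_role(db, app_id, role, user_id=None, group_id=None):
    """Grant an app role to one user or to a whole group (exactly one of the two)."""
    db.execute("INSERT INTO app_grants(app_id, role, user_id, group_id) VALUES (?, ?, ?, ?)",
               (app_id, role, user_id, group_id))

def revoke_app_from_group(db, app_id, group_id):
    db.execute("DELETE FROM app_grants WHERE app_id=? AND group_id=?", (app_id, group_id))

def app_users(db, app_id):
    """Users who can access the app, with their roles, direct or inherited from a group."""
    return sorted(db.execute("SELECT user_id, role FROM user_app_roles WHERE app_id=?", (app_id,)))

def user_profile(db, user_id):
    """The user's groups and apps, each with the role held."""
    return {"groups": sorted(db.execute("SELECT group_id, role FROM group_members WHERE user_id=?", (user_id,))),
            "apps": sorted(db.execute("SELECT app_id, role FROM user_app_roles WHERE user_id=?", (user_id,)))}
```

Removing an app from a group is a single row delete, and every member's effective access changes with it; looping per user (option b) would instead leave stale per-user rows to clean up.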
Is it possible to use sharing rules for users WITH profiles? Is there any use for them if users have profiles? Or does the profile completely override record access, so that I can forget about sharing rules?
I'm in situation where ALL my users have profiles. What I wanted to do was to GRANT "Edit" access for certain records to certain user groups. Is that possible?
Thanks!
A user's role dictates which records they can SEE, while their profile dictates what they can DO with those records. Typically the only case where the profile overrides the role is if their assigned profile contains one of the "View All" or "Modify All" permissions on an object.
For example, if you have a role hierarchy set up that divides different branches of your organization, it may be useful to hide the data between these branches. In this case, you would want to set the org-wide default to Read Only, and provide sharing rules that grant access on an as-needed basis (these sharing rules would be based on a user's role, public groups, or queues that they belong to).
Sharing rules also allow you to specify whether you want to grant the ability to edit records or simply view them. So in your case, you will want to create a sharing rule granting edit access on records owned by one group of users to your second group of users.
See the Overview of Sharing Settings for more information.
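An added worked example, not code from either answer on this page, that puts the first answer's definitions (owner, role, profile) and this answer's "role decides what you SEE, profile decides what you DO" rule into one toy evaluator. The role hierarchy, sharing rule, org-wide default, profiles and users are all constructed for illustration, and `access`, `is_above` and `cap` are hypothetical names, not Salesforce APIs.

```python
from dataclasses import dataclass, field

LEVELS = ["none", "read", "edit"]

@dataclass
class Profile:
    crud: set                 # object-level permissions, e.g. {"read", "edit"}
    view_all: bool = False    # "View All" on the object
    modify_all: bool = False  # "Modify All" on the object

@dataclass
class User:
    name: str
    profile: Profile          # exactly one profile per user
    role: str = ""            # users do not have to belong to a role
    groups: set = field(default_factory=set)   # public groups used by sharing rules

# Constructed role hierarchy (child -> parent) and one constructed sharing rule
ROLE_PARENT = {"Salesperson": "Sales Manager", "Sales Manager": "VP Sales"}
SHARING_RULES = [{"owner_group": "west_reps", "to_group": "auditors", "level": "read"}]
OWD = "none"   # org-wide default: "none" (Private), "read" (Read Only) or "edit"

def is_above(upper, lower):
    """True if role `upper` sits above role `lower` in the hierarchy."""
    while lower in ROLE_PARENT:
        lower = ROLE_PARENT[lower]
        if lower == upper:
            return True
    return False

def cap(level, profile):
    """The profile decides what the user can DO: clip the sharing level to its CRUD."""
    if "read" not in profile.crud:
        return "none"
    return "read" if level == "edit" and "edit" not in profile.crud else level

def access(user, owner_name, users):
    """What `user` may do with a record owned by `owner_name`: 'none', 'read' or 'edit'."""
    if user.profile.modify_all:            # the profile override the answer mentions
        return cap("edit", user.profile)
    owner = users[owner_name]
    level = max(OWD, "read" if user.profile.view_all else "none", key=LEVELS.index)
    if user.name == owner_name or (user.role and is_above(user.role, owner.role)):
        level = "edit"                     # owner, or a role above the owner's role, sees it
    for rule in SHARING_RULES:             # sharing rules only ever widen access
        if rule["owner_group"] in owner.groups and rule["to_group"] in user.groups:
            level = max(level, rule["level"], key=LEVELS.index)
    return cap(level, user.profile)
```

With a Private org-wide default a peer in the same role gets nothing, the manager above gets full access, and a sharing rule can hand a second group read or edit access that the profile then caps.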