Role Security

Roles control the level of visibility a user has into your organization's data.

Depending on your sharing settings, roles can control the level of visibility that users have into your organization’s data. Users at any given role level can view, edit, and report on all data owned by or shared with users below them in the hierarchy, unless your organization’s sharing model for an object specifies otherwise. Specifically, in the Organization-Wide Defaults related list, if the Grant Access Using Hierarchies option is disabled for a custom object, only the record owner and users granted access by the organization-wide defaults receive access to the object's records.

Users that require visibility to the entire organization should be assigned the highest level in the hierarchy, for example, Executive Staff.

In general, within a role hierarchy, someone in a higher role can see records owned by users in a role below them. If those in roles below need access to records owned by someone above them, this can be accomplished with adjustments to the Sharing Settings.

NOTE – At the very least, ensure that you have a profile called Full Access under the root of the hierarchy to add all your users to. More complex role assignments can be added later.

Navigate to Setup

Click Your Name

Select Setup

 

Navigate to Roles

Under Administration Setup

Choose Manage Users

Select Roles

Views

Show in tree view

See a visual representation of the parent-child relationships between your roles. Click Expand All to see all roles, or Collapse All to see only top-level roles. To expand or collapse an individual node, click the plus (+) or minus (-) icon.

Show in sorted list view

See a list that you can sort alphabetically by role name, parent role (Reports to), or report display name. If your organization has a large number of roles, use this view for easy navigation and filtering.

To show a filtered list of items, select a predefined list from the View drop-down list, or click Create New View to define your own custom view.

To edit or delete any view you created, select it from the View drop-down list and click Edit.

Show in list view

See a list of roles and their children, grouped alphabetically by the name of the top-level role. The columns are not sortable. This view is not available for hierarchies with more than 1,000 roles.

Role related list

In the Role Detail related list:

To view the role detail page for a parent or sibling role, click the role name in the Hierarchy or Siblings list.

To edit the role details, click Edit.

To remove the role from the hierarchy, click Delete.

Role Detail

Role edit page

To edit a role, click Edit next to a role name, then update the role fields as needed (see below).

Role Fields

The above fields (listed in alphabetical order) make up a role entry.

* Some of these fields may not be visible or editable depending on your organization's permissions and sharing settings.

In the Users in Role related list:

To assign a user to the role, click Assign Users to Role.

To add a user to your organization, click New User.

To modify user information, click Edit next to a user name.

To view a user's details, click the user's full name, alias, or username.

NOTE: When Active is selected, the user can log in to Salesforce.

~ Deactivated users, such as employees who are no longer with your company, cannot log in to Salesforce.

NOTE: Removing a user from the Selected Users list deletes the role assignment for that user.

Notes on Roles

  • Every user must be assigned to a role, or their data will not display in opportunity reports, forecast roll-ups, and other displays based on roles.
  • All users that require visibility to the entire organization should belong to the highest level in the hierarchy.
  • It is not necessary to create individual roles for each title at your company; rather, you may want to define a hierarchy of roles to control access to information entered by users in lower-level roles.
  • When you change a user’s role, any relevant sharing rules are evaluated to add or remove access as necessary.
  • When an account owner is not assigned a role, the sharing access for related contacts is Read/Write, provided the organization-wide default for contacts is not Controlled by Parent. Sharing access on related opportunities and cases is No Access.
  • Users that gain access to data due to their position in hierarchies do so based on a setting in your organization-wide defaults.
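For an access review, the hierarchy rule at the top of this page and the notes above can be checked against an export of roles and users. The following is an added example, not Salesforce code: a simplified Python model in which every role name, username and function name is constructed for illustration, and which leaves out organization-wide defaults, sharing rules and manual shares.

```python
# Simplified model of role-hierarchy visibility for an access review.
# All role names and users below are constructed sample data.
# role -> parent role ("Reports to"); None marks a top-level role
ROLES = {
    "Executive Staff": None,
    "Sales Director": "Executive Staff",
    "Sales Rep": "Sales Director",
    "Support Agent": "Executive Staff",
}
# username -> (role or None, active flag)
USERS = {
    "ceo": ("Executive Staff", True),
    "dir": ("Sales Director", True),
    "rep": ("Sales Rep", True),
    "agent": ("Support Agent", True),
    "temp": (None, True),         # active user with no role assigned
    "former": ("Sales Rep", False),
}

def ancestors(role):
    """Return every role above `role` in the hierarchy, nearest first."""
    seen = []
    parent = ROLES.get(role)
    while parent is not None and parent not in seen:  # guard against cycles
        seen.append(parent)
        parent = ROLES.get(parent)
    return seen

def hierarchy_viewers(owner, grant_access_using_hierarchies=True):
    """The owner, plus active users in roles above the owner when
    hierarchy access is enabled for the object."""
    viewers = {owner}
    owner_role = USERS[owner][0]
    if grant_access_using_hierarchies and owner_role is not None:
        above = set(ancestors(owner_role))
        viewers |= {u for u, (role, active) in USERS.items()
                    if active and role in above}
    return viewers

def active_users_without_role():
    """Active users whose data would be missing from role-based reports."""
    return sorted(u for u, (role, active) in USERS.items()
                  if active and role is None)

if __name__ == "__main__":
    print(sorted(hierarchy_viewers("rep")))   # who sees rep's records
    print(active_users_without_role())        # users to assign a role
```
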

 

Additional Details:

A full explanation of security and roles is beyond the scope of this lesson.

For more detailed information, see Force.com's Overview of Roles.