Salesforce is the most popular CRM platform in the world for a good reason, but you’ll need to make the right data available to the right people on your team. As such, you’ll need to get your security and permissions right with roles in Salesforce.
In Salesforce, roles, profiles, and permission sets work together to help you determine your permissions and ensure proper security. They form the foundation of what data your users can view and use. But what exactly are roles in Salesforce? How do they work? How do they compare with profiles? This post will walk you through everything you need to know!
What Are Roles in Salesforce?
Salesforce roles are record-level access controls that define what data a user can see in Salesforce. In other words, roles can be used to determine the visibility access of the user and the data they can access in your Salesforce CRM organization. Let’s consider how you can use roles to do this.
Every organization has default visibility settings determining the access levels for every object in the organization. These defaults are known as the organizational-wide default, and we recommend setting them to the most restrictive settings. In this way, you’ll have the most secure settings and can open access to those users who need it.
You can then increase data visibility through roles by using the role hierarchy in Salesforce. Role hierarchy determines what level of access a user will have relative to other users in the organization. Generally, you’ll have access to your data and the data of anyone below you in the hierarchy.
For example, let’s look at a sales rep and a sales manager, who are at different levels in the hierarchy. Because they are higher in the hierarchy than the sales rep, the sales manager will have access to their own and the rep’s data. Conversely, the sales rep will only have access to their data and anyone below them in the hierarchy.
In addition to the role hierarchy, you can use sharing rules to customize your access levels even further. These sharing rules extend horizontal access across different levels of the hierarchy. For example, using the sales rep and sales manager example above, the sales manager will have higher access levels than sales reps, but you can give certain reps more access by using sharing rules.
Salesforce Roles vs. Profiles: What’s the Difference?
Now that we’ve looked at roles and how they work, it’s also essential to understand what Salesforce profiles are and how they differ from roles. In contrast to roles, Salesforce profiles determine what users can do with objects in the organization. So, in simple terms, roles determine what users can see, while profiles determine what users can do.
Depending on the user’s profile, they’ll be able to create, read, edit, or delete data. You can customize these settings for every profile. For example, you can determine that some profiles can view and edit data but not create or delete it. To customize these settings, you’ll use either standard or custom profiles.
Considering the above, both roles and profiles are used for security and permissions, but they do it in different ways. To sum up, there are four main differences between profiles and roles in Salesforce:
- Access control. Roles in Salesforce are record-level access controls that determine the visibility access of specific users. Conversely, Salesforce profiles provide object and field-level access controls determining whether issuers can create, read, edit, or delete records.
- Mechanism. Roles follow a hierarchy, with higher-up users having more permission than users lower on the hierarchy. In contrast, profiles do not follow any type of hierarchy, and permissions are set on a profile basis.
- Interdependence. A user’s role always depends on their profile, while a profile can be independent of their role.
- User requirement. Profiles are mandatory for all users, while roles are only optional.
Where Do Permission Sets Fit in?
Think of permission sets as add-ons to profiles that give you more flexibility in managing permissions. You can quickly and easily give users permissions without creating new profiles if you group specific permissions in sets.
To illustrate this concept better, let’s look at a simple example. Let’s say you have a sales team, and all the reps on the team have the same permission. Thus, they’ll all have the same profile, which we’ll call Sales Rep.
Now, let’s say you only want to give Tom, one of your sales reps, the ability to change the team’s email templates. So, instead of creating a separate profile for Tom, you’ll create a permission set that allows Tom to do this. Once done, you’ll add this permission set to Tom’s user record.
How to Create Roles in Salesforce
Let’s look at how you’ll create roles and a role hierarchy. In this example, we’ll set up a role hierarchy with Managing Director at the top, General Manager in the middle, and the Marketing and Sales Manager at the bottom.
To start, we’ll click on Setup in the top-right corner of our Salesforce dashboard. On the Setup screen that opens, we’ll find and click on Users in the left-hand side menu. This will expand the Users submenu. In this menu, we’ll click on Roles, which will open the Understanding Roles page. Here, we’ll click on Set Up Roles.
We’ll see our existing hierarchy on the Creating Role Hierarchy page. For this example, we’ll delete all the roles by clicking on Del after the role’s label. This leaves only the organization name.
To create our new hierarchy, we’ll create the first role – Managing Director. We’ll click on Add Role under the organization’s name to do this. This will open the New Role screen, where you can provide a name and label for the role and to who it reports.
So, the name and label for the role will be Managing Director, and because it’s at the top of the hierarchy, we’ll enter the name of the organization as the person this role reports to. Once we’ve entered the details, we can click on Save, which will take us to the Role Detail page.
We can now navigate to the Creating Role Hierarchy page to create the next role – General Manager. To do this, we’ll click on Add Role under Managing Director. On the New Role page, we’ll enter a name and label as before and select a role to which the role reports. In this case, the name and label will be General Manager, and the role will report to the Managing Director. Once done, we’ll click on Save.
On the Creating Role Hierarchy Page, we can then add the other roles. Here, we’ll create both the Sales and Marketing Manager roles as we did above. So, we’ll give each a name and a label, and they’ll both report to the General Manager.
In this simple example, the Managing Director will have the highest level of access and, as such, have access to all the data of the General, Sales, and Marketing Manager. Conversely, the Sales and Marketing Managers will have the lowest levels of access and will only have access to their own data. Remember, as mentioned earlier, these are record-level access, and what they can do with the data depends on their permissions. For example, if your Marketing Managers need to be able to use Salesforce Reporting data, make sure your permissions enable them to do so.
Best Practices to Get Your Salesforce Roles and Permissions Right
For your teams to be more efficient and serve your customers better, you need to give them access to the right data at the right time. In Salesforce, this relies on your roles, profiles, and permission sets.
The best way to set everything up right with roles in Salesforce is to map out your hierarchy. Start with the highest roles, and then work your way down to independent contributors, analyzing which data they need to be able to access and use. Remember: there’s a world of difference between seeing and using data in Salesforce, so be mindful of your workflows.
Similarly, pay attention to the Salesforce AppExchange apps and integrations you use. For example, your sales reps may need to modify data to log their external emails into Salesforce. This seems like a little detail, but proper permissions are crucial to avoid obstructing workflows.
Finally, keep your hierarchy simple. Try to keep it under 10 levels whenever possible to avoid creating intricate structures that get more complex with every new profile or permission set.
Setting up roles in Salesforce is an ongoing process, but with a little organization and prior planning, you’ll establish the foundations your team needs to succeed.