Originally published at orgdoc.dev

Salesforce permission model best practices for enterprise orgs

Let's cut to the chase: a poorly designed permission model in an enterprise Salesforce org is a ticking time bomb. I've seen it firsthand: financial services firms with overexposed profiles causing data leaks, healthcare orgs failing HIPAA audits because of role hierarchy misconfigurations, and manufacturing companies with 200+ custom objects that no one could secure properly. The cost isn't just compliance risk; it's wasted admin hours, frustrated users, and security incidents that cost millions. Here's how to get it right, based on 10+ enterprise implementations across industries.

1. Kill the "Admin" Profile for Everyone

Stop giving "System Administrator" to power users or managers. In a recent $2B healthcare client, a marketing manager with "Admin" rights accidentally deleted a critical patient data object. We replaced it with a custom profile, "Marketing Manager - Read-Only", with strict object-level permissions. Key principle: least privilege is non-negotiable. Never grant "Modify All Data" unless absolutely required (and even then, limit it to 3-5 named users and review that list regularly). Keep in mind that "Modify All Data" bypasses record sharing entirely, so "View All Data" deserves the same scrutiny.

2. Role Hierarchy Must Reflect Real Reporting Lines

Don't map roles to org charts without validation. A manufacturing client had roles structured by geography (e.g., "EMEA Sales Manager"), but their data access was based on sales territories. This caused sales reps in Germany to see French sales data. We rebuilt the hierarchy to mirror territory ownership using a custom "Territory" object and role-based sharing. Rule: roles should control record access only through the hierarchy; they are not a substitute for sharing rules. Remember that the hierarchy only opens access upward (a manager sees every record owned by people below them), so roles can never restrict access, only widen it.

3. Use Permission Sets for Granular Control (Not Profiles)

Profiles are for baseline permissions; permission sets handle exceptions. Example: a financial services client needed underwriters to access "Loan Application" objects but not "Credit Score" fields. We created a permission set, "Underwriter - Loan App Access", with field-level permissions. Because permission sets are purely additive, the Credit Score restriction lives in the baseline: the profile grants nothing on that field, and the permission set simply doesn't add it. We then assigned the set automatically from a custom field on the User object (a record-triggered flow on User, or Salesforce's user access policies, can do this) rather than by hand. Never edit profiles for minor permission tweaks; use permission sets.

4. Audit Field-Level Security (FLS) Quarterly

Custom fields often get orphaned. In one retail org, a "Customer Loyalty Points" field ended up readable by every user after a developer added it to a page layout and left field-level security open on all profiles. We implemented a quarterly SOQL audit over the FieldPermissions object (the query below uses its real field names: SobjectType, Parent, PermissionsRead and PermissionsEdit):

SELECT Field, SobjectType, Parent.Name, Parent.IsOwnedByProfile, PermissionsRead, PermissionsEdit
FROM FieldPermissions
WHERE SobjectType = 'Account' AND PermissionsRead = true

Two things to know when reading the results: a profile's FLS shows up as a row whose Parent is the profile's own hidden permission set (Parent.IsOwnedByProfile = true), and a field with no row at all for a given parent simply has no access, so the query lists exposure, not gaps. Then we compared the results against the actual business need. If a field isn't used in reports or critical processes, revoke visibility immediately.
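An added example, not code from the original article, that runs the audits from sections 1 and 4 as one script: it lists who holds Modify All Data (via PermissionSetAssignment) and flags FieldPermissions rows that grant more than an allowlist of who should see each field. The SOQL strings use real Salesforce object and field names; the records below are constructed to mirror the REST query response so the script runs offline, and the allowlist, user names and permission set names are assumptions for illustration. In a real run, feed in the `records` array from `sf data query --json` or a REST client.

```python
"""Quarterly permission audit over Salesforce PermissionSetAssignment and
FieldPermissions query results. Added example (not the article's code); the
sample rows below are CONSTRUCTED to mirror the REST query response shape."""
from collections import Counter

# Section 1: who holds Modify All Data. A profile's permissions live in a
# hidden permission set with IsOwnedByProfile = true, so this one query covers
# both profile-granted and permission-set-granted Modify All Data.
MODIFY_ALL_DATA_SOQL = (
    "SELECT Assignee.Username, PermissionSet.Name, PermissionSet.IsOwnedByProfile "
    "FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsModifyAllData = true"
)

# Section 4: every field-level grant on Account. Rows only exist where some
# access is granted; absence of a row means no access.
FLS_SOQL = (
    "SELECT Field, SobjectType, Parent.Name, Parent.IsOwnedByProfile, "
    "PermissionsRead, PermissionsEdit "
    "FROM FieldPermissions WHERE SobjectType = 'Account'"
)

# Constructed sample 'records' arrays (user names and set names are illustrative).
SAMPLE_MAD_ROWS = [
    {"Assignee": {"Username": "sysadmin1@example.com"},
     "PermissionSet": {"Name": "X00e_Admin", "IsOwnedByProfile": True}},
    {"Assignee": {"Username": "sysadmin2@example.com"},
     "PermissionSet": {"Name": "X00e_Admin", "IsOwnedByProfile": True}},
    {"Assignee": {"Username": "mkt.manager@example.com"},
     "PermissionSet": {"Name": "X00e_Admin", "IsOwnedByProfile": True}},
    {"Assignee": {"Username": "integration@example.com"},
     "PermissionSet": {"Name": "Integration_Elevated", "IsOwnedByProfile": False}},
]
SAMPLE_FLS_ROWS = [
    {"Field": "Account.Loyalty_Points__c", "SobjectType": "Account",
     "Parent": {"Name": "Loyalty Analyst", "IsOwnedByProfile": False},
     "PermissionsRead": True, "PermissionsEdit": True},
    {"Field": "Account.Loyalty_Points__c", "SobjectType": "Account",
     "Parent": {"Name": "Standard User", "IsOwnedByProfile": True},
     "PermissionsRead": True, "PermissionsEdit": False},
    {"Field": "Account.Credit_Score__c", "SobjectType": "Account",
     "Parent": {"Name": "Underwriter - Loan App Access", "IsOwnedByProfile": False},
     "PermissionsRead": True, "PermissionsEdit": False},
    {"Field": "Account.Credit_Score__c", "SobjectType": "Account",
     "Parent": {"Name": "Credit Analyst", "IsOwnedByProfile": False},
     "PermissionsRead": True, "PermissionsEdit": True},
]

# The "actual business need" (assumed): field -> {profile or permission set: max access}.
# Anything not listed is expected to have no access to the field.
FLS_ALLOWLIST = {
    "Account.Loyalty_Points__c": {"Loyalty Analyst": "edit"},
    "Account.Credit_Score__c": {"Credit Analyst": "edit"},
}
ALLOWED_MAD_USERS = {"sysadmin1@example.com", "sysadmin2@example.com"}
MAX_MAD_HOLDERS = 3  # the article's ceiling is 3-5 named users

ACCESS_RANK = {"none": 0, "read": 1, "edit": 2}


def audit_modify_all_data(rows, allowed_users, max_holders=MAX_MAD_HOLDERS):
    """Return (sorted holder usernames, findings). A finding is any holder
    outside allowed_users, plus one more if the total exceeds max_holders."""
    holders = sorted({r["Assignee"]["Username"] for r in rows})
    findings = [f"unexpected Modify All Data holder: {u}"
                for u in holders if u not in allowed_users]
    if len(holders) > max_holders:
        findings.append(f"{len(holders)} users hold Modify All Data (ceiling {max_holders})")
    return holders, findings


def audit_field_permissions(rows, allowlist):
    """Return (field, parent, granted) for every grant wider than the allowlist.
    granted is 'edit' or 'read'; an unlisted parent is allowed 'none'."""
    findings = []
    for r in rows:
        granted = "edit" if r["PermissionsEdit"] else ("read" if r["PermissionsRead"] else None)
        if granted is None:
            continue  # a row with neither flag grants nothing
        allowed = allowlist.get(r["Field"], {}).get(r["Parent"]["Name"], "none")
        if ACCESS_RANK[granted] > ACCESS_RANK[allowed]:
            findings.append((r["Field"], r["Parent"]["Name"], granted))
    return findings


def profile_exposure(rows):
    """Count, per field, how many profiles (not permission sets) can read it.
    A high count on a field nobody reports on is the orphaned-field smell."""
    return Counter(r["Field"] for r in rows
                   if r["PermissionsRead"] and r["Parent"]["IsOwnedByProfile"])


if __name__ == "__main__":
    holders, mad_findings = audit_modify_all_data(SAMPLE_MAD_ROWS, ALLOWED_MAD_USERS)
    print("Modify All Data holders:", holders)
    for f in mad_findings:
        print("  FINDING:", f)
    for field, parent, granted in audit_field_permissions(SAMPLE_FLS_ROWS, FLS_ALLOWLIST):
        print(f"FINDING: {parent} has {granted} on {field} but should not")
    print("profiles with read access per field:", dict(profile_exposure(SAMPLE_FLS_ROWS)))
```

The allowlist is the part that takes real work: it has to come from the business owners of each field, not from whatever the org currently grants, or the audit just ratifies the status quo. On the sample data the script flags the marketing manager and the integration user as unexpected Modify All Data holders, the total of four holders as over the ceiling, and two field grants (Standard User reading Loyalty Points, the underwriter set reading Credit Score) that the allowlist does not justify.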

5. Never Skip Sharing Rules for Complex Data Models

Custom objects often need dynamic sharing. A SaaS client had a "Contract" custom object where sales reps should only see contracts for their accounts. We used Apex managed sharing (not the role hierarchy) with a trigger like this one (it assumes the custom object is Contract__c with an Account__c lookup; Trigger.new does not populate relationship fields, so the account owners are queried explicitly):

// Assumes the page's "Contract" is a custom object Contract__c with a lookup
// field Account__c; custom objects get a <Object>__Share table automatically.
trigger ContractSharing on Contract__c (after insert) {
    // Relationship fields (c.Account__r.OwnerId) are not populated in
    // Trigger.new, so collect the account Ids and query their owners.
    Set<Id> accountIds = new Set<Id>();
    for (Contract__c c : Trigger.new) {
        if (c.Account__c != null) accountIds.add(c.Account__c);
    }
    Map<Id, Account> accounts = new Map<Id, Account>(
        [SELECT Id, OwnerId FROM Account WHERE Id IN :accountIds]);
    List<Contract__Share> shares = new List<Contract__Share>();
    for (Contract__c c : Trigger.new) {
        Account acct = accounts.get(c.Account__c);
        // No account, or the account owner already owns the contract: nothing to share.
        if (acct == null || acct.OwnerId == c.OwnerId) continue;
        shares.add(new Contract__Share(
            ParentId = c.Id,                 // record being shared
            UserOrGroupId = acct.OwnerId,    // grantee: the account owner
            AccessLevel = 'Read',            // 'Read' or 'Edit'; must be wider than the OWD
            RowCause = Schema.Contract__Share.RowCause.Manual
        ));
    }
    // allOrNone = false: one failed share row does not roll back the rest.
    Database.insert(shares, false);
}

Without this, reps saw contracts for accounts they didn't own, because the only way to give them access was an org-wide default open enough to expose everyone's contracts. The pattern is: set the object's org-wide default to Private, then grant access back programmatically. Two caveats: the trigger fires only on insert, so a change of account owner needs a matching process (a trigger on Account or a scheduled recalculation) to re-share, and shares with the Manual row cause are dropped when the contract's own owner changes. Complex sharing needs = Apex managed sharing or Territory Management, not just standard sharing rules.

The Bottom Line

Enterprise permission models aren’t about "securing the system"—they’re about enabling business processes while preventing accidental data exposure. It’s not glamorous work, but skipping it costs more in the long run. If your org has more than 50 profiles, overlapping permission sets, or a "security" team that only reviews once a year, you’re already in trouble.

Stop guessing. Get a clear view of your permission model’s health. Run a free Salesforce permission health scan at orgscanner.dev—it takes 5 minutes and reveals critical gaps you’re probably missing.

📚 Recommended Resource: Salesforce for Dummies — great for anyone learning Salesforce.

📚 Recommended Resource: NIST Cybersecurity Framework Guide — great for anyone learning about security frameworks.


Need a second opinion on your Salesforce org? Request a diagnostic.