A Comprehensive Guide to Field-Level Security in Salesforce

November 11, 2025

Salesforce is a powerful CRM tool that provides multiple layers of security to protect data and control user access. Among these security layers, Field-Level Security (FLS) is one of the most important features. FLS enables admins to restrict access to specific fields on a record, ensuring that sensitive data is only visible or editable to authorized users.

In this blog, we will explore everything about Field-Level Security in Salesforce, including its configuration at the profile level, field level, and how to use the View Field Accessibility tool. We’ll also look at where and why this feature is used and provide a step-by-step guide.

What is Field-Level Security?

Field-Level Security allows administrators to control which fields are visible or editable for users based on their profile or permission set. It operates independently of object-level permissions and page layouts, giving fine-grained control over sensitive data.

  • Key Features:
    • Hide sensitive fields (e.g., salary, social security numbers).
    • Make fields read-only for specific profiles.
    • Restrict field access for compliance purposes.
    • Works at the profile and permission set level.

How to Configure Field-Level Security

There are multiple ways to configure FLS in Salesforce:

1. Configuring Field-Level Security from the Profile Level

Go to Setup:

  • Navigate to Setup → Profiles.

Select the Profile:

  • Choose the profile for which you want to configure field-level security (e.g., Standard User, System Administrator).

Find Object Settings:

  • Scroll down to Object Settings and select the object (e.g., Account, Contact).

Edit Field Permissions:

  • Click Edit.
  • Under the Field Permissions section, set the desired permissions for each field:
    • Visible: Allows users to see the field.
    • Read-Only: Allows users to view but not edit the field.

2. Configuring Field-Level Security from the Field Level

Go to Object Manager:

  • Navigate to Setup → Object Manager → Select the desired object (e.g., Contact).

Select Fields & Relationships:

  • Choose the field for which you want to configure security.

Set Field-Level Security:

  • Click Set Field-Level Security.
  • A list of profiles will appear.
  • Select or deselect Visible or Read-Only for each profile.

3. Using the View Field Accessibility Tool

The View Field Accessibility tool allows you to see field access permissions for all profiles in one place.

Access the Tool:

  • Navigate to Setup → Object Manager → Select the object → Fields & Relationships → Click on a field → View Field Accessibility.

View Accessibility:

  • The tool displays a table of profiles and permission levels (Visible, Read-Only, etc.).

Edit Field Accessibility:

  • Click on a profile link in the table to adjust field-level security for that profile.

Using the “Where is this used?” Button for Field-Level Security

The “Where is this used?” button is only available for custom fields. It is not supported for standard fields.

The button might not be available for specific field types, such as formula fields, roll-up summary fields, or certain relationship fields, since their usage can be complex to track programmatically.

Navigate to the Field:

  • Go to Setup → Object Manager.
  • Select the object (e.g., Account, Contact).
  • Click on Fields & Relationships.
  • Choose the field you want to investigate.

Click on “Where is this used?”:

  • On the field’s detail page, click the “Where is this used?” button.

Review Field Dependencies:

  • Salesforce provides a report showing where the field is being referenced,

Where is Field-Level Security Used?

Field-Level Security is widely used in scenarios such as:

1. Protecting Sensitive Information:
  • Example: Hiding the Salary field from users in the Sales team.
2. Complying with Regulations:
  • Limit access to fields containing Personally Identifiable Information (PII) to comply with data protection laws like GDPR.
3. Customizing User Experience:
  • Make specific fields editable only for managers or admins.
4. Preventing Data Loss or Errors:
  • Restrict non-admin users from editing critical fields like Opportunity Stage.
5. Tailoring Access for External Users:
  • Control access for partner and customer portal users.

Best Practices for Field-Level Security

1. Least Privilege Principle:
  • Only grant field access to users who absolutely need it.
2. Test Field Accessibility:
  • Use the View Field Accessibility tool to ensure the correct profiles have appropriate permissions.
3. Combine with Page Layouts:
  • Field-Level Security works with page layouts to fine-tune what users can see on a record.
4. Use Permission Sets for Exceptions:
  • For temporary or specialized access, use permission sets instead of editing profiles.
5. Audit Regularly:
  • Periodically review field-level permissions to ensure they align with current business requirements.
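
For the periodic audit, field permissions can also be read from the FieldPermissions object instead of clicking through each profile. The Apex class below is an added example, not part of the original post; the class and method names are hypothetical, and any field name passed in (for instance a Salary__c custom field on Contact) is an assumption about your org.

```apex
// Added example. Class and method names are hypothetical.
public with sharing class FieldAccessAudit {

    // Returns one line per profile or permission set that grants access
    // to the field. FieldPermissions only stores rows where access is
    // granted, so a profile that is not listed cannot see the field.
    public static List<String> whoCanAccess(String objectName, String fieldName) {
        // The Field column holds the qualified name, e.g. Contact.Salary__c
        String qualified = objectName + '.' + fieldName;
        List<String> findings = new List<String>();

        for (FieldPermissions fp : [
                SELECT Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name,
                       PermissionsRead, PermissionsEdit
                FROM FieldPermissions
                WHERE SobjectType = :objectName AND Field = :qualified
                ORDER BY Parent.Name]) {

            // Every profile is backed by a permission set record, so the
            // parent tells us whether the grant comes from a profile or
            // from a standalone permission set.
            String grantor = fp.Parent.IsOwnedByProfile
                ? 'Profile "' + fp.Parent.Profile.Name + '"'
                : 'Permission set "' + fp.Parent.Name + '"';

            String level = fp.PermissionsEdit ? 'read/edit' : 'read-only';
            findings.add(grantor + ': ' + level);
        }
        return findings;
    }
}
```

Calling `FieldAccessAudit.whoCanAccess('Contact', 'Salary__c')` from Execute Anonymous and comparing the result with the intended access list shows grants that were added as exceptions and never removed.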

Testing Field-Level Security

1. Create Test Users:
  • Create users with different profiles and permission sets.
2. Simulate User Access:
  • Log in as test users or use the Login As feature to verify field visibility and editability.
3. Check Accessibility via Reports:
  • Run a report to confirm whether restricted fields appear for unauthorized users.

Limitations of Field-Level Security

1. Not Enforced in Apex or API:
  • Field-Level Security does not apply to custom Apex code or API integrations unless explicitly handled.
2. Doesn’t Control Page Layout Visibility:
  • Users may still see field labels on layouts unless removed from the layout.
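
What "explicitly handled" looks like in Apex, as an added example that is not part of the original post: Apex runs in system mode by default, so the class below puts an unchecked query next to three ways of enforcing field-level security. The Salary__c field on Contact and all class and method names are hypothetical.

```apex
// Added example. Salary__c on Contact and all names here are hypothetical.
public with sharing class ContactSalaryService {
    public class FieldAccessException extends Exception {}

    // Unchecked: Apex runs in system mode, so Salary__c is returned even if
    // the running user's profile hides it. "with sharing" covers record
    // sharing only, not field-level security.
    public static List<Contact> readUnchecked(Id accountId) {
        return [SELECT Id, Name, Salary__c FROM Contact
                WHERE AccountId = :accountId];
    }

    // Option 1: user-mode query. Throws a QueryException when the running
    // user lacks read access to any selected field.
    public static List<Contact> readUserMode(Id accountId) {
        return [SELECT Id, Name, Salary__c FROM Contact
                WHERE AccountId = :accountId WITH USER_MODE];
    }

    // Option 2: query in system mode, then strip fields the user cannot
    // read. Callers get the records without Salary__c instead of an error.
    public static List<Contact> readStripped(Id accountId) {
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.READABLE,
            [SELECT Id, Name, Salary__c FROM Contact
             WHERE AccountId = :accountId]);
        return (List<Contact>) decision.getRecords();
    }

    // Option 3: explicit describe check before a write.
    public static void updateSalary(Id contactId, Decimal newSalary) {
        if (!Schema.sObjectType.Contact.fields.Salary__c.isUpdateable()) {
            throw new FieldAccessException('No edit access to Contact.Salary__c');
        }
        update new Contact(Id = contactId, Salary__c = newSalary);
    }
}
```

Running each read method as one of the test users from the Testing section makes the difference visible: only `readUnchecked` returns the salary to a profile where the field is hidden.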

Conclusion

Field-Level Security is a crucial feature in Salesforce for protecting sensitive data and ensuring users only access the information they need. By configuring field access through profiles, fields, or the Field Accessibility tool, admins can maintain a secure and user-friendly Salesforce environment. Combine FLS with other security features like object permissions and page layouts for a robust data protection strategy.

Author: Horilla Editorial Team
