11 Mar 2016

Standard Employee Profile Explanation

Limit Access to Fields in the Standard Employee Profile

Let's review our field-level security rules.
  • On Positions, hide minimum and maximum pay from standard employees and interviewers
  • On Candidates, hide social security numbers from interviewers and hiring managers
  • On Job Applications, make Candidate and Position lookup fields read only for hiring managers.
To define these rules, we’ll access field-level security settings in the Standard Employee profile.
You may be wondering: the last two rules are about interviewers and hiring managers, but those functions are defined by permission sets. Why are we concerned with them right now?
Permissions are additive: you can never remove a user’s existing permissions by assigning a permission set; you can only add permissions. If we want to limit access, we need to make sure that the base profile for our users—as well as any of their permission sets—limits this type of access. In the case of our organization, we know we’re going to assign the Interviewer and Hiring Manager permission sets to users with the Standard Employee profile, so we need to restrict field permissions in this profile as well as in the permission sets.
So let’s set up field-level security in the Standard Employee profile, and later we’ll check the field-level security for our permission sets.
  1. From Setup, enter Profiles in the Quick Find box, then select Profiles, and select the Standard Employee profile.
[Figure: The detail page for the Standard Employee profile]
The first thing you'll notice about the Standard Employee profile's detail page is that it includes several more areas than the edit page that we originally used to define the profile. These additional areas include Page Layouts (which we learned about earlier), Field-Level Security, Record Type Settings, Login Hours, and Login IP Ranges. Although we won't go into detail in this book about how to use any areas other than Field-Level Security (and record types later on), they're part of what makes a profile so powerful in our application. You can learn more about them in the Salesforce Help.
  1. In the Field-Level Security area, click View next to the Position object.
  2. Click Edit.
[Figure: The Field-Level Security Edit page for the Standard Employee profile]
Here we see security settings for all of the fields on the Position object, including Min Pay and Max Pay, the two fields that we want to restrict. You'll notice that some field-level security settings on some fields cannot be modified—this is because either they are system-generated fields or they act as lookup relationship fields (foreign keys) to other records.
Since the security settings checkboxes can be a little bit confusing, let's do a quick exercise to map their values (Visible and Read-Only) to the three logical permission settings for a field: “Hidden,” “Read Only,” and “Editable”:

Table 1. Field-Level Permission Mappings

Permission    Visible    Read-Only
Hidden
Read Only     X          X
Editable      X

After doing this exercise, it's easy to see that most fields are editable, because their Visible checkbox is the only one selected. To restrict a field from ever being viewed by a user, all we have to do is deselect both checkboxes.
  1. Next to the Max Pay field, deselect Visible.
  2. Next to the Min Pay field, deselect Visible.
  3. Click Save.
Now let’s take care of the remaining field-level security rules. Again, since we know that our interviewers and hiring managers will be assigned the Standard Employee profile, we’ll ensure that its field permissions are set correctly.
  1. Click Back to Profile.
  2. In the Field-Level Security area, click View next to the Candidate object.
  3. Click Edit.
  4. Next to the SSN field, deselect Visible.
  5. Click Save.
  6. Click Back to Profile.
  7. In the Field-Level Security area, click View next to the Job Application object.
  8. Click Edit.
  9. Next to the Candidate and Position fields, select Read Only.
  10. Click Save.
We're done setting field-level security for the Standard Employee profile. We didn’t have to change anything in the Recruiter profile because, as we already determined in the planning stage, recruiters can access all the fields we created in our objects.
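
The additive rule and the checkbox mapping in Table 1, as an added Python example that is not Salesforce code or part of the original tutorial: a simplified model that computes a hiring manager's effective field access from the profile plus a permission set and reports which source breaks a rule. The dictionary layout, the function names and the "Object.Field" labels are assumptions made for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    HIDDEN = 0
    READ_ONLY = 1
    EDITABLE = 2

def from_checkboxes(visible, read_only):
    """Table 1: map the Visible / Read-Only checkboxes to a logical level."""
    if not visible:
        return Access.HIDDEN
    return Access.READ_ONLY if read_only else Access.EDITABLE

def effective_access(field, profile, permission_sets):
    """Additive model: the most permissive grant across all sources wins."""
    sources = [profile, *permission_sets]
    return max(s["fields"].get(field, Access.HIDDEN) for s in sources)

def audit(rules, profile, permission_sets):
    """List (field, allowed, actual, sources granting too much) per broken rule."""
    findings = []
    for field, allowed in rules.items():
        actual = effective_access(field, profile, permission_sets)
        if actual > allowed:
            culprits = [s["name"] for s in [profile, *permission_sets]
                        if s["fields"].get(field, Access.HIDDEN) > allowed]
            findings.append((field, allowed, actual, culprits))
    return findings

# Constructed sample data. "Object.Field" labels are illustrative, not API names.
FIELDS = ["Candidate.SSN", "Job Application.Candidate", "Job Application.Position"]
# The page's rules for a hiring manager.
RULES = dict(zip(FIELDS, [Access.HIDDEN, Access.READ_ONLY, Access.READ_ONLY]))

def grant(name, boxes):
    """boxes: one (visible, read_only) pair per entry in FIELDS."""
    return {"name": name,
            "fields": {f: from_checkboxes(*b) for f, b in zip(FIELDS, boxes)}}

HIRING_MANAGER = grant("Hiring Manager", [(False, False), (True, True), (True, True)])
PROFILE_BEFORE = grant("Standard Employee", [(True, False)] * 3)  # all editable
PROFILE_AFTER = grant("Standard Employee", [(False, False), (True, True), (True, True)])

if __name__ == "__main__":
    for label, prof in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        print(label, audit(RULES, prof, [HIRING_MANAGER]))
```

With the profile left at its editable defaults, every rule fails and the offending source is the profile, even though the permission set is already restrictive; after the steps above, the audit returns no findings.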