Field-Level Security (FLS) is a critical component of Salesforce's security model that controls user access to view, edit, or delete specific fields on objects. As a Platform Administrator, understanding FLS is essential for maintaining data security and ensuring users only see information relevant to their roles.
FLS operates at the profile and permission set level, allowing administrators to define which fields are visible and editable for different user groups. There are two primary settings for each field: Visible and Read-Only. When Visible is checked, users can see the field. When Read-Only is also enabled, users can view but cannot modify the field value.
Administrators can configure FLS through several methods. The most common approach is through Setup by navigating to Object Manager, selecting the desired object, clicking on Fields & Relationships, choosing the specific field, and then clicking Set Field-Level Security. This displays a matrix showing all profiles with checkboxes for visibility and read-only permissions.
Alternatively, FLS can be managed through Profiles or Permission Sets. When editing a profile, navigate to the Field-Level Security section to modify access for multiple fields simultaneously. Permission Sets offer more granular control and are recommended for extending field access beyond base profile settings.
Best practices for FLS include starting with minimal access and granting additional permissions as needed, regularly auditing field accessibility, using permission sets for flexibility, and documenting security requirements. Remember that FLS works in conjunction with object-level security - users need both object access and field-level access to interact with data.
FLS affects not only page layouts but also reports, list views, search results, and API access. Fields hidden through FLS will not appear in these contexts, providing comprehensive data protection across the entire platform. Understanding and properly configuring FLS is fundamental to maintaining a secure Salesforce environment.
Field-Level Security
What is Field-Level Security?
Field-Level Security (FLS) is a Salesforce security feature that controls which fields users can see, edit, or neither on records they have access to. It operates at the profile and permission set level, providing granular control over data visibility within objects.
Why is Field-Level Security Important?
Field-Level Security is critical for several reasons:
• Data Protection: Sensitive information like salary, social security numbers, or confidential business data can be hidden from users who should not see it
• Compliance: Helps organizations meet regulatory requirements by restricting access to protected data
• Data Integrity: Prevents unauthorized modifications to critical fields
• User Experience: Simplifies the interface by showing users only relevant fields
How Field-Level Security Works
Field-Level Security operates on two settings for each field:
• Visible: Determines if users can view the field value
• Read-Only: Determines if users can only read (not edit) the field
The possible combinations are:
• Visible and Editable: Users can see and modify the field
• Visible and Read-Only: Users can see but cannot modify the field
• Hidden: Users cannot see the field at all
Where to Configure Field-Level Security
FLS can be configured in multiple locations:
1. Profiles: Setup → Profiles → Select Profile → Field-Level Security
2. Permission Sets: Setup → Permission Sets → Select Permission Set → Field Permissions
3. Field Settings: Object Manager → Select Object → Fields → Select Field → Set Field-Level Security
Key Concepts to Remember
• FLS is restrictive - it can only restrict access granted by object-level permissions
• Users must have object-level access before FLS applies
• FLS applies across all areas: page layouts, reports, list views, search, and API
• If a field is hidden via FLS, it will not appear on page layouts regardless of layout configuration
• Permission sets can grant additional field access beyond what a profile provides
• FLS is enforced in Apex when using WITH SECURITY_ENFORCED or Security.stripInaccessible()
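As an added example (not code from the original page or from Salesforce), the Apex class below shows the two enforcement mechanisms named in the last bullet, one on read and one on write, plus an explicit describe check; Contact.Salary__c is an assumed custom field used only for illustration.

```apex
// Added example: Apex service that honours FLS for the running user.
// Assumes a hypothetical custom field Contact.Salary__c exists.
public with sharing class ContactSalaryService {

    // Read path: WITH SECURITY_ENFORCED makes the query throw
    // System.QueryException if the running user lacks Visible (read) FLS on
    // any selected field, rather than silently returning hidden data.
    public static List<Contact> readSalaries(Set<Id> contactIds) {
        try {
            return [SELECT Id, LastName, Salary__c
                    FROM Contact
                    WHERE Id IN :contactIds
                    WITH SECURITY_ENFORCED];
        } catch (System.QueryException e) {
            // Field hidden by profile/permission set FLS: fail closed.
            throw new AuraHandledException(
                'Insufficient field access: ' + e.getMessage());
        }
    }

    // Write path: stripInaccessible drops fields the user cannot update
    // before DML, so a user with Visible + Read-Only on Salary__c cannot
    // change it through this code. Returns the stripped field names so the
    // caller can surface or log them.
    public static Set<String> updateSalaries(List<Contact> contacts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);
        update decision.getRecords();

        Set<String> removed = new Set<String>();
        Map<String, Set<String>> removedByType = decision.getRemovedFields();
        if (removedByType.containsKey('Contact')) {
            removed.addAll(removedByType.get('Contact'));
        }
        return removed;
    }

    // Explicit describe check, mirroring the Visible checkbox in FLS; useful
    // before building dynamic SOQL or deciding what a component renders.
    public static Boolean canReadSalary() {
        return Schema.sObjectType.Contact.fields.Salary__c.isAccessible();
    }
}
```

Note that `with sharing` governs record-level sharing only; the FLS checks above are what keep a hidden or read-only field from leaking or being modified via Apex.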
Exam Tips: Answering Questions on Field-Level Security
1. Understand the Hierarchy: Remember that FLS works in conjunction with object permissions. A user needs Read access on the object before field-level restrictions apply.
2. Profile vs Permission Set: Profiles set the baseline access, while permission sets can only add permissions, not remove them. If a question asks about restricting access, focus on profile settings.
3. Page Layout Confusion: A common exam trap involves page layouts. Removing a field from a page layout does not secure it - users can still access it through reports, list views, or the API. Only FLS truly secures field data.
4. Universal ID Fields: Some fields like Record ID and System fields cannot have FLS applied to them.
5. Master-Detail Relationships: The master-detail relationship field is always required and visible; FLS cannot be applied to it.
6. Formula Fields: If a formula field references a field hidden by FLS, users will see an error or blank value.
7. Validation Rules: FLS does not prevent validation rules from running on hidden fields, which can cause confusing error messages for users.
8. Most Restrictive Wins: When multiple security settings conflict, Salesforce applies the most restrictive combination.
9. Scenario Questions: When presented with a scenario requiring field restriction, FLS is typically the correct answer over page layout modifications or other options.