Salesforce object permissions control what users can do with standard and custom objects in your org. These permissions determine whether users can create, read, update, or delete records, and they work alongside field-level security to create a comprehensive data protection model.
Object permissions are assigned through profiles and permission sets, forming the foundation of Salesforce’s security architecture. Understanding how to configure these permissions correctly is essential for maintaining data integrity while enabling users to perform their job functions.
What is a Salesforce Object?
A Salesforce object is a database table that stores specific types of data in your org. Objects contain fields (columns) and records (rows), similar to tables in a traditional database.
Standard objects come pre-built with Salesforce and include:
- Account – Companies and organizations
- Contact – Individual people
- Opportunity – Sales deals and prospects
- Lead – Potential customers
- Case – Customer service requests
- Product – Items your company sells
Custom objects are created by administrators to store data specific to your business needs. They always end with “__c” (like “Property__c” or “Invoice__c”).
Understanding Object Permissions in Salesforce
Object permissions define the baseline access users have to objects. These permissions are binary – users either have them or they don’t. The four core object permissions are:
| Permission | Description | Required For |
|---|---|---|
| Read | View records and field data | All other permissions depend on Read |
| Create | Add new records | Data import, lead conversion, record creation |
| Edit | Modify existing records | Updates, mass updates, data loader imports |
| Delete | Remove records permanently | Record deletion, mass delete operations |
Additional permissions include:
- View All – See all records regardless of sharing rules
- Modify All – Edit and delete all records regardless of sharing rules
How to Create Object Permissions in Salesforce
Object permissions are configured in two places: profiles and permission sets. Here’s how to set them up:
Setting Permissions in Profiles
- Navigate to Setup → Users → Profiles
- Select the profile you want to modify
- Click Object Settings or scroll to Standard Object Permissions / Custom Object Permissions
- Find your target object and click Edit
- Check the appropriate permission boxes (Read, Create, Edit, Delete)
- Configure field-level security if needed
- Click Save
Setting Permissions in Permission Sets
- Go to Setup → Users → Permission Sets
- Select an existing permission set or create a new one
- Click Object Settings
- Choose your object and click Edit
- Enable the required permissions
- Save your changes
- Assign the permission set to users
Salesforce Profile Permissions Best Practices
When configuring profile permissions, follow these production-tested guidelines:
Principle of Least Privilege
Grant users only the minimum permissions needed to perform their job functions. Start with restrictive permissions and add access as needed rather than starting with broad access and removing it.
Use Permission Sets for Exceptions
Keep profiles focused on job roles and use permission sets for:
- Temporary access grants
- Cross-functional responsibilities
- Project-specific permissions
- Integration user access
Standard vs Custom Object Considerations
Standard objects often have dependencies. For example:
- Contact permissions require Account read access
- Opportunity permissions need Account read access
- Case permissions may require Contact and Account access
Custom objects have fewer built-in dependencies but may have lookup relationships that require read access to parent objects.
Data Loader and Object Permissions
When an administrator plans to use Data Loader to mass import new records to a custom object from a new API, they need specific permissions:
Required Object Permissions
- Read permission on the target custom object
- Create permission on the target custom object
- Edit permission if updating existing records
Additional Requirements
- API Enabled permission in the user profile
- Field-level security set to “Visible” and “Editable” for all fields being imported
- Read access to any parent objects referenced in lookup fields
- Bulk API permissions if using Bulk API mode
Integration User Setup
For API integrations, create a dedicated integration user with:
// Example permission set for Data Loader integration
{
"objectPermissions": {
"CustomObject__c": {
"read": true,
"create": true,
"edit": true,
"delete": false
}
},
"systemPermissions": [
"ApiEnabled",
"BulkApiHardDelete"
]
}
Salesforce Object Relationship Types and Permissions
Object relationships affect how permissions cascade through your data model:
Lookup Relationships
Lookup relationships are loosely coupled. Users need:
- Read permission on both parent and child objects
- Create/Edit permission on child object to create relationships
- No automatic permission inheritance
Master-Detail Relationships
Master-detail relationships are tightly coupled:
- Child records inherit sharing from parent records
- Users need Read permission on master object to see detail records
- Delete permission on master object allows deletion of detail records
- Detail records cannot exist without a master record
Hierarchical Relationships
Available only on User object:
- Used for manager-subordinate relationships
- Affects role hierarchy and sharing rules
- No special permission requirements beyond standard User object access
Common Object Permission Scenarios
Sales Team Configuration
// Sales Representative Profile
Account: Read, Create, Edit
Contact: Read, Create, Edit
Opportunity: Read, Create, Edit, Delete
Lead: Read, Create, Edit, Delete
Product: Read
Pricebook: Read
Customer Service Configuration
// Service Agent Profile
Account: Read, Edit
Contact: Read, Create, Edit
Case: Read, Create, Edit, Delete
Solution: Read
Product: Read
Marketing Team Configuration
// Marketing User Profile
Lead: Read, Create, Edit, Delete
Campaign: Read, Create, Edit, Delete
Account: Read
Contact: Read, Create, Edit
Opportunity: Read
Troubleshooting Object Permission Issues
Common Error Messages
“Insufficient Privileges” – User lacks required object permission or field-level security access.
“Unable to Lock Row” – Record is being edited by another user or process. Not a permission issue.
“Field is Not Writable” – Field-level security prevents editing, even with object Edit permission.
Permission Debugging Steps
- Check the user’s profile object permissions
- Review assigned permission sets
- Verify field-level security settings
- Confirm sharing rule access
- Test with “View Setup and Configuration” permission to see effective permissions
Security Best Practices
Regular Permission Audits
Conduct quarterly reviews of:
- Profile assignments and permissions
- Permission set assignments
- Inactive user access
- Integration user permissions
Documentation Standards
Maintain documentation for:
- Profile purpose and intended users
- Permission set business justification
- Custom object permission requirements
- Integration user access patterns
Testing Procedures
Before deploying permission changes:
- Test in a sandbox environment
- Verify with actual user accounts
- Check integration functionality
- Document rollback procedures
Frequently Asked Questions
What is the difference between object permissions and field-level security?
Object permissions control access to entire objects (tables), while field-level security controls access to specific fields within those objects. You need both Read object permission AND field visibility to see field data. Object permissions are broader; field-level security is more granular.
Can users access records without Read permission on the object?
No. Read permission is the foundation for all other access. Without Read permission on an object, users cannot see any records of that type, regardless of sharing rules or other permissions.
How do View All and Modify All permissions affect sharing rules?
View All and Modify All permissions bypass all sharing rules for that object. Users with these permissions can see and edit all records regardless of ownership, role hierarchy, or sharing rule configurations. Use these permissions carefully as they override your org’s sharing model.
What happens if I remove Create permission but leave Edit permission?
Users can modify existing records they have access to but cannot create new records. This is common for roles that need to update data but shouldn’t add new records, like certain customer service or data quality roles.
Do I need special permissions for Data Loader with custom objects?
Yes. For Data Loader operations, you need API Enabled permission in your profile, plus Read and Create permissions on the target object. For updates, you also need Edit permission. Field-level security must be set to Visible and Editable for all fields you’re importing.
How do master-detail relationships affect object permissions?
In master-detail relationships, detail records inherit sharing from their master records. Users need Read permission on the master object to access detail records. If you have Delete permission on the master object, you can delete detail records. Detail records cannot exist without a master record.