does profile level Object settings override OWD? - Answers - Salesforce Trailblazer Community
Rajasree Jayaraj

does profile level Object settings override OWD?

If OWD for Account = Private, will a user with Profile permission for Account = R/C/E/Delete be able to delete others' records as well?

In short I would like to know if Profile level settings can override OWD.

Thanks.

Best Answer chosen by Rajasree Jayaraj
Mayank Srivastava
Hello Rajasree,

Remember the following:
  • Profiles: Which objects do I have access to and what can I do with them? (CRUD on ones you own)
  • Org-wide defaults: Which records do I have access to? (ones you don't own)
Profile permissions set the baseline for what you can do with records that you own and then OWD is used to decide which records you can execute those Profile permissions on (only yours or others').

For your use case, a user with Account = R/C/E/Delete permissions cannot delete others' records at all. Remember that OWD, sharing settings, and roles have no control over Delete (either your own or others' records), so a person with Delete permission on an object can only delete his/her own records no matter what the OWD is.

Following is a must watch to understand security and sharing settings better in Salesforce:
https://www.youtube.com/playlist?list=PL6747B4DAE356E17C&feature=iv&src_vid=X3Hg6OXhPO8&annotation_id=annotation_1079522389

I highly highly recommend the above.

All Answers

bhanu babajob
Hi
  You can't override profile permissions...
Link: https://www.youtube.com/playlist?list=PL6747B4DAE356E17C
Rajasree Jayaraj

Thanks @Mayank.

I was wrong, I wanted to know if the Account Owner can delete that account.

This is my scenario. I have a child object under Account-X (which inherits OWD from Parent-Account). Account owner User profile has access to delete X record. Now, can the Account Owner delete this child record X?

Sunil Sarilla
If the OWD for the child object under Account is Controlled by Parent, then the Account Owner can delete the child record. Not only the Account owner: any User who can delete the Account can also delete the child record.
Mayank Srivastava
+1 Sunil, it will depend on the OWD of the child object and that will decide who can do what with the child object record.

User can delete account?
User can delete the child object record too.

It's that simple.
Rajasree Jayaraj

Thanks @Sunil, @Mayank.

OWD under Account is Private (which means they can delete only the ones they own) and this applies for the child object too (like I said this child is inheriting OWD from parent). So now,

Account OWD= Private, CRUD: C/R/E/View All
Child X OWD= Private, CRUD= C/R/E/Delete

Now my question is if Account Owner can delete the child X. I think they should be, but I tested and couldn't. Not sure if I'm missing something.

Sunil Sarilla
OWD is Private means the following:
For Standard Objects: Owner and anyone above them in the Role Hierarchy will be able to access the record by default, and depending on the Permissions they have through Profile, they can do additional things like Create, Edit, Delete.
For Custom Objects: If Grant Access Using Hierarchies is checked, then Owner and anyone above them in the Role Hierarchy will be able to access the record by default.
If Grant Access Using Hierarchies is unchecked for the custom object, only Owner will have access to the record, and depending on the Permissions they have through Profile, they can do additional things like Create, Edit, Delete.
I would strongly recommend going through the link Mayank posted earlier to understand who sees what and what they can do based on the profile permissions.
Rajasree Jayaraj
Okay, Thanks a lot guys :)
Shahid Husain
Just to be clear - If there is a custom object Cars and the user Profile does not give access to it but the OWD is Public Read/Write. Does the user have access to the records in Cars?

Rajasree Jayaraj
Hi @shahid,

Answer to your question is No. Even if OWD is set to Read/Write and if the profile grants no access to the object, users belonging to that profile will not have access to those records.

Shahid Husain
Thank you. I was confused which has the higher power - OWD or Profile - but how about if on the object you have Modify All / View All or even Modify All Data / View All Data - I think even if you do not have access to an object through your Profile you will still be able to access the data.

Farhan Ali
I had the same confusion @Shahid. Even if Org wide default is set to Private for an Object, but the user's profile has Modify All/View All permission for that object, then the user will be able to see or modify the record.
Christopher Burt
Okay so I definitely understand the fundamental logic behind OWDs (which records you can access) and Profile/Permission Set (what actions you can take on those records). But the paradox around the OWD setting of "Public Read/Write" just doesn't make a lot of sense to me. What if the OWD on the Account object is "Public Read/Write" AND my profile grants me "Read" access to the Account object? Does this mean that I have read/write access to every account record in Salesforce, or does this mean I have read only access to every account record in Salesforce?
Deepthi Nukala
You will have R/W access to every Account record as OWD is R/W.
For example: if you remove/hide the Accounts tab from the Profile but, on the contrary, OWD on Accounts is R/W, you will not be able to see the tab even though OWD is R/W. OWD is to open up record-level functionality, and Profiles are for what you will see on that record.
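
Added example (not part of any post in this thread): an Apex check that reports, for one user and one record, the two layers the thread keeps separating, object-level Delete from the profile or permission sets and record-level delete access, so that a failed delete can be traced to the layer that blocks it. The class and method names are hypothetical, and it assumes the running user is allowed to query `ObjectPermissions`, `PermissionSetAssignment` and `UserRecordAccess`.

```apex
// Added example, not code from the thread. EffectiveAccessCheck and
// deleteLayers are hypothetical names chosen for illustration.
public with sharing class EffectiveAccessCheck {

    // Returns the result of each layer plus the combined answer:
    //   objectDelete -> Delete granted on the object by profile / permission sets
    //   recordDelete -> delete access on this record as reported by Salesforce
    //   effective    -> both layers allow the delete
    public static Map<String, Boolean> deleteLayers(Id userId, Id recordId) {
        String objectName = recordId.getSObjectType().getDescribe().getName();

        // Layer 1: object permissions. A profile's object permissions live in a
        // profile-owned permission set, so one query over the user's
        // assignments covers both the profile and any extra permission sets.
        Boolean objectDelete = false;
        for (ObjectPermissions op : [
                SELECT PermissionsDelete
                FROM ObjectPermissions
                WHERE SobjectType = :objectName
                AND ParentId IN (SELECT PermissionSetId
                                 FROM PermissionSetAssignment
                                 WHERE AssigneeId = :userId)]) {
            objectDelete = objectDelete || op.PermissionsDelete;
        }

        // Layer 2: record access for this specific user and record.
        // UserRecordAccess must be filtered on both UserId and RecordId.
        UserRecordAccess ura = [
            SELECT RecordId, HasReadAccess, HasEditAccess, HasDeleteAccess
            FROM UserRecordAccess
            WHERE UserId = :userId AND RecordId = :recordId
            LIMIT 1];

        Map<String, Boolean> layers = new Map<String, Boolean>{
            'objectDelete' => objectDelete,
            'recordDelete' => ura.HasDeleteAccess,
            'effective'    => objectDelete && ura.HasDeleteAccess
        };
        System.debug(objectName + ' delete check for ' + userId + ': ' + layers);
        return layers;
    }
}
```

Calling `EffectiveAccessCheck.deleteLayers(someUserId, someRecordId)` from Execute Anonymous with the Account owner's Id and the child record's Id shows which of the two layers is `false` when a delete that "should" work does not.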