• Assign profiles to define a user's absolute minimum baseline access.
• Limit permissions strictly based on core job roles.
• Apply the "Least Privilege" principle.
| [User Profiles](https://help.salesforce.com/s/articleView?id=ind.tpm_user_profiles.htm\&language=en_US\&type=5) | | Utilize Permission Sets & Groups |• Assign permission sets to grant extra access without modifying profiles.
• Helps avoid messy and excessive profile creation.
| [Create, Edit, Delete, and Assign a Permission Set](https://help.salesforce.com/s/articleView?id=000386289\&language=en_US\&type=1) | | Leverage Role Hierarchies |• Define roles to control record visibility vertically.
• Higher roles inherit access from lower roles, but do not override object-level security.
| [Add Roles to the Role Hierarchy](https://help.salesforce.com/s/articleView?id=000384747\&language=en_US\&type=1) | | Implement OWD & Sharing Rules |• Set Organization-Wide Defaults (OWD) to restrict baseline access (e.g., Private).
• Use Sharing Rules to grant additional access laterally.
| [Organization-Wide Sharing Defaults](https://help.salesforce.com/s/articleView?id=platform.security_sharing_owd_about.htm\&language=en_US\&type=5) | | Enforce Field-Level Security (FLS) |• Restrict the visibility and edibility of sensitive fields at the profile or permission set level.
• Prevent unauthorized viewing of critical data.
|Set Field-Level Security for a Field
• Object-level: Determines if a user can see/edit the object at all (Profiles/Perm Sets).
• Record-level: Determines which specific records they can see (OWD/Roles/Sharing).
| [Data Access and Security Overview](https://help.salesforce.com/s/articleView?id=platform.security_owd_external.htm\&language=en_US\&type=5) | | Audit & Monitor System Usage |• Use Setup Audit Trail and Field History Tracking.
• Review user access and system changes periodically.
| [Setup Audit Trail](https://help.salesforce.com/s/articleView?id=xcloud.admin_monitorsetup.htm\&type=5) | | Mandate Multi-Factor Auth (MFA) | • Enforce Multi-Factor Authentication (MFA) to add an essential extra security layer. | [Verification Methods for Multi-Factor Authentication](https://help.salesforce.com/s/articleView?id=xcloud.mfa_supported_verification_methods.htm\&language=en_US\&type=5) | | Minimize System Admins |• Limit the System Administrator role strictly to essential personnel.
• Audit users with “Modify All Data” permissions (Consider Delegated Admins
| [Define Delegate Administrators](https://help.salesforce.com/s/articleView?id=platform.delegating_user_administration.htm\&language=en_US\&type=5) | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.sdocs.com/sdocs/administration/landing-page-for-admin/security/salesforce-best-practices-when-using-s-docs.md?ask=