Salesforce User Management, Profiles, and Roles

Every person who logs into Salesforce is a User. But not all users should see the same data or have the same abilities. A sales intern should not be able to delete Accounts. A support agent does not need access to the Sales Cloud setup. Salesforce uses Profiles and Roles to control exactly what each user can do and see. Understanding these two concepts is essential for any Salesforce administrator.

Creating and Managing Users

Administrators create users in Setup under Users → Users. Each user record requires:

  • First Name, Last Name
  • Email Address (used as the login username)
  • Username (must be unique across all Salesforce orgs globally — usually the email address)
  • License Type (which Salesforce features the user can access)
  • Profile (controls permissions)
  • Role (controls data visibility)

Deactivating a user — not deleting them — is the correct way to remove access when someone leaves the company. Deleting a user is not possible once they own records, so deactivation preserves data integrity while removing login access.

Licenses: The Foundation

Before a user gets a Profile, they need a License. A license is like a ticket that grants access to a specific set of Salesforce features. Common license types:

  • Salesforce License — full access to CRM features (Sales, Service, etc.)
  • Salesforce Platform License — access to custom apps but not standard CRM objects
  • Chatter Free License — Chatter only, no CRM data access
  • Community License — for external portal users (customers, partners)

You pay per license per user per month. The license type limits what Profiles you can assign.

What Is a Profile?

A Profile controls what a user can do — the actions they are allowed to perform in Salesforce. Every user has exactly one Profile. Think of a Profile as a job description that lists permitted actions.

What Profiles Control

  • Object Permissions — can the user Read, Create, Edit, or Delete records on each object?
  • Field-Level Security — which fields are visible or editable on each object?
  • App Settings — which Salesforce apps appear in the App Launcher?
  • Tab Settings — which tabs are visible in the navigation bar?
  • System Permissions — special abilities like "View All Data", "Manage Users", or "Customize Application"
  • Login Hours and IP Restrictions — when and from where the user can log in

Standard Profiles

Salesforce includes built-in profiles that cover common roles:

Profile NameTypical Use
System AdministratorFull access to everything — setup, data, customization
Standard UserGeneral CRM access — read, create, and edit most objects
Read OnlyView records but cannot create or edit
Solution ManagerManage knowledge base solutions in Service Cloud
Marketing UserAccess to Campaigns and marketing tools
Contract ManagerCreate and manage contracts

Standard profiles cannot be edited. Administrators clone them and customize the copies to create company-specific profiles.

What Is a Role?

A Role controls what data a user can see — specifically, which records are visible to them. Roles form a Role Hierarchy — a tree structure that mirrors the company's reporting structure.

The Role Hierarchy

In the role hierarchy, users higher up the tree automatically see records owned by users below them. This is called record access roll-up.

  CEO
   |
   +── VP Sales (Sees all Sales rep records)
   |      |
   |      +── Sales Manager - North (Sees North rep records)
   |      |       |
   |      |       +── Sales Rep 1 (Sees only own records)
   |      |       +── Sales Rep 2 (Sees only own records)
   |      |
   |      +── Sales Manager - South (Sees South rep records)
   |              |
   |              +── Sales Rep 3
   |              +── Sales Rep 4
   |
   +── VP Support (Sees all support agent records)

Sales Rep 1 sees only their own Opportunities. Sales Manager - North sees Opportunities owned by Rep 1 and Rep 2. VP Sales sees all Opportunities. The CEO sees everything.

Role vs. Profile: The Key Difference

ConceptControlsSimple Way to Remember
ProfileWhat you can do"Can I delete an Account?" → Profile
RoleWhat you can see"Can I see my colleague's Opportunities?" → Role

Public Groups

A Public Group is a collection of users, roles, or even other groups bundled together under one name. Public Groups are useful when you want to share a record or a folder with many people at once. Instead of adding 20 users individually, you add the Public Group that contains all of them.

Queues

A Queue is a holding area for unassigned records. When a new Lead or Case comes in, it can be placed in a Queue instead of assigned to a specific user. Team members pick records from the queue based on availability and expertise. Queues are common in support centers where cases must be distributed across agents.

Key Points

  • Every Salesforce user needs a License (what product they access), a Profile (what they can do), and a Role (what they can see).
  • Profiles control object permissions, field-level security, and system permissions for each user.
  • The Role Hierarchy mirrors the company org chart and controls record visibility — managers automatically see their team's records.
  • Public Groups collect multiple users under one name for easier sharing.
  • Queues hold unassigned records so teams can manage workload distribution.
Previous lessons
Back to courses
Next lessons

Leave a Comment