Field-level security: the layer people forget
Most conversations about Salesforce access stop at the record: who can see this Account, who can see that Opportunity. But seeing a record and seeing every field on it are two different things, and the gap between them is field-level security. It is the layer people forget, and it is often the layer that matters most, because the sensitive thing is usually a field, not a whole record.
What field-level security does
Field-level security (FLS) controls, per field, whether a user can read or edit that field, set through profiles and permission sets. It applies on top of record access. A user can have full access to an Opportunity and still not see its Amount, or see an Account but not the field where someone stored a tax ID or a contract rate. FLS is what lets you share the record people need while withholding the specific values they do not.
Why it gets missed
FLS is quiet for a few reasons. It does not show up when you think about “who can see this record,” because it operates one level below that. It is set in two places (profiles and permission sets) and the effective result is the combination, which is harder to picture than a single switch. And it is invisible in the most common test of all: an admin, who usually has broad field access, looks at a record, sees every field, and concludes everything is fine, because for them it is.
The fields that need FLS are also exactly the fields where a miss is expensive: compensation, pricing, personal identifiers, health or financial details, anything regulated. Record-level access can be immaculate and a single field permission can still expose the one value you most needed to protect.
The questions worth asking about fields
Good field hygiene comes down to a few habits:
- For your sensitive fields, who can read them, and is that set as small as it should be?
- When you grant a permission set for record access, does it quietly carry field access you did not intend?
- After a profile or permission set change, did any sensitive field’s read access widen as a side effect?
These are field-first questions, and Salesforce’s screens are mostly record-first, which is why FLS tends to get audited last, if at all.
Seeing access at the field level
Who Sees What treats a field as a first-class thing you can audit. You can ask who can see a specific field, the same way you would ask who can see a record, and get the list of users along with the profile or permission set that grants each one read access. So when someone asks “who can see the salary field?”, the answer is a real list with real reasons, not an admin’s guess based on what they themselves can see. You can confirm a sensitive field is locked down, find the grant that opened it wider than you meant, and check that a permission change did not loosen a field you cared about.
Record access decides whether someone is in the room. Field-level security decides what they can read once they are there. Both deserve the same attention, and the field is where the most sensitive answers usually live. It is worth making sure the last layer is one you can actually see.