ObjectStackObjectStack Protocol

Permission Governance

The specification for the 3-Layer Security Model.

ObjectStack enforces a strict security model that cannot be bypassed by client-side code.

1. Profiles & Permission Sets (Functional Access)

Controls what a user can do.

Permission Set

A collection of booleans and grants.

  • Object Permissions: allow_read, allow_create, allow_edit, allow_delete, view_all, modify_all.
  • Field Permissions: read, edit (per field).
  • System Permissions: export_data, manage_users.

Profile

A user can only have one Profile (Base), but multiple Permission Sets (Extensions).

2. Organization-Wide Defaults (OWD)

Controls the baseline visibility of data.

  • Private: Users can only see records they own.
  • Public Read Only: Users can see everything, but only edit their own.
  • Public Read/Write: Open access.

3. Sharing Rules (Record Access)

Opens up access to specific subsets of data beyond the OWD.

Criteria-Based Sharing

"Share all Deals where Amount > 1M with the VP_Finance role."

Manual Sharing

Ad-hoc sharing of a single record (e.g., "Add John to the Sales Team for this deal").

4. Territory Management

A complex sharing model based on geometric or matrix hierarchies (e.g., "North America Sales" vs "Enterprise Sales").

On this page

1. Profiles & Permission Sets (Functional Access)Permission SetProfile2. Organization-Wide Defaults (OWD)3. Sharing Rules (Record Access)Criteria-Based SharingManual Sharing4. Territory Management