How to set up Field-Level Security in Salesforce

Field-Level Security (FLS) controls which fields a profile or permission set can see and edit, independent of the page layout. It's the most commonly confused part of the Salesforce security model: page layouts dictate visual placement, while FLS dictates whether the data is exposed at all.

By Dipojjal Chakrabarti · Editor, Salesforce Dictionary
Last updated Apr 20, 2026

  1. Decide where to set it: Profile, Permission Set, or Field-by-field

    Modern best practice: grant FLS via Permission Sets, not Profiles. Profile FLS is the floor; permission sets layer on top.

  2. Per-field path: Object Manager → object → Fields & Relationships → [field] → Set Field-Level Security

    Useful when adding one field; lets you tick Visible / Read-Only across all Profiles in one screen.

  3. Per-permission-set path: Setup → Permission Sets → [set] → Object Settings → [object] → Field Permissions

    Better for managing many fields at once. Each row shows Read / Edit checkboxes per field.

  4. Set Visible (Read access)

    Untick to hide the field entirely — UI, reports, list views, API. "Hidden" is total.

  5. Set Read-Only

    Tick to make the field read-only via this profile/permission set. Page layouts can override Read-Only by making the field editable on the layout — confusing but documented.

  6. Save and verify

    Open the record as a user assigned to that profile/permission set. Check the field is hidden / read-only as expected — and that reports don't expose what FLS hides.
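For the verify step, the effective access of one user can also be checked from exported field permissions. The following is an added example, not code from this guide or from Salesforce: it assumes rows exported from the FieldPermissions object, and every profile, permission set and custom field name in it is hypothetical.

```python
# Added example: effective FLS for one user, computed from FieldPermissions-style rows.
# ROWS is constructed sample data, shaped like the result of the SOQL query
#   SELECT Parent.Name, Field, PermissionsRead, PermissionsEdit
#   FROM FieldPermissions WHERE SobjectType = 'Account'
# All parent and custom field names below are hypothetical.
ROWS = [
    {"parent": "Sales_Profile", "field": "Account.AnnualRevenue", "read": True, "edit": False},
    {"parent": "Finance_Edit", "field": "Account.AnnualRevenue", "read": True, "edit": True},
    {"parent": "Finance_Edit", "field": "Account.Credit_Limit__c", "read": True, "edit": True},
    {"parent": "Support_Read", "field": "Account.Credit_Limit__c", "read": True, "edit": False},
]


def effective_fls(rows, assigned):
    """Union the grants of every profile / permission set in `assigned`.

    Grants only add up: one parent granting Edit is enough. A field with no
    row from any assigned parent is missing from the result (no access).
    """
    result = {}
    for row in rows:
        if row["parent"] not in assigned:
            continue
        entry = result.setdefault(row["field"], {"read": [], "edit": []})
        for perm in ("read", "edit"):
            if row[perm]:
                entry[perm].append(row["parent"])  # remember who granted it
    return result


def level(entry):
    """Collapse one effective_fls entry into hidden / read-only / edit."""
    if not entry or not entry["read"]:
        return "hidden"
    return "edit" if entry["edit"] else "read-only"


def mismatches(rows, assigned, expected):
    """Return (field, expected, actual, granted_by) where access differs from intent."""
    effective = effective_fls(rows, assigned)
    found = []
    for field, want in sorted(expected.items()):
        entry = effective.get(field)
        actual = level(entry)
        if actual != want:
            granted_by = entry["edit"] or entry["read"] if entry else []
            found.append((field, want, actual, granted_by))
    return found
```

Calling mismatches with the user's assigned profile and permission sets and the intended level per field returns the fields whose access is broader or narrower than planned, together with the parent that granted it.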

Key options
Visible

Read access. Off = field is completely hidden — UI, reports, list views, API.

Read-Only

User can see but not edit. Page Layout can override this for that layout.

Source: Profile vs Permission Set

Profile FLS is the floor. Permission Sets layer on top with grants only — they cannot remove access.

Gotchas
  • FLS hides the field everywhere — including reports, dashboards, Apex SOQL queries (the field returns null for users without access), and APIs. Test reports after changing FLS to make sure nothing breaks.
  • Page Layout's "Read-Only" toggle can override FLS Read-Only for that layout. Layouts can grant Edit even when FLS says Read-Only — common source of "why can this user edit this field?" tickets.
  • Universally Required fields (set at the field definition) override FLS. If a field is required, FLS can't make it invisible — Salesforce treats hidden + required as a contradiction.
