All four bypass the standard sharing model — they grant access regardless of OWD, role hierarchy, or sharing rules. The differences are scope and read-vs-write.
- View All Data (system permission) — read every record on every object in the org. Bypasses all sharing. Bypasses field-level security too in some contexts. Default for System Administrator only.
- View All [Object] (object-level permission) — read every record on a specific object. Use this when a role legitimately needs all-records visibility but only on one object — for example, a finance reporting role that needs all Opportunities but not all HR records.
- Modify All Data (system permission) — read AND edit every record on every object. Strongest possible permission. Default for System Administrator.
- Modify All [Object] — edit every record on a specific object.
When to use each:
- System-level View All / Modify All — only for actual administrators or trusted developers. Be conservative; these bypass everything.
- Per-object View All — common for analyst, executive, and reporting users who need org-wide visibility on one or two objects.
- Per-object Modify All — for data-stewardship roles (lead routing managers, finance ops) that need to fix records owned by anyone.
Ownership: granting any "All" permission also grants the implicit ability to delete records, subject to the standard Delete object permission: having View All on an object plus Delete on that object lets you delete any record on that object.
Audit trail: when these permissions are granted, the change is logged in Setup Audit Trail. Make granting them a deliberate, reviewed event.
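One way to review who currently holds any of the four permissions, as an added Apex example for Execute Anonymous (not code from the original page). It only reads the standard PermissionSet, ObjectPermissions and PermissionSetAssignment objects; the variable names are illustrative, and a very large org may need extra filters to stay within query row limits.

```apex
// Added audit example: lists active users holding View All / Modify All grants.
// Read-only: it runs three queries and writes the result to the debug log.
Map<Id, Set<String>> grantsByPermSet = new Map<Id, Set<String>>();

// System-level grants are boolean fields on PermissionSet.
for (PermissionSet ps : [
    SELECT Id, PermissionsViewAllData, PermissionsModifyAllData
    FROM PermissionSet
    WHERE PermissionsViewAllData = true OR PermissionsModifyAllData = true
]) {
    Set<String> grants = new Set<String>();
    if (ps.PermissionsModifyAllData) grants.add('Modify All Data');
    if (ps.PermissionsViewAllData) grants.add('View All Data');
    grantsByPermSet.put(ps.Id, grants);
}

// Per-object grants are ObjectPermissions rows, one per permission set and object.
for (ObjectPermissions op : [
    SELECT ParentId, SobjectType, PermissionsViewAllRecords, PermissionsModifyAllRecords
    FROM ObjectPermissions
    WHERE PermissionsViewAllRecords = true OR PermissionsModifyAllRecords = true
]) {
    if (!grantsByPermSet.containsKey(op.ParentId)) {
        grantsByPermSet.put(op.ParentId, new Set<String>());
    }
    String level = op.PermissionsModifyAllRecords ? 'Modify All' : 'View All';
    grantsByPermSet.get(op.ParentId).add(level + ' ' + op.SobjectType);
}

// Resolve grants to active users. A profile shows up here as a permission set
// with IsOwnedByProfile = true, so profile and permission-set grants are both covered.
for (PermissionSetAssignment psa : [
    SELECT Assignee.Username, PermissionSetId, PermissionSet.Label,
           PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name
    FROM PermissionSetAssignment
    WHERE PermissionSetId IN :grantsByPermSet.keySet() AND Assignee.IsActive = true
    ORDER BY Assignee.Username
]) {
    String source = psa.PermissionSet.IsOwnedByProfile
        ? 'Profile: ' + psa.PermissionSet.Profile.Name
        : 'Permission set: ' + psa.PermissionSet.Label;
    System.debug(psa.Assignee.Username + ' | ' + source + ' | '
        + String.join(new List<String>(grantsByPermSet.get(psa.PermissionSetId)), ', '));
}
```

Each debug line reads `username | source | grants`, which can be compared against the roles described above to spot users whose access is broader than their job requires.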
