Basic data permissions are usually carried business email list on a permission medium, such as permission sets, functions, etc. It usually consists of two parts, object-level permissions and field-level permissions.
In short, object-level permissions can control whether a user can see a certain business menu or business tab, that is to say, the user may not even know that this type of data exists in the system. The design of object-level permissions will include the following parts.
Of course, for different enterprises, there may be more refined management, such as data transfer, lock/unlock and other basic functions can and need to be controlled.
Regarding "query all associations" and "modify all associations", his permission priority is higher than other permission rules. For example, business objects such as business opportunities, orders, and quotations are associated with customers. If "Query All Associations" is set on the customer, the object-level permissions set by the specific associated business entity will be overwritten.
According to business needs, even if you can see a business object, you still need to perform data permission processing on some privacy fields. For example: contact phone number, salary and other information will not be available to everyone.