How to Control Access to Records in Salesforce


Once we set object-level and field-level access permissions, we can move on to the third and final piece of the puzzle → record-level access permissions!

Record-level access enables us to give Users access to certain object records but not others. To get that done, Salesforce offers a plethora of tools:

  • Organization-Wide Defaults
  • Role Hierarchy
  • Manual Sharing
  • Sharing Rules
  • Teams
  • Territory Hierarchy
  • Programmatic Sharing
  • Scoping Rules
  • Restriction Rules
  • User Sharing

We’ll work with the first four tools and explore the rest as we progress.

Record-Level Security

Record-level access determines which object records the User can access and edit. Before setting up the permissions, we need to ask ourselves a couple of questions:

  • Should the User be granted access to every record or only a subset of records?
  • If it’s a subset, what rules should decide whether the User can access the record?

We can control record-level access with the help of four tools. As the image suggests, each tool (layer) results in an increasing level of access.

  • Org-Wide Defaults: OWD refers to the default and most restrictive level of record access.
  • Role Hierarchy: Enables those in a higher rank/role to access records owned by those below them in the hierarchy.
  • Sharing Rules: Enables a particular group of Users to access certain records they usually cannot view.
  • Manual Sharing: Enables the owner of a record to share records with Users who might otherwise not have access to those records.

Diagram Description automatically generated

Let’s summarize how security controls work:

  • A Users baseline permission is determined by their profile and any permission sets assigned to them.
  • The org-wide defaults determine access to records that the User doesn’t own.
  • You can open up access with the help of role hierarchy if the org-wide defaults are anything lower than Public Read/Write.
  • Use sharing rules to open up access to a specific group of Users.
  • The record owner can open up access to other users via manual sharing.

Org-Wide Sharing

Org-wide defaults form the baseline level of access the most restricted User will have. We use org-wide defaults to lock down our data, following which we can use the other record-level security and sharing tools to open up the data as and when necessary.

A picture containing text Description automatically generated

Object permissions form the base level of access for all the records in an object, while org-wide defaults modify those settings for records that the User does not own.

We can set the sharing model for an Object to one of these settings:

Timeline Description automatically generated with low confidence

We know the sharing models an Object can take on, but how do we decide org-wide defaults for our app? We can start by asking ourselves the following questions:

Diagram Description automatically generated

Set Up Org-Wide Sharing Defaults

Let’s get hands-on and set up the org-wide sharing defaults for our orgs.

1. From Setup, enter Sharing Settings in the Quick Find Box, and then click Sharing Settings.

2. Click Edit next to Organization-Wide Defaults.

Diagram, table Description automatically generated

3. Once you’ve locked down your data using org-wide sharing defaults, click Save.



  • Barry Allen

    A Full Stack Developer with 10+ years of experience in different domain including SAP, Blockchain, AI and Web Development.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.