Once object-level and field-level permissions are in place, we can move on to the third and final piece of the puzzle: record-level access permissions.
Record-level access lets us give Users access to some records of an object but not others. To get that done, Salesforce offers a range of tools:
- Organization-Wide Defaults
- Role Hierarchy
- Manual Sharing
- Sharing Rules
- Territory Hierarchy
- Programmatic Sharing
- Scoping Rules
- Restriction Rules
- User Sharing
We’ll work with the first four tools and explore the rest as we progress.
Record-level access determines which records of an object the User can view and edit. Before setting up the permissions, we need to ask ourselves two questions:
- Should the User be granted access to every record or only a subset of records?
- If it's a subset, what rules should decide whether the User can access a given record?
We control record-level access with the first four tools from the list above. As the image suggests, the tools are layers: each layer can only open up access beyond the layer below it, and none of the four can take access away.
- Org-Wide Defaults (OWD): The baseline, and most restrictive, level of access to records the User does not own.
- Role Hierarchy: Gives Users in a higher role access to records owned by Users below them in the hierarchy.
- Sharing Rules: Automatic exceptions to the org-wide defaults that give a particular group of Users access to records they otherwise could not view.
- Manual Sharing: Lets the owner of a record share it with Users who would otherwise not have access to it.
Let's summarize how the security controls fit together:
- A User's baseline permissions (object and field access) are determined by their profile and any permission sets assigned to them.
- The org-wide defaults determine access to records that the User doesn't own.
- If the org-wide default for an object is anything more restrictive than Public Read/Write, you can open up access through the role hierarchy.
- Use sharing rules to open up access to a specific group of Users.
- The record owner can open up access to other Users via manual sharing.
Org-wide defaults form the baseline level of access that the most restricted User will have. We use org-wide defaults to lock down our data, and then use the other record-level security and sharing tools to open the data up as and when necessary.
Object permissions form the base level of access for all the records in an object, while org-wide defaults narrow that access for records the User does not own. Sharing never overrides object permissions: a User whose profile and permission sets grant no Read permission on the object sees none of its records, however widely they are shared.
We can set the sharing model for an Object to one of these settings:
We know the sharing models an Object can take on, but how do we decide org-wide defaults for our app? We can start by asking ourselves the following questions:
Set Up Org-Wide Sharing Defaults
Let’s get hands-on and set up the org-wide sharing defaults for our orgs.
1. From Setup, enter Sharing Settings in the Quick Find Box, and then click Sharing Settings.
2. Click Edit next to Organization-Wide Defaults.
3. For each object, choose the Default Internal Access (and the Default External Access, if the external sharing model is enabled) that locks the data down as far as the business allows, and then click Save.
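As an added example (not part of the original tutorial), the following Apex test exercises the two ends of the layering described above: it confirms that a Private org-wide default hides a record from a non-owner, and then shows the owner opening it up with a manual share, done here programmatically by inserting an AccountShare row, which is what the Sharing button on the record does behind the scenes. It assumes an org where the Account org-wide default for internal users is Private, a profile named 'Standard User' that grants Read on Account, and that the user running the test owns the Account; the user name, e-mail address and account name are constructed sample values.

```apex
@isTest
private class RecordAccessLayersTest {

    // Builds a minimal user on the Standard User profile (assumed to exist
    // with Read on Account). The insert runs inside runAs on the current user
    // to avoid the MIXED_DML_OPERATION error raised when a setup object (User)
    // and a non-setup object (Account) are changed in the same transaction.
    private static User makeStandardUser() {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User(
            Alias = 'rlatest',
            Email = 'rla.test@example.invalid',          // constructed sample
            EmailEncodingKey = 'UTF-8',
            LastName = 'RecordAccess',
            LanguageLocaleKey = 'en_US',
            LocaleSidKey = 'en_US',
            TimeZoneSidKey = 'America/Los_Angeles',
            ProfileId = p.Id,
            Username = 'rla.test.' + System.currentTimeMillis() + '@example.invalid'
        );
        System.runAs(new User(Id = UserInfo.getUserId())) {
            insert u;
        }
        return u;
    }

    // Asks the platform what the running user can do with one record.
    // UserRecordAccess reports the effective result of every sharing layer,
    // so it is the check to run after changing org-wide defaults.
    private static UserRecordAccess accessTo(Id recordId) {
        return [SELECT RecordId, HasReadAccess, HasEditAccess
                FROM UserRecordAccess
                WHERE UserId = :UserInfo.getUserId() AND RecordId = :recordId];
    }

    @isTest
    static void privateOwdHidesRecordUntilOwnerSharesIt() {
        User reader = makeStandardUser();
        // Owned by the user running the test, not by reader.
        Account acc = new Account(Name = 'OWD Check Co');   // constructed sample
        insert acc;

        // Layer 1, org-wide defaults: with Account set to Private, a non-owner
        // who is not above the owner in the role hierarchy and matches no
        // sharing rule must not see the record at all.
        System.runAs(reader) {
            UserRecordAccess a = accessTo(acc.Id);
            System.assertEquals(false, a.HasReadAccess, 'Private OWD should hide the record');
        }

        // Layer 4, manual sharing by the owner: a share row with RowCause
        // Manual is exactly what the Sharing button writes. Read only here;
        // the Opportunity and Case levels are required on AccountShare.
        insert new AccountShare(
            AccountId = acc.Id,
            UserOrGroupId = reader.Id,
            AccountAccessLevel = 'Read',
            OpportunityAccessLevel = 'None',
            CaseAccessLevel = 'None',
            RowCause = 'Manual'
        );

        // The share opened read access, and only read access: sharing can
        // add to what OWD allows but a Read share never implies Edit.
        System.runAs(reader) {
            UserRecordAccess a = accessTo(acc.Id);
            System.assertEquals(true, a.HasReadAccess, 'Manual share should grant read');
            System.assertEquals(false, a.HasEditAccess, 'Read share must not grant edit');
        }
    }
}
```

Run it from Setup (Apex Test Execution) or `sf apex run test`. If the first assertion fails, the org-wide default for Account is not Private, or the reader inherited access through a role above the owner or through an existing sharing rule; that is the kind of gap this check exists to catch before relying on OWD to lock data down.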