Sharing settings and organization-wide defaults – User Management and Security

In the previous section of this chapter, we learned how Salesforce profiles, roles, and permission sets influence security for Salesforce objects and their features. In this section, we will learn about security related to Salesforce data sharing. To do this, we will take a deep dive into the feature called Sharing Settings and its two core parts, Organization-Wide Default (often shortened to OWD) and Sharing Rules. The two are connected and together form the core on which Salesforce security is built. Let’s see how they work in detail.

Organization-Wide Default

From the previous section, we understood that Salesforce profiles and permission sets are responsible for giving access to Salesforce objects. So, profiles and permission sets control whether I see the Lead tab, Account tab, Opportunity tab, or any other standard or custom tab. But which Salesforce feature controls which data I see in the objects I gained access to via profiles or permission sets? The answer is Organization-Wide Default. OWD is a Salesforce feature where the Salesforce administrator can decide if the data from certain Salesforce objects should be visible to the users. OWD lets you set the default organization-wide access to the data of each object. It enables you to decide who besides the record owners should see the records and edit them. To access OWD, just search for Sharing Settings in Salesforce Setup. Let’s see what options we have when setting up the default sharing setting for Salesforce objects.

Types of object data access in OWD are the following:

  • Private – Only record owners and people above them in the Role hierarchy have access to the records and can edit them.
  • Public Read Only – All Salesforce users have access to all records, but they can only view them, not edit them. However, the record owner and those higher in the Role hierarchy can modify the records.
  • Public Read/Write – All Salesforce users have access to records and are able to edit them. Here, it does not matter whether you are higher in the Role hierarchy, as everyone in your Salesforce org can see and edit records not owned by them.
  • Public Read/Write/Transfer – Used on Leads and Cases. Besides viewing all records with the possibility to edit them, you will also be able to transfer them to other users.
  • Controlled by Parent – Used mostly when the object is a child in a Salesforce master-detail relationship, where it is set by default. It can also be used on some Salesforce standard objects such as Contacts, Orders, or Assets, which gives you the option to base the visibility of the object’s records on the object that is parent to Contacts, Orders, or Assets.

When setting the default internal access, you will also see the Grant Access Using Hierarchies checkbox on the user interface. This small feature is very important because, thanks to it, users above the record owners in the Salesforce Role hierarchy have the same access to the records as the owners (they can view and edit them).

Besides Default Internal Access, you can also set Default External Access, which is the access to records granted to Salesforce Experience Cloud users. Default External Access must be more restrictive than or equal to Default Internal Access.

There is, of course, a strong connection to profile and permission set settings: even when the OWD of a Salesforce object is set to Public Read/Write, a user who doesn’t have the edit permission granted via a profile or permission set will not be able to edit the record. Moreover, there are magical permissions available on profiles and permission sets that, when added, can upgrade certain users’ visibility of records even on objects where the OWD is set to Private. They are named View All and Modify All. When you have the View All permission on a certain Salesforce object, you will be able to view all records stored on this object despite any OWD setting. Similarly, when you have Modify All, you will be able to see and edit all records stored on this Salesforce object. The Salesforce world can be complicated, I know!
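
The interplay described in this section can be written down as a small decision model. The Python below is an added example, not Salesforce code and not part of the original chapter; it is a simplified model covering only ownership, the Role hierarchy, OWD and object permissions (no Sharing Rules, no Controlled by Parent), and every class and function name in it is hypothetical.

```python
from dataclasses import dataclass

# Least to most permissive; "Controlled by Parent" is outside this model.
OWD_LEVELS = ["Private", "Public Read Only", "Public Read/Write",
              "Public Read/Write/Transfer"]

@dataclass
class ObjectPerms:  # hypothetical name: object permissions from profile/permission sets
    read: bool = False
    edit: bool = False
    view_all: bool = False
    modify_all: bool = False

def external_default_is_valid(internal, external):
    """Default External Access must be equal to or more restrictive than internal."""
    return OWD_LEVELS.index(external) <= OWD_LEVELS.index(internal)

def effective_access(owd, perms, is_owner, above_owner, grant_hierarchy=True):
    """Return 'none', 'read' or 'edit' for one user on one record."""
    if perms.modify_all:                      # Modify All ignores OWD entirely
        return "edit"
    if not (perms.read or perms.view_all):    # no object access, sharing is moot
        return "none"
    owner_like = is_owner or (above_owner and grant_hierarchy)
    if owner_like or owd in OWD_LEVELS[2:]:   # Public Read/Write and above
        record_level = "edit"
    elif owd == "Public Read Only" or perms.view_all:
        record_level = "read"                 # View All lifts Private to read
    else:
        record_level = "none"
    # Editing needs record-level edit AND the object Edit permission.
    if record_level == "edit" and not perms.edit:
        return "read"
    return record_level

def bypasses_sharing(owd, perms, is_owner, above_owner):
    """True when access exists only because of View All / Modify All."""
    plain = ObjectPerms(read=perms.read or perms.view_all or perms.modify_all,
                        edit=perms.edit or perms.modify_all)
    return (effective_access(owd, perms, is_owner, above_owner)
            != effective_access(owd, plain, is_owner, above_owner))

if __name__ == "__main__":
    # Constructed sample users against a Private object, none of them the owner.
    users = {"rep": ObjectPerms(read=True, edit=True),
             "auditor": ObjectPerms(view_all=True),
             "integration": ObjectPerms(modify_all=True)}
    for name, p in users.items():
        print(name, effective_access("Private", p, False, False),
              bypasses_sharing("Private", p, False, False))
```

When reviewing an org, the users for whom bypasses_sharing is true are the ones whose access a Private OWD does not restrict, so View All and Modify All assignments deserve the same scrutiny as the OWD setting itself.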
