When working with what people can see within Salesforce there are four key considerations, and in this blog we will work through each of them, exploring how they control what users can see within Salesforce (not what they can do – that is controlled by user profiles and permission sets)! The four key features controlling what people can see are: Organisation Wide Defaults (OWDs), Record Ownership, Role Hierarchy and Sharing Rules.
Organisation Wide Defaults
So let’s start at the top with OWDs. OWDs can be found under Setup – Security Controls – Sharing Settings, and with OWDs you have four options: Private, Public Read Only, Public Read/Write, and Public Read/Write/Transfer. The best advice here is to lock these down so they are as restrictive as possible – but of course still let people do their jobs! Take the example of a Case record within Salesforce. The question you need to ask yourself when setting up OWDs is whether you want users to be able to see and edit all case records (Public Read/Write), see all case records (Public Read Only), or only modify the cases that they own (Private).
Record Ownership
Why is record ownership so important? Every record within Salesforce has an owner (either a user or a queue), and this affects who can see the record! If a system admin were to import a number of accounts into Salesforce and set themselves as the owner of all of the imported accounts, and your OWD is set to Private, then none of the true owners of the account records will be able to see those records, due to the combination of record ownership and the OWD.
Role Hierarchy
The role hierarchy is similar to a company org chart (but please remember that these two do not always match!). The role hierarchy shows you within Salesforce how your users relate to each other once they are assigned a role. A role within Salesforce can have one or multiple users. In the example we have here, two users at the same level, for example the Director, Channel Sales and the Director, Direct Sales, would not be able to see each other’s records if the OWD was set to Private. However, staff higher up in the hierarchy would be able to see records owned by users beneath them in the hierarchy.
Sharing Rules
There may be occasions where the OWDs need to be extended. This is where sharing rules can help! For example, members of the services team may need to be able to view all case records once they are closed. If your OWD for cases is Private, they would currently only be able to see their own records. A criteria-based sharing rule can state that any case with a status of Closed can be viewed by any member of the services team role. When using sharing rules your only option is to open up access further, never to restrict it!
So there you have it. The four key considerations and features to use when setting up your Salesforce instance to ensure that your users can see the right records at the right time! Understanding not only these four in isolation but also how they relate to each other is key in having a secure
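To make the interplay between the four controls concrete, here is an added example (not code from the original post, and not Salesforce's own implementation) that models them as a small Python access check. It walks the same scenarios as the sections above: a Private OWD on Case and Account, two directors at the same level under a VP, an admin who imported accounts and kept ownership, a queue-owned case, and a criteria-based sharing rule that opens closed cases to the Services role. All role names, user names and records are constructed for the example; the "Transfer" OWD variant is folded into Read/Write, "Grant Access Using Hierarchies" is assumed to be on, and a sharing rule is assumed to target one role exactly (not "role and subordinates").

```python
"""Toy model of Salesforce record visibility: OWD, ownership, role hierarchy, sharing rules.
Added example; the rules are simplified and the data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Access levels are ordered so that the most permissive grant wins.
NONE, READ, READ_WRITE = 0, 1, 2
LEVEL_NAME = {NONE: "No access", READ: "Read", READ_WRITE: "Read/Write"}

# The OWD is the access every *non-owner* starts from (Transfer folded into Read/Write here).
OWD_LEVEL = {
    "Private": NONE,
    "Public Read Only": READ,
    "Public Read/Write": READ_WRITE,
    "Public Read/Write/Transfer": READ_WRITE,
}


@dataclass
class Record:
    sobject: str            # e.g. "Case" or "Account"
    owner: str              # a user name or a queue name
    fields: Dict[str, str]


@dataclass
class SharingRule:
    sobject: str
    criteria: Callable[[Dict[str, str]], bool]   # criteria-based rule
    shared_with_role: str                        # exact role (assumption: no subordinates)
    level: int                                   # READ or READ_WRITE


class Org:
    def __init__(self, owd: Dict[str, str], role_parent: Dict[str, Optional[str]],
                 user_role: Dict[str, str], queue_members: Dict[str, Set[str]],
                 rules: List[SharingRule]):
        self.owd, self.role_parent, self.user_role = owd, role_parent, user_role
        self.queue_members, self.rules = queue_members, rules

    def roles_above(self, role: str) -> List[str]:
        """Every role strictly above `role`, walking up to the top of the hierarchy."""
        above, parent = [], self.role_parent.get(role)
        while parent is not None:
            above.append(parent)
            parent = self.role_parent.get(parent)
        return above

    def is_owner(self, user: str, record: Record) -> bool:
        # A queue member is treated as an owner of queue-owned records.
        return record.owner == user or user in self.queue_members.get(record.owner, set())

    def access(self, user: str, record: Record) -> int:
        # 1. Record ownership: the owner always has full access.
        if self.is_owner(user, record):
            return READ_WRITE
        # 2. OWD sets the baseline for everyone else.
        level = OWD_LEVEL[self.owd[record.sobject]]
        # 3. Role hierarchy: anyone above the owner's role inherits the owner's access.
        #    Queues have no role, so queue-owned records do not roll up.
        owner_role = self.user_role.get(record.owner)
        if owner_role and self.user_role[user] in self.roles_above(owner_role):
            level = max(level, READ_WRITE)
        # 4. Sharing rules can only widen access, hence max() rather than assignment.
        for rule in self.rules:
            if (rule.sobject == record.sobject
                    and rule.shared_with_role == self.user_role[user]
                    and rule.criteria(record.fields)):
                level = max(level, rule.level)
        return level


# Constructed org: Private OWDs, a small hierarchy, one queue and one sharing rule.
ORG = Org(
    owd={"Case": "Private", "Account": "Private"},
    role_parent={"CEO": None, "VP Sales": "CEO", "Services": "CEO",
                 "Director, Channel Sales": "VP Sales", "Director, Direct Sales": "VP Sales"},
    user_role={"admin": "CEO", "carol": "VP Sales", "alice": "Director, Channel Sales",
               "bob": "Director, Direct Sales", "dave": "Services"},
    queue_members={"Support Queue": {"dave"}},
    rules=[SharingRule("Case", lambda f: f.get("Status") == "Closed", "Services", READ)],
)

OPEN_CASE = Record("Case", "alice", {"Status": "New"})
CLOSED_CASE = Record("Case", "alice", {"Status": "Closed"})
QUEUED_CASE = Record("Case", "Support Queue", {"Status": "New"})
IMPORTED_ACCOUNT = Record("Account", "admin", {"Name": "Acme"})   # admin kept ownership on import
REASSIGNED_ACCOUNT = Record("Account", "bob", {"Name": "Acme"})   # after transferring to the true owner


def who_can_see(record: Record) -> Dict[str, str]:
    """Access level name for every user in the org, for one record."""
    return {user: LEVEL_NAME[ORG.access(user, record)] for user in ORG.user_role}


if __name__ == "__main__":
    for name, rec in [("open case", OPEN_CASE), ("closed case", CLOSED_CASE),
                      ("queued case", QUEUED_CASE), ("imported account", IMPORTED_ACCOUNT)]:
        print(name, who_can_see(rec))
```

Running it shows the post's points in one place: bob, a peer director, sees nothing of alice's cases while carol and the admin above her see everything; dave only gains Read on the closed case through the sharing rule and never loses anything because grants are combined with max(); and the imported account is invisible to bob until ownership is transferred to him.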