A blog dedicated to Salesforce Ohana

Salesforce Sharing and Security Cheat Sheet


"Sharing is Caring", right? That's the attitude I like most about the Salesforce Ohana. As I am preparing for the Sharing and Visibility Designer Architect certification, I thought of sharing some of my study notes on Salesforce Sharing and Security.

Security is the main pillar of the Salesforce ecosystem, and it is complex. It gives you fine-grained control over data access, so it requires a very good understanding of the concepts to implement it correctly.

I suggest everyone go through the articles below to understand it clearly.
I am not going to repeat everything written in these documents; rather, I would like to provide a concise, sharp cheat sheet that you can refer to anytime. So let's start -

Sharing Metadata Objects/Records:

  • For standard object -> "Object[Share]"
  • For custom object -> "Object__[Share]"
  • Contains three types of sharing -> managed sharing, user managed sharing and Apex managed sharing
  • Fields present in the share object -> access level, record ID, user or group ID
  • Share records are not created for OWDs, role hierarchies, or the "View All"/"Modify All"/"View All Data"/"Modify All Data" permissions.
  • If the owner of the record changes, share records with the reason "Manual" will also be deleted.

Implicit Sharing:

  • This is applicable only for Accounts, Contacts, Cases and Opportunities.
  • Access to parent record - If you have access to one of the child records, you will have Read Only access to the parent record.
  • Access to child record - If you have access to the parent record, you will have access to all child records (Contacts, Cases and Opportunities).

Organization Wide Defaults (OWD):

  • "Grant Access Using Hierarchies" is enabled by default for standard objects (you cannot disable it). For custom objects, you can enable/disable this property.
  • Can't be changed for contacts if person accounts are enabled.

Master Detail:

  • Access is controlled by parent record.
  • Child record will not have any share record of their own.
  • It is not possible to write sharing rule for child object.
  • Only the parent in an M:D relationship has an owner.
  • If the detail object has more than one master record, the first M:D relationship created becomes the primary relationship.

Lookup:

  • Child object can have their own sharing access level and ownership.

Manual Sharing:

  • Removed when owner changes.
  • Removed when OWD becomes at least as permissive as share.
  • Private contacts (without Accounts) cannot be manually shared.

Apex Managed Sharing:

  • Using Apex code to share the record.
  • Requires "Modify All" permission.
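
A sketch of Apex managed sharing using the share-object fields listed earlier (added here as an illustration, not code from the original post). It assumes a hypothetical custom object `Job__c` with a private OWD and an Apex sharing reason named `Hiring_Manager` defined on it; the class and method names are also made up for the example.

```apex
// Added example. Job__c, Job__Share and the Hiring_Manager sharing reason
// are hypothetical names; substitute your own custom object and reason.
public inherited sharing class JobSharing {   // sharing mode is taken from the caller

    // Grants Read access on one Job__c record to a user or public group.
    // Returns true when the share row was saved or was not needed.
    public static Boolean shareRead(Id jobId, Id userOrGroupId) {
        Job__Share share = new Job__Share();
        share.ParentId = jobId;               // record ID being shared
        share.UserOrGroupId = userOrGroupId;  // user or group ID receiving access
        share.AccessLevel = 'Read';           // access level: 'Read' or 'Edit'
        // Custom Apex sharing reason. If RowCause is left unset it defaults
        // to 'Manual', and Manual rows are deleted when the owner changes.
        share.RowCause = Schema.Job__Share.RowCause.Hiring_Manager__c;

        // allOrNone = false: a failure is returned in the result, not thrown.
        Database.SaveResult result = Database.insert(share, false);
        if (result.isSuccess()) {
            return true;
        }
        // A share that grants no more than the user already has (owner, OWD)
        // is rejected with this status code; treat that case as a no-op.
        Database.Error err = result.getErrors()[0];
        return err.getStatusCode() == StatusCode.FIELD_FILTER_VALIDATION_EXCEPTION
            && err.getMessage().contains('AccessLevel');
    }

    // Audit helper: lists who holds access through share rows and why.
    // Access from OWD, role hierarchy or "View All"/"Modify All" has no
    // share row and will not appear here.
    public static List<Job__Share> explainAccess(Id jobId) {
        return [SELECT UserOrGroupId, AccessLevel, RowCause
                FROM Job__Share
                WHERE ParentId = :jobId
                ORDER BY RowCause];
    }
}
```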

Ownership-based Sharing Rules:

  • When you want to share records owned by user, group, queue or role with another user, group, queue or role (including portal users with role).

Criteria-based Sharing Rules:

  • When you want to share records based on values of a specific field or fields with another user, group, queue or role (including portal users with role).

Manual Sharing Rules:

  • When the record owner or someone with "Modify All" permission wants to share an individual record with another user, group, queue or role (including portal users with role).

Share Group:

  • You want to share records owned by high-volume portal (HVP) users with internal users, groups or roles (includes portal users with roles).

Sharing Sets:

  • You want to share records with HVP users. Records should fulfill the below criteria:
    • The object's OWD is different from Public Read/Write.
    • The object is available for Customer Portal.
    • The custom object has a lookup field to account or contact.

Portal - High Volume Portals (Service Cloud Portals):

  • Include High Volume Customer Portal and Authenticated Website profiles. 
  • They have no roles and can’t participate in “regular” sharing rules.
  • You can share their data with internal users through Share Groups.
  • You can share object records where the object is a child record of the HVP user’s contact or account. This is done with Sharing Sets.
  • They can also access records that are:
    • Available for portals
    • Public R/W OWD or
    • Private OWD and they own the record.
  • They can access a record if they have access to that record’s parent and the OWD is set to “Controlled by parent”.
  • Cases cannot be transferred from non-HVP to HVP users.

Large Data Volumes:

  • Defer sharing settings (enabled by logging a case) and group calculation on large data loads and modifications.

If there is anything you think I should put in this list, please mention it in the comments. I will be more than happy to add it here.

I hope this cheat sheet will give you a very good summary of Salesforce Sharing.


3 comments:

  1. Thank you for sharing your notes. It is really helpful and I am quite sure it will help others as well. I like the way you share your experience, knowledge in your blog and helping community. Keep up the good work. - Craig
  2. Might want to add Enterprise Territory Management to your cheat sheet as it affects sharing?

    1. Absolutely makes sense. I published another post covering Enterprise Territory Management @ https://www.sudipta-deb.in/2019/01/salesforce-enterprise-territory.html
