Salesforce takes data security very seriously and provides multiple ways to restrict and grant access to data for individuals or groups of users.
In this article, we will focus mainly on sharing rules and how they control access to data.
What are Sharing Rules?
Sharing rules extend access to records to users regardless of their role in the hierarchy. They are created by a System Administrator of a Salesforce org to extend the access set per object in the organization-wide default (OWD) section.
Through sharing rules, access can be granted to users when an object's OWD is set to Public Read Only or Private.
- When the OWD is set to Private, then Read or Read/Write access can be granted.
- When the OWD is set to Public Read Only, then Read/Write access can be granted.
Types of Sharing Rules
There are two types of sharing rules that can be created: owner-based and criteria-based.
Differences Between the Two
The main difference between the two types of sharing rules is how each one selects the records to be shared with users:
1. Owner Based Sharing Rules
An owner-based sharing rule opens access to records owned by certain users.
2. Criteria Based Sharing Rules
A criteria-based sharing rule determines with whom to share records based on field values.
Only the following fields can be selected for the rule criteria:
- Auto Number
- Lookup Relationship (to user ID or queue ID)
- Text Area
Similarities Between the Two
The two types of sharing rules have some features in common.
Record access granted by either owner-based or criteria-based sharing rules can be extended to the following:
- Public Group
- Roles and Subordinates
- *Portal Roles
- *Portal Roles and Subordinates
- *Roles, Internal and Portal Subordinates
- *Territories and Subordinates
∗ Some categories may only appear based on enabled features or certain objects.
Both types of sharing rules can grant the following sharing access to records:
- Read Only
- *Full Access
∗ Private is only available for contacts, opportunities and cases associated with an account. Full Access is only available for campaigns.
How to Create Sharing Rules?
- In Setup, use the Quick Find box to find Sharing Settings. This is the same page used to define org-wide defaults.
- In the Manage sharing settings for drop-down list, choose the object for which to create the sharing rule. Choosing an object in this drop-down list allows you to focus in on the org-wide defaults and sharing rules for a single object at a time rather than looking at all of them in a long page—a useful thing if you’ve got a large org with multiple custom objects.
- In the Sharing Rules area, click New and give your rule a label. The Rule Name text box populates automatically when you click it.
- For the rule type, you can choose whether the sharing rule is based on the owner or based on criteria that records must match to be included.
- For Select which records to be shared, select a category from the first dropdown list, and a set of users from the second dropdown list or lookup field.
- For Select users to share with, specify the users who get access to the data.
- Select a sharing access setting.
- Click Save.
Sharing Rules Limitations
- You can use sharing rules to grant wider access to data. You can’t restrict access below your organization-wide default levels. Restriction rules can be used for custom objects to restrict data access.
- If multiple sharing rules give a user different levels of access to a record, the user gets the most permissive access level.
- You can’t use encrypted fields in criteria-based sharing rules.
- Lead sharing rules don’t automatically grant access to lead information after leads are converted into account, contact, and opportunity records.
- Criteria-based sharing rules aren’t available for all objects.
- Contact Access isn’t available when the organization-wide default for contacts is set to Controlled by Parent.
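The first two limitations above (a rule can only widen access beyond the org-wide default, and overlapping rules resolve to the most permissive level) can be checked with a small model. This is an added example in Python, not Salesforce code or a Salesforce API; the class, function and rule names and the sample record are constructed, and the model ignores record ownership, role hierarchy and manual sharing.

```python
from dataclasses import dataclass, field

LEVELS = {"None": 0, "Read": 1, "Read/Write": 2}                # least to most permissive
OWD_BASELINE = {"Private": "None", "Public Read Only": "Read"}  # access everyone has by default

@dataclass
class SharingRule:
    name: str
    access: str                                    # "Read" or "Read/Write"
    shared_with: set                               # users; stands in for groups and roles
    owners: set = field(default_factory=set)       # owner-based: records owned by these users
    criteria: dict = field(default_factory=dict)   # criteria-based: field -> required value

    def matches(self, record):
        if self.owners:
            return record["owner"] in self.owners
        return all(record.get(f) == v for f, v in self.criteria.items())

def validate(rule, owd):
    """Reject rules that are ill-formed or that do not widen the OWD baseline."""
    if owd not in OWD_BASELINE:
        raise ValueError(f"no sharing rules when OWD is {owd!r}")
    if bool(rule.owners) == bool(rule.criteria):
        raise ValueError(f"{rule.name}: set exactly one of owners or criteria")
    if LEVELS[rule.access] <= LEVELS[OWD_BASELINE[owd]]:
        raise ValueError(f"{rule.name}: {rule.access} does not widen OWD {owd}")

def access_from_sharing(user, record, owd, rules):
    """Most permissive of the OWD baseline and every matching rule (never below OWD)."""
    level = OWD_BASELINE[owd]
    for rule in rules:
        validate(rule, owd)
        if user in rule.shared_with and rule.matches(record):
            level = max(level, rule.access, key=LEVELS.get)
    return level

# Constructed sample data: one record and two overlapping rules.
RECORD = {"owner": "alice", "Region": "EMEA"}
RULES = [
    SharingRule("Sales_reads_Alice", "Read", {"bob", "carol"}, owners={"alice"}),
    SharingRule("EMEA_team_edits", "Read/Write", {"carol"}, criteria={"Region": "EMEA"}),
]

if __name__ == "__main__":
    for user in ("bob", "carol", "dave"):
        print(user, access_from_sharing(user, RECORD, "Private", RULES))
```

When auditing an org, the useful output is the users whose resulting level is higher than any single rule's author intended, which is what overlapping rules produce for `carol` here.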
Users often compare sharing rules with permission sets and assume that permission sets can be used to open up record access to a specific group of people. However, this can only be done by using sharing rules. Permission sets extend profile permissions to users, such as the ability to create, edit or delete records.
Apart from owner-based and criteria-based sharing rules, Guest User criteria-based sharing rules are an additional type of sharing rule. They give record access to guest site users based on record field values, similar to criteria-based sharing rules.