Sharing rules

With sharing rules, you are, in effect, setting automatic extensions to your organization-wide sharing settings for particular sets of users. As shown in the following screenshot, this can be considered to open up visibility and access to records for these users:

[Screenshot: Sharing rules]

Sharing rules apply to:

  • All new and existing records owned by the specified role or group members
  • Both active and inactive users

Sharing rules extend the access specified by OWDs and the role hierarchy.

Note

Sharing rules can never be stricter than your OWD settings; they can only allow wider data access for the included users or groups of users.

To define sharing rules, navigate to Setup | Security Controls | Sharing Settings. Now, scroll down to the lower part of the page to reveal the Sharing Rules sections.

The following screenshot shows you the Sharing Rules page where there are sections to set the sharing rules for the various standard objects within the application, such as Lead, Account, and Contact, as well as any custom objects in your organization:

[Screenshot: Sharing rules]

Within the Sharing Rules setup section, the following object sharing rules can be applied.

Account sharing rules

Account sharing rules are based on the account owner or other criteria, including account record types or field values, and set the default sharing access for accounts and their associated Contract, Asset, Opportunity, Case, and (optionally) Contact records.

Account territory sharing rules

Account territory sharing rules are based on territory assignment and set the default sharing access for accounts and their associated Case, Contact, Contract, and Opportunity records.

Campaign sharing rules

Campaign sharing rules are based on Campaign owner and set the default sharing access for the individual Campaign records.

Case sharing rules

Case sharing rules are based on the Case owner or other criteria, including case record types or field values, and set the default sharing access for the individual case and associated account records.

Contact sharing rules

Contact sharing rules are based on the Contact owner or other criteria, including contact record types or field values, and set the default sharing access for the individual contacts and associated account records.

Lead sharing rules

Lead sharing rules are based on the Lead owner and set the default sharing access for the individual lead records.

Opportunity sharing rules

Opportunity sharing rules are based on the Opportunity owner or other criteria, including opportunity record types or field values, and set the default sharing access for the individual opportunity and their associated account records.

User sharing rules

User sharing rules are based on group membership (described later in this chapter) or other criteria and set the default sharing access for the individual user records.

Custom object sharing rules

Custom object sharing rules are based on the custom object record owner or other criteria, including custom object record types or field values, and set default sharing access for individual custom object records.

Groups

Groups simplify extending OWD sharing access, either through a sharing rule for sets of users or when individual users selectively share their records with other users.

Public groups

Public groups are sets of users that only administrators are permitted to create and edit. However, when created, public groups can be used by everyone in the organization.

Public groups can contain individual users, users in a particular role or territory, users in a specified role along with all the users below that role in the role hierarchy, or other public groups.

Personal groups

Personal groups are sets of users that everyone can create and edit for their personal use.

Personal groups can contain individual users, public groups, the users in a particular role or territory, or the users in a particular role along with all the users below that role in the hierarchy.

Effects of adding or modifying sharing rules

When you add a new sharing rule, the access levels for the sharing rule are calculated, and you are provided with a warning confirmation dialog message, as shown in the following screenshot, indicating that this operation could take a significant time:

[Screenshot: Effects of adding or modifying sharing rules]

Changing or deleting sharing rules, as well as transferring records between users, causes the appropriate record access to be reevaluated for the impacted users.

Note

If these changes affect too many records at once, a message appears, warning you that the sharing rules will not be automatically reevaluated and you must manually recalculate them.

The following list outlines what changes can be done to Sharing Rules and the consequence of applying these changes:

  • When you change the access levels for a sharing rule, all existing records are automatically updated to reflect the new access levels
  • When you delete a sharing rule, the sharing access created by that rule is automatically removed
  • When you transfer records from one user to another, the sharing rules are reevaluated to add or remove access to the transferred records as required
  • When you modify which users are in a group or role, any sharing rules are reevaluated to add or remove access to these users as required
  • Users who are higher in the role hierarchy are automatically granted the same access that users below them in the hierarchy have from a sharing rule

    Note

    When you edit groups, roles, and territories, sharing rules are usually automatically reevaluated to add or remove access as required.

    Manually recalculating sharing rules can be performed at any time.

To manually recalculate sharing rules, navigate to Setup | Security Controls | Sharing Settings. Now, scroll down to the lower part of the page to reveal the Sharing Rules sections and in the Sharing Rules related list for the object you want, click on Recalculate, as shown in the following screenshot:

[Screenshot: Effects of adding or modifying sharing rules]

Criteria-based sharing rules

Criteria-based sharing rules are used to control which users have access to records based on specified field values on the records. For example, the account object has a custom picklist field named Market. You can create a criteria-based sharing rule that shares all accounts in which the Market field is set to US with, say, a North American Sales team in your organization, as shown in the following screenshot:

[Screenshot: Criteria-based sharing rules]

Although criteria-based sharing rules are based on values in the records and not the record owners, a role or territory hierarchy still allows users higher in the hierarchy to access the records.

You can create criteria-based sharing rules for Account, Opportunity, Case, Contact, and custom objects.

For example, a custom object has been created for Newsletter. You can create a criteria-based sharing rule that shares all newsletters in which the name is set to International with the International Sales team in your organization, as follows:

[Screenshot: Criteria-based sharing rules]

Text and text area fields must be exactly specified, as they are case-sensitive. For example, a criteria-based sharing rule that specifies International in a text field would not share records with "international" in the field.

Tip

Criteria-based sharing rule with text fields

To create a criteria-based sharing rule that matches several cases of a word, enter each value separated by a comma (for example, International, international) and use the contains operator.

There is a restriction on the type of field that can be used for sharing as part of the Criteria-based sharing. Along with record types, this list of fields can be set as criteria for sharing: Auto Number, Checkbox, Date, Date/Time, E-mail, Number, Percent, Phone, Picklist, Text, Text Area, URL, and Lookup Relationship (to either User or Queue).

Note

Up to 50 criteria-based sharing rules can be created per object.

Manual sharing rules

Users can manually share certain types of records with other users within the Salesforce CRM application. Some objects that are shared automatically include access to all other associated records. For example, if a user shares one of their account records, then the granted user will also have access to all the opportunities and cases connected to that account.

Manual sharing rules are generally used either on a one-off basis to share a record or whenever it is difficult to determine a consistent set of users, groups, and associated rules that could be covered by an organization-wide sharing setting. To be able to grant sharing access to a record, the user must be the record owner, a system administrator, a user in a role above the owner in the hierarchy, or any user who has been granted full access; alternatively, the OWD settings for that object must allow access through hierarchies.

Users grant access simply by clicking on the Sharing button found on the Record Detail page, as shown in the following screenshot:

[Screenshot: Manual sharing rules]

Note

The Sharing button does not appear if the object's OWDs are set to Public Read/Write.

Manual sharing for user records

You can specify whether the Sharing button, used to grant others access to the user's own user record, is displayed on user detail pages.

To hide or display the user sharing button for all users, navigate to Setup | Security Controls | Sharing Settings. Now, click on Edit in the Organization-Wide Defaults area and scroll to the bottom of the page.

To hide or display the sharing button on user detail pages, select the Manual User Record Sharing checkbox, as shown in the following screenshot, and then click on Save.

[Screenshot: Manual sharing for user records]

Queues

Queues allow groups of users to manage shared records.

A queue is a location where records can be routed to await processing by a group member. The records remain in the queue until a user accepts them for processing or they are transferred to another queue.

When creating a new queue, you must specify the set of objects that are stored. Permitted objects for queues are leads, cases, service contracts, and custom objects. You must also specify the set of users that are allowed to retrieve records from the queue.

Records can be added to a queue either manually or through automatic case or lead assignment rules.

Once records are added to a queue, they remain there until they are either assigned to a user or retrieved by one of the queue members. Here, any queue member or any user located above a queue member in the role hierarchy can take ownership of records in a queue.

Sharing access diagram

Many security options work together to determine whether users can view or edit a record. First, Salesforce checks whether the user's profile has object-level permission to access that object. Then, Salesforce checks whether the user's profile has any administrative permissions, such as View All Data or Modify All Data. Finally, Salesforce will check the ownership of the record. Here, the OWDs, role-level access, and any sharing rules will be checked to see whether there are any rules that give the user access to that record.

The following flow diagram shows you how users are affected by the different security options associated with record ownership and sharing models and rules that can be set:

[Diagram: Sharing access diagram]

In addition to the check to determine whether a user can view a record, shown in the previous screenshot, their profile (or permission set) must be set with the view permission for the relevant object.

In addition to the check to determine whether a user can edit a record, shown in the previous screenshot, their profile (or permission set) must be set with the edit permission for the relevant object.
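The check order described in this section, together with the case-sensitive text matching of criteria-based sharing rules, as a simplified Python model (an added example, not Salesforce code or code from the book). The role names, the `NA Sales` group, the `Market__c` field name and the `access` function are assumptions for illustration; the model assumes access through hierarchies is enabled and leaves out manual shares, territories and queues.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed role hierarchy (child -> parent); every name here is hypothetical.
ROLE_PARENT = {"NA Rep": "NA Manager", "NA Manager": "CEO", "EU Rep": "CEO"}
# Criteria-based sharing rule: field == value shares at `level` with `group`.
Rule = namedtuple("Rule", "field_name value group level")

@dataclass
class User:
    name: str
    role: str
    perms: set                      # object permissions: "read", "edit"
    groups: set = field(default_factory=set)
    view_all: bool = False          # View All Data
    modify_all: bool = False        # Modify All Data

def is_above(role, other):
    """True if `role` sits above `other` in the role hierarchy."""
    parent = ROLE_PARENT.get(other)
    while parent and parent != role:
        parent = ROLE_PARENT.get(parent)
    return parent == role

def access(user, action, record, owner, owd, rules, all_users):
    """Return (allowed, reason), checking in the order the text describes."""
    if action not in user.perms:
        return False, "no object permission"
    if user.modify_all or (user.view_all and action == "read"):
        return True, "administrative permission"
    if user is owner:
        return True, "owner"
    if owd == "Public Read/Write" or (owd == "Public Read Only" and action == "read"):
        return True, "OWD"
    if is_above(user.role, owner.role):     # assumes hierarchy access is enabled
        return True, "role hierarchy"
    for r in rules:
        if record.get(r.field_name) != r.value:   # text match is case-sensitive
            continue
        if r.level == "read" and action == "edit":
            continue
        members = [u for u in all_users if r.group in u.groups]
        if user in members or any(is_above(user.role, m.role) for m in members):
            return True, "sharing rule"
    return False, "no access"

# Constructed scenario: Private OWD, accounts whose Market__c is "US" shared read-only.
OWNER = User("eu_rep", "EU Rep", {"read", "edit"})
NA_REP = User("na_rep", "NA Rep", {"read", "edit"}, {"NA Sales"})
RULES = [Rule("Market__c", "US", "NA Sales", "read")]
```

Calling `access(NA_REP, "read", {"Market__c": "us"}, OWNER, "Private", RULES, [OWNER, NA_REP])` is denied because the rule value `US` does not match `us`, while a manager above `NA_REP` in the hierarchy inherits the rule's read access without being a group member.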
