With sharing rules, you are in effect setting automatic extensions to your organization-wide sharing settings for particular sets of users. As shown in the funnel diagram at the beginning of this chapter, this can be considered as opening up visibility and access to records for those users.
Sharing rules apply to:
- All new and existing records owned by the specified role or group members.
- Both active and inactive users.
Sharing rules extend the access specified by organization-wide defaults and the role hierarchy. To define sharing rules, follow the path Your Name | Setup | (Administration Setup) | Security Controls | Sharing Settings. Now scroll down to the lower part of the page to reveal the Sharing Rules sections.
The following shows the sharing rules page where there are sections to set the sharing rules for the various standard objects within the application, such as lead, account and contacts, as well as any custom objects in your organization:
The following object sharing rules can be applied:
These rules are based on the account owner or other criteria, including account record types or field values, and set the default sharing access for accounts and their associated contract, asset, opportunity, case, and (optionally) contact records.
These rules are based on territory assignment and set the default sharing access for accounts and their associated case, contact, contract, and opportunity records.
These rules are based on campaign owner and set the default sharing access for the individual campaign records.
These rules are based on case owner or other criteria, including case record types or field values and set the default sharing access for the individual case and associated account records.
These rules are based on contact owner or other criteria, including contact record types or field values and set the default sharing access for the individual contact and associated account records.
These rules are based on lead owner and set the default sharing access for the individual lead records.
These rules are based on opportunity owner or other criteria, including opportunity record types or field values and set the default sharing access for the individual opportunity and their associated account records.
These rules are based on the custom object record owner or other criteria, including custom object record types or field values and set default sharing access for individual custom object records.
When you add a new sharing rule, the access levels for the sharing rule are calculated and you are provided with a warning confirmation dialog message indicating that this operation could take a significant time:
The effects of changing or deleting sharing rules, as well as the transferring of records between users, cause re-evaluation of appropriate record access for the impacted users.
The following change and effects are experienced:
- When you change the access levels for a sharing rule, all existing records are automatically updated to reflect the new access levels
- When you delete a sharing rule, the sharing access created by that rule is automatically removed
- When you transfer records from one user to another, the sharing rules are re-evaluated to add or remove access to the transferred records as necessary
- When you modify which users are in a group or role, any sharing rules are re-evaluated to add or remove access to these users as necessary
- Users higher in the role hierarchy are automatically granted the same access that users below them in the hierarchy have from a sharing rule
To manually re-calculate sharing rules, follow the path Your Name | Setup | (Administration Setup) | Security Controls | Sharing Settings. Now scroll down to the lower part of the page to reveal the Sharing Rules sections and, in the Sharing Rules related list for the object you want, click on Recalculate as shown:
Criteria-based sharing rules are used to control which users have access to records based on specified field values on the records. For example, the account object has a custom picklist field named Market. You can create a criteria-based sharing rule that shares all accounts in which the Market field is set to US with, say, a North American sales team in your organization:
Although criteria-based sharing rules are based on values in the records and not the record owners, a role or territory hierarchy still allows users higher in the hierarchy to access the records.
You can create criteria-based sharing rules for accounts, opportunities, cases, contacts, and custom objects.
For example, a custom object has been created for newsletters. You can create a criteria-based sharing rule that shares all newsletters in which the name is set to International with the International sales team in your organization:
Text and Text Area fields must be specified exactly as they are case-sensitive. For example, a criteria-based sharing rule that specifies International in a text field would not share records with "international" in the field.
Record types and the following list of fields can be set as criteria for sharing:
Auto Number; Checkbox; Date; Date/Time; E-mail; Number; Percent; Phone; Picklist; Text; Text Area; URL.
Lookup relationship can also be set as criteria, either related to user or to a queue.
Users can manually share certain types of records with other users within the Salesforce CRM application. Some objects that are shared automatically include access to all other associated records. For example, if a user shares one of their account records, then the granted user will also have access to all the opportunities and cases connected to that account.
Manual sharing rules are generally used either on a one-off basis to share a record or whenever there is a difficulty trying to determine a consistent set of users, groups, and the associated rules that would be involved as part of an organization-wide sharing setting. To be able to grant sharing access for a record, the user must either be the record owner, a system administrator, a user in a role above the owner in the hierarchy, any user that has been granted full access, or the organization-wide settings for that object must allow access through hierarchies.
Users grant access simply by clicking on the Sharing button found on the Record Detail page:
Many security options work together to determine whether users can view or edit a record. First, Salesforce checks whether the user's profile has object level permission to access that object. Then, Salesforce checks whether the user's profile has any administrative permissions like View All Data or Modify All Data. Finally, Salesforce will check the ownership of the record. Here, the organization-wide defaults, role-level access, and any sharing rules will be checked to see if there are any rules that give the user access to that record.
The following flow diagram shows how users are affected by the different security options associated with record ownership and sharing models and rules that can be set:
