
Record Access (Sharing)

Announcements and discussions about existing Record Access (Sharing) features. Record Access includes (but is not limited to):

  • Organization Wide Defaults (OWD)
  • Sharing Rules (including Public Groups)
  • Restriction Rules
  • Sharing Sets
  • Sharing Hierarchy (why someone has access through Sharing)
  • Manual Sharing
  • Queues
  • Scoping Rules

Requirement

 

My client has multiple Business Units, and all BUs need Read Only access to ALL accounts, but these BUs are competitive in nature and they should not be able to view each other's activities. I understand that if they have access to an account they can see all activities, but I want to restrict the visibility of all activities (tasks, events, and emails) based on the BUs.

 

I can only create 2 restriction rules per object; therefore, I can't use all the BUs to restrict activities. Also, can I restrict visibility of emails using restriction rules?

 

What other solutions can I provide my client to meet this requirement?

6 answers
  1. Jan 30, 9:37 AM

    A quick correction to what was mentioned above for future readers: 

     

    OWD "private" for Activities does in fact NOT hide them from everyone but the owner (and role hierarchy). See documentation for "private" on Activities: "Only the activity owner, and users above the activity owner in the role hierarchy, can edit and delete the activity; users with read access to the record to which the activity is associated can view and report on the activity." 

     

    Which means, if the Account was shared with multiple BUs they would see each others Activities, too. 


I belong to a Business Unit that needs to restrict User access to specific Opportunities within shared Accounts, e.g. Account X has many Opportunities and some of them should only be viewed or accessed by certain Users.  Is this possible and what would be the best/simplest way forward?  Could the sensitive Opportunities be tagged with a custom field and then Restriction Rules be established to limit which Users can view/edit said Opportunities?  If so, any advice on how a relatively naïve user could start this process (there are literally hundreds of Restriction Rule videos out there and advice on filtering them would be appreciated)?  If Restriction Rules is not the way to go, any advice on how to proceed?

Thanks in advance!

1 answer
  1. Vuk Stajic (MVRK Inc.) Forum Ambassador
    Jan 3, 12:25 AM

    Please see a similar question with relevant answer:

     

    https://trailhead.salesforce.com/trailblazer-community/feed/0D54V00007T4NDeSAN


Hello Trailblazers!  As we go GA in Winter ‘22, we want to hear your feedback. 

 

Standard objects may have unique behaviors that we need to ensure are working with Restriction Rules. I have created a set of ideas based on feedback shared in the trailblazer community for standard objects; this way, the object owners can see and respond to your feedback. Please follow these links to upvote and comment.

We are also interested in what areas you’d like to see additional investment in and what use cases this will unlock for you. Where should we invest in Restriction Rules such that the user or record criteria supports:

========

(original post tweaked) On Sept 10, from 11:15am -12:30pm PDT, we'll be answering your questions live during the Winter '22 RRL Admin Preview! We’ll cover the latest enhancements for Flow, Dynamic Interactions, Security Center, restriction rules, + more! Register here: https://sforce.co/2Vokqte #AwesomeAdmins

https://www.salesforce.com/form/event/release-readiness-winter-22/

9 comments
  1. Oct 24, 2024, 4:31 AM

    Cross object lookup, Multi-Picklist and CONTAINS please! 

    We are unable to achieve one of our requirements where users can access all Accounts but are only allowed to access Contracts that belong to the Business Unit (Public Group) the User is assigned to. The Contract has a flag field of the business unit it belongs to, but a User can be in multiple business units. So they should see all the Contracts within the business units they are assigned to.


Hi folks!

Did you catch @Cheryl Feldman talking about The Future of User Access at TDX ’24? Were you inspired by @Jamin Hall sharing how Einstein Copilot saves you time troubleshooting (see timestamp 27:35-28:37)?

 

Help us help you, by telling us how you would interact with Einstein Copilot in this survey.

 

Thank you,

Larry Tung

@The Future of User Management

 

#Salesforce Admin @Admin Trailblazers @Record Access (Sharing) @Tuhina Koppikar @Sanghoon Oh


For use in an experience cloud site, I want users to be able to submit leads and track them as they go through the internal sales process.

1 answer
  1. Sushil Kumar (UKG) Forum Ambassador
    Apr 11, 2024, 12:48 PM

    A potential solution could be using Flow or Apex to create a LeadShare record for the record creator when the lead is created. The only challenge here is that when the lead owner changes, the LeadShare record gets deleted, so you will need another process or the same flow to recreate the record when the owner changes.
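    One way to implement the Apex variant of this answer, as an added example that is not part of the original post: an after-insert/after-update trigger on Lead grants the creating user Read access through a LeadShare row and re-grants it when the owner changes, since manual shares are dropped on owner change. The trigger name and the guard conditions are assumptions; LeadId, UserOrGroupId, LeadAccessLevel and RowCause are the standard LeadShare fields.

    ```apex
    // Added example (not the original poster's code): keep the lead creator's
    // read access alive across owner changes by re-creating a manual LeadShare.
    // Trigger name is assumed; LeadShare fields are the standard share-object fields.
    trigger LeadShareWithCreator on Lead (after insert, after update) {
        List<LeadShare> shares = new List<LeadShare>();

        for (Lead l : Trigger.new) {
            // On update, act only when the owner actually changed, because that is
            // when Salesforce removes existing manual (RowCause = 'Manual') shares.
            if (Trigger.isUpdate
                    && Trigger.oldMap.get(l.Id).OwnerId == l.OwnerId) {
                continue;
            }
            // The creator needs no extra share while they are still the owner.
            if (l.CreatedById == l.OwnerId) {
                continue;
            }
            shares.add(new LeadShare(
                LeadId          = l.Id,
                UserOrGroupId   = l.CreatedById,
                LeadAccessLevel = 'Read',   // least privilege: the creator tracks, not edits
                RowCause        = 'Manual'  // the only row cause Apex can set on standard objects
            ));
        }

        if (!shares.isEmpty()) {
            // allOrNone = false so one failing share row (for example a creator whose
            // license cannot hold lead access) does not roll back the lead DML itself.
            List<Database.SaveResult> results = Database.insert(shares, false);
            for (Database.SaveResult r : results) {
                if (!r.isSuccess()) {
                    System.debug(LoggingLevel.WARN, 'LeadShare insert failed: ' + r.getErrors());
                }
            }
        }
    }
    ```

    Because the trigger runs in system context, a user who cannot see the lead after an assignment-rule owner change still gets the share row; check the debug log for failed rows when a creator's license type does not permit lead access.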

I'm a partner community user (usertype = PowerCustomerSuccess) and I became owner of a custom object record created by another user.

 

The object OWD is private and my profile has read access to the object and my permission set has the additional create/edit access on the object. So, I should be able to create records of that object, see records of that object that I own (record.ownerid = my-user-id) but not to see records owned by others.

 

In the partner community, there is a list view (LWC) that shows the list of records of that object that belong to my account. The corresponding Apex controller has the "with sharing" setting and all subsequent classes have the "inherited sharing" setting.

 

The SOQL query doesn't have the 'WITH SECURITY_ENFORCED' portion; it just queries the Id, Name and a few more fields, and the filter condition is on record type name. There is one and only one record type as of today.

 

I (now as an admin user) recalculated the sharing rules of that custom object, reviewed with a SOQL query the state of the sharing table (customObjectName__share) and verified that I (as the partner user) am owner of the record, even though it was created by another user (CreatedById still shows another user id, obviously).

 

Then, I expect to see the new record I've become owner of from the list when I refresh the browser but it doesn't show up.

 

But if I change the controller sharing setting from "with sharing" to "without sharing", then I see the record. But I'd prefer not to use the "without sharing" setting for Apex; whenever possible, I prefer to use "with sharing".

 

No Restriction Rule or Scoping Rule was configured. Recap: just the OWD (private), the profile (read) and permission set (create/edit), Apex (with sharing for the main controller and inherited sharing for sub/child classes), no "WITH SECURITY_ENFORCED" for SOQL, recalculation triggered, and the sharing table updated correctly with my id as the new owner.

 

What else could be missing to review to troubleshoot this issue?

 

Thanks in advance.

4 answers
  1. Apr 2, 2024, 9:49 AM

    Hi @Daniel Min, a few other thoughts on this:

    1. How do you determine you don't have access to the record? If by not seeing it in the List View results, check if there are filters defined on the LV. What happens if you try to access the record via Id in the URL directly?
    2. Is anyone else in your context reporting the same problem?
    3. What license does the creator/previous owner of the record have?
    4. Is it a record of a custom object or a standard object? If a CO, there are restrictions on accessing records of only 10 COs. I believe these restrictions are contractual only, but maybe they have changed it.

Could you share your thoughts on Modify ALL Data, View All Data (MAD/VAD) versus Modify All (Records), View All (Records) on individual objects?

 

Restriction Rules currently are bypassed if a user has:

  • MAD/VAD

I'd like to make a product change (in Summer '22) to also bypass Restriction Rules if a user has 

  • MAR/VAR (since the permission for that object says "Modify All" or "View All").

 

I understand that some customers might have granted a user VAR or MAR and then used Restriction Rules to filter access. Although this currently works, it does sound a bit counter-intuitive. If you're a customer who currently does this or has strong feedback on why we shouldn't make MAR/VAR like MAD/VAD, please comment in this post. Thank you.

 

Cc:

@Dan Sheehan (He/Him)

1 comment
  1. Feb 23, 2024, 4:49 PM

    Hello, a bit late to the discussion, but there's a use case for users with regular app management permissions (in Industries, for example) that also need to be able to add campaign members with different owners, and currently that's only possible if they're given the Modify All Data permission, unfortunately. So, it would be great to either be able to apply Restriction Rules for these users or isolate the actual permissions needed for a person to add campaign members to something a bit less drastic than full access to everything.


Salesforce Record Access Resolutions for 2024 (12 min video)

  • Are you ... doing your annual realignment?
  • Making big changes to your role hierarchy?
  • Making a large number of public group membership or territory changes?

If you have large record volumes, check it out!

 

And if you have feedback on how long it takes regarding sharing/record access related changes, please let me know!

 

@Record Access (Sharing) @Record Access (Sharing) Pilots & Betas @Admin Trailblazers


Hi, all,

 

I am learning sharing and visibility, especially Account Team.

 

A help regarding Account Access via Team, it states, "Suppose that a user with group-based access adds account team members. If the account owner is changed, the team members added by users with group-based access are removed from the team, even if the Keep account team option is selected."

https://help.salesforce.com/s/articleView?id=sf.accountteam_def.htm&type=5

 

I cannot understand "Suppose that a user with group-based access adds account team members." What is "a user with group-based access"? Can anyone understand this?

3 answers
  1. Jan 16, 2024, 3:41 AM

    Hi @健 小林,

    "A user with group-based access" refers to a user who has access to records based on their group membership.

     

    "Suppose that a user with group-based access adds account team members" means that if the owner of an account changes, and the person who added team members belongs to a group-based access system, those added team members may be removed automatically, regardless of the Keep account team option.

     

    Check out: https://help.salesforce.com/s/articleView?id=sf.fsc_admin_data_model_group.htm&type=5

    https://help.salesforce.com/s/articleView?id=sf.security_sharing_rules_group.htm&type=5 

     

    Hope this helps you. Thanks


Hi, all,

I am learning Sharing on this document.

https://developer.salesforce.com/docs/atlas.en-us.246.0.dat.meta/dat/dat_components.htm

 

In this document, regarding Public Groups Use Cases, it describes 'Groups also have the ability to protect data shared in the group from being made accessible to people in the role hierarchy above the group members. This (and dealing with the access of record owners and their management hierarchy) allows the creation of groups in which very highly confidential information can be shared—the data will be accessible ONLY to group members, and nobody else in the organization. This is accomplished by using the Grant Access Using Hierarchies setting.'

 

But I cannot imagine how this can be realized by using the Grant Access Using Hierarchies setting? Can anyone come up with any ideas to realize this? (My understanding is that when we use Grant Access Using Hierarchies setting, users in upper roles can see the records which are defined to be shared by only a specific Public Group by Sharing Rule.)

2 answers
  1. Jan 14, 2024, 10:22 PM

    There is a specific setting you can check when creating the public group. Unchecking it prevents users from higher in the hierarchy from seeing the data. 
