Salesforce Sharing Model and Data Security

The Salesforce Sharing Model governs the security and sharing settings of data among users or groups of users in the organisation. It offers a flexible, layered sharing and visibility model to provide different data sets to different sets of users. It lets you specify which users can view, create, edit, or delete any record or field, and you can control access by combining security controls at different levels.

Salesforce Data Security

In Salesforce, data security is broadly divided into four categories, as listed below.

  1. Organization Access
  2. Object Access
  3. Fields Access
  4. Records Access

Beyond organization-level access, Salesforce can secure access to objects, fields, and individual records.

Data Access and Authorisation

Profiles, Permission Sets, Roles, and OWD settings together define what a user can access and is authorised to do in Salesforce. Permission sets are an add-on to the profiles and provide additional permissions to specific users. Roles govern what you can see, and Profiles control what you can do.

Salesforce recommends a restrictive data access approach: grant the bare minimum permissions and data access using profiles and OWD settings, then expand access with additional mechanisms such as sharing rules and manual sharing.

Profile

A profile is a collection of settings and permissions that determine which data the user can see and what the user can do with that data. Profiles usually match up with a user’s job function. For example, a VP of Sales will have access to all the Sales objects and will be able to perform functions like pipeline forecasting, managing the deal cycle, etc.

Here are some key highlights of the profile:

Mainly, the profile manages which CRED operations the user can perform on each object. This ties back to the basic database concept of CRUD, which in Salesforce we can call CRED:

• C – Create
• R – Read
• E – Edit
• D – Delete

In addition to basic CRED permissions, Salesforce also provides ‘View all’ and ‘Modify all’ options on Salesforce objects for data administration.

To provide additional administrative and general user permissions, go to the Administrative and General User Permission section. After that, select the needed permissions.

Roles

Data visibility also depends on the organisation-wide defaults, which are set as a baseline for vertical data sharing. Sharing rules are used to extend the access we receive from roles. They give the admin more flexibility to open up record visibility horizontally across the hierarchy.

Permission Sets

Permission Sets are add-on permissions (for objects, field-level security, record types, tabs, apps) on top of profiles that can be allocated to individual users. This helps keep the profile count low and allows specific permissions to be added to meet business requirements.
For instance, if one sales profile user needs to delete leads, we can create a permission set with just the delete permission (the D in CRED) on leads and assign it to that user.
Admins can also combine permission sets into a group called a ‘Permission set group.’ This helps connect similar permissions and gives more flexibility to create abstract permissions.

Org-Wide Defaults

Org-wide defaults specify the baseline level of access that the most restricted user should have. Use org-wide defaults to lock down your data, and then use the other record-level security and sharing tools (role hierarchies, sharing rules, and manual sharing) to open up the data to users who need it.

Types of OWD access and the access each grants:
• Private: Read/Edit access for the record owner and anyone above the owner in the role hierarchy.
• Public Read Only: Read access to everyone, but only the owner and anyone above that hierarchy can edit.
• Public Read/Write: Read/Edit access to everyone (given they have object-level permission).
• Public Read/Write/Transfer (only for Leads & cases): Read/Edit/Transfer to everyone.
• Controlled by Parent: Inherits OWD sharing from parent record (for tasks, contact, opportunity, order, master-detail, and some other standard objects).

Sharing Rules

Sharing rules in Salesforce are used to grant sharing access to users. They extend record access beyond organization-wide defaults based on criteria such as owner or custom fields. They can be created through Setup and provide additional access to specified users or groups.

There are two types of sharing rules:
• Ownership Based – Share the records owned by specific users with other users or a group of users.
• Criteria Based – Share the records that meet some criteria with other users or a group of users.

Here are some of the key highlights of sharing rules.

Manual Sharing

Manual sharing is an option to share one specific record with another user who does not have access to the record.

The options for sharing the record offer access levels similar to those of OWD:
• Read-only: Provides view access.
• Read/Write: Provides view and edit access.
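
The layers described above (profile and permission set object permissions, OWD, role hierarchy, sharing rules, manual sharing) combine into one access decision. The following is an added, simplified Python model of that combination, not Salesforce code and not part of the original article; it covers only read and edit, assumes Grant Access Using Hierarchies is enabled, and all names in it (`User`, `record_access`, `can`, the sample users and lead) are hypothetical.

```python
from dataclasses import dataclass, field

RANK = {"none": 0, "read": 1, "edit": 2}
# Baseline record access each OWD setting gives to users who are not the owner.
OWD = {"Private": "none", "Public Read Only": "read", "Public Read/Write": "edit"}

@dataclass
class User:
    name: str
    role: str
    perms: set                               # object permissions: profile + permission sets
    groups: set = field(default_factory=set)

def above(role, other, parent):
    """True when `role` sits above `other` in the role hierarchy."""
    while (other := parent.get(other)) is not None:
        if other == role:
            return True
    return False

def record_access(user, rec, owd, parent, rules, manual):
    """Highest record-level grant from OWD, ownership/hierarchy, sharing rules, manual share."""
    grants = [OWD[owd], manual.get((rec["id"], user.name), "none")]
    # Assumes "Grant Access Using Hierarchies" is enabled for the object.
    if rec["owner"].name == user.name or above(user.role, rec["owner"].role, parent):
        grants.append("edit")
    for rule in rules:                       # ownership- or criteria-based sharing rule
        if rule["to_group"] in user.groups and rule["matches"](rec):
            grants.append(rule["level"])
    return max(grants, key=RANK.get)

def can(user, action, rec, owd, parent, rules=(), manual=None):
    """Allow only when the object permission and the record access both permit `action`."""
    if "modify_all" in user.perms or (action == "read" and "view_all" in user.perms):
        return True                          # 'View all' / 'Modify all' bypass record sharing
    if action not in user.perms:
        return False
    return RANK[record_access(user, rec, owd, parent, rules, manual or {})] >= RANK[action]

# Constructed sample org (hypothetical): role hierarchy VP > Manager > Rep.
PARENT = {"Rep": "Manager", "Manager": "VP"}
alice = User("alice", "Rep", {"read", "edit"})
bob = User("bob", "Rep", {"read", "edit"}, {"EMEA Sales"})
carol = User("carol", "Manager", {"read"})
lead = {"id": "L1", "owner": alice, "region": "EMEA"}
RULES = [{"to_group": "EMEA Sales", "matches": lambda r: r["region"] == "EMEA", "level": "read"}]
```

With a Private OWD, `bob` gains read access to `lead` only through the criteria-based rule, and `carol` can see the record through the hierarchy but cannot edit it because her object permissions lack edit.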

To Sum Up

The Salesforce platform offers a flexible, layered data-sharing model that lets admins efficiently manage the visibility of data sets to different sets of users. For example, you can control access to your entire org, a specific object, a specific field, or even an individual record with the Salesforce Sharing Model. This helps organisations reduce the risk of data leakage and data misuse while providing the required access to users.

Choosing the data set each user or group of users can see is one of the critical decisions that affect the security of your Salesforce org.

Frequently Asked Questions (FAQ)

1. What is the Salesforce Data Sharing model?

The Salesforce Sharing Model governs the security and sharing settings of data among users or groups of users in the organisation. It offers a flexible, layered sharing and visibility model to provide different data sets to different sets of users. It lets you specify which users can view, create, edit, or delete any record or field, and you can control access by combining security controls at different levels.

2. How many types of sharing are there in Salesforce?

There are two primary ways to share records in Salesforce:

1. Sharing rules enable you to extend access to records beyond the baseline access for each object. For instance, if you have org-wide sharing defaults of Public Read Only or Private, you can provide access for some users with sharing rules.

There are two types of sharing rules:

a. Ownership Based – Share the records owned by specific users with other users or a group of users.
b. Criteria Based – Share the records that meet some criteria with other users or a group of users.

2. Manual sharing is an option to share one specific record with another user who does not have access to the record.

3. What are Sharing Rules in Salesforce?

The sharing rules in Salesforce are used to grant sharing access to users. The users can be in roles, territories or public groups. Sharing rules give particular users greater access by making automatic exceptions to your org-wide sharing settings.

4. What is the “Grant Access Using Hierarchies” checkbox used for in OWD settings?

Beyond setting the organization-wide sharing defaults for each object, you can specify whether users have access to the data owned by or shared with their subordinates in the hierarchy. For example, the role hierarchy automatically grants record access to users above the record owner in the hierarchy. By default, the Grant Access Using Hierarchies option is enabled for most standard objects, and it can only be changed for custom objects.
