Record level Security in Salesforce
Introduction to Record Level Security in Salesforce:
Once you are done with the object-level and field-level access permissions, you can also configure access settings for the actual records themselves. Record-level security lets you give users access to some records of an object but not others. Every record is owned by a user or a queue, and the owner of the record has full access to it. If a role hierarchy is set up in the org, users higher in the hierarchy always have the same access as the users below them in the hierarchy. This access applies to records owned by users and to records shared with them.
To specify record-level security, first set up your Organization-Wide Default (OWD) sharing settings and define a role hierarchy, and then create sharing rules.
Roles work alongside profiles and permission sets in a Salesforce org: a profile or permission set controls a user's object-level and field-level access permissions, while roles control the user's record-level security through the role hierarchy and the sharing rules.
In how many ways can records be shared?
- Organization-Wide Defaults
- Role Hierarchy
- Sharing rules
- Manual Sharing
- Apex programming
1. Organization-Wide Defaults:
This setting applies to the whole org, not to a single group or a single person, and data is shared with others based on the “Default Sharing Settings”.
OWD has the following settings:
Private: When the OWD setting is Private, no one can see other users' records. For example, if Opportunity is set to Private and I create an opportunity in the org, nobody else has access to that record.
Public Read/Write: When the OWD setting is Public Read/Write, everyone gets read and write access to every record.
Public Full Access: When the OWD setting is Public Full Access, everyone in the org gets full access to each and every record.
Public Read/Write/Transfer: Everyone in the org gets read, write and transfer access (transfer to another user in the org) on each and every record.
Controlled by Parent: This setting is available only for child records in a master-detail relationship; access to the child is controlled entirely by its master (parent) record.
How to get to OWD: Setup -> Administer -> Security Controls -> Sharing Settings
2. Role Hierarchy (Grant Access Using Hierarchies):
How to get to Grant Access Using Hierarchies: Setup -> Security Controls -> Sharing Settings -> Edit -> Grant Access Using Hierarchies
– Sharing is granted based on the role hierarchy: if I (a Sales Rep) create a campaign record, my manager gets access to that record.
– By default, Salesforce standard objects do not have the edit option available for Grant Access Using Hierarchies.
– If we uncheck it for a custom object, users above the owner in the role hierarchy no longer get access to those records through the hierarchy.
3. Sharing Rules
How to get to Sharing Rules: Setup > Security Controls > Sharing Settings > Sharing Rules > New.
If you want to share records with defined groups or roles, you can use sharing rules.
There are two types of sharing rules:
a. Based on record owner: you specify whose records are shared with whom, and at what access level, such as Read Only or Read/Write.
b. Based on criteria: here you define criteria on the object's fields, for example Merchandise Stock greater than 10000, or Opportunity Name contains a specified string (for example "phone").
Ownership based Sharing
Criteria based Sharing
4. Manual Sharing
Manual Sharing: Manual sharing allows users to grant one-off access to their individual records for users, public groups and roles.
Manual sharing is available:
- To record owners, their managers in the role hierarchy, and administrators.
- For objects whose organization-wide default is Public Read Only or Private.
5. Apex programming: We can share records via Apex code with defined groups, roles and users. The first three methods are useful when sharing is decided at the org level, the group level or even for individual users, but not when sharing must depend on an action performed on a record.
Example:
Let's take an example: when the owner of an opportunity is changed to someone else, the previous owner should keep READ access to the record.
Note: we cannot achieve this with the first three methods above, so we write an Apex trigger to achieve it.
trigger OpportunityShare on Opportunity (after update) {
    // Share rows to insert for every opportunity in this batch whose owner changed
    List<OpportunityShare> optyShrList = new List<OpportunityShare>();
    for (Opportunity oppty : Trigger.new) {
        Id previousOwnerId = Trigger.oldMap.get(oppty.Id).OwnerId;
        if (oppty.OwnerId != previousOwnerId) {
            OpportunityShare opptyShare = new OpportunityShare();
            opptyShare.UserOrGroupId = previousOwnerId;      // grant access to the previous owner
            opptyShare.OpportunityId = oppty.Id;             // standard share objects use <Object>Id, not ParentId
            opptyShare.OpportunityAccessLevel = 'Read';      // standard share objects use <Object>AccessLevel
            opptyShare.RowCause = Schema.OpportunityShare.RowCause.Manual;
            optyShrList.add(opptyShare);
        }
    }
    insert optyShrList;                                      // no-op when the list is empty
}
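Sharing with a role rather than a single user, and with an Apex sharing reason instead of a manual row, as an added example that is not code from the original post. It assumes a custom object Merchandise__c (so its share object is Merchandise__Share) on which a custom Apex sharing reason named Regional_Manager__c has been defined, and that the object's OWD is Private or Public Read Only, since share rows cannot be inserted for an object whose OWD is already Public Read/Write.

```apex
// Added example, not from the original post. Assumed: custom object Merchandise__c
// with an Apex sharing reason Regional_Manager__c defined on Merchandise__Share.
public with sharing class MerchandiseSharingService {

    // Grants Read access on the given records to every user holding the given role.
    // Returns the per-row results so the caller can log failures instead of losing them.
    public static List<Database.SaveResult> shareWithRole(List<Merchandise__c> records, Id roleId) {
        // Salesforce keeps a Group row of Type 'Role' for each role; share rows accept
        // that Group Id (not the UserRole Id) as UserOrGroupId.
        Group roleGroup = [SELECT Id FROM Group WHERE Type = 'Role' AND RelatedId = :roleId LIMIT 1];

        List<Merchandise__Share> shares = new List<Merchandise__Share>();
        for (Merchandise__c rec : records) {
            Merchandise__Share s = new Merchandise__Share();
            s.ParentId = rec.Id;             // custom-object share rows use ParentId / AccessLevel
            s.UserOrGroupId = roleGroup.Id;
            s.AccessLevel = 'Read';          // 'Read' or 'Edit'; 'All' is reserved for the owner
            // A custom sharing reason marks the row as Apex managed sharing, which the
            // platform keeps across owner changes; Manual rows are removed when the owner changes.
            s.RowCause = Schema.Merchandise__Share.RowCause.Regional_Manager__c;
            shares.add(s);
        }
        // allOrNone = false: a duplicate or invalid row does not roll back the others.
        return Database.insert(shares, false);
    }
}
```

Call it from a trigger or a batch with the records and the UserRole Id, for example after a field on the record that names the responsible region is set, and inspect the returned SaveResults for rows the platform rejected.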
Scenario-based Examples:
Record-level security defines whether a user can see a particular record of an object, given that he already has access to the object and its fields through object-level security.
So let's say that we want all users to be able to view only the records they own, that is, the records whose Owner field is set to their own user.
Since we want the user to be able to see records of the object, we give him the necessary object-level and field-level permissions. But to give him access only to his own records, we need record-level security. We can achieve this by setting the OWD of the relevant objects to Private, so that records are visible only to their owners by default.
So we go to the OWD settings and change the OWD for Account/Contract from Public Read Only to Private:
Once changed, the OWD will look like this:
When I log in as my first user, Salesforce Drillers, we can access an Account record:
Since the owner is Salesforce Drillers, if we log in as another user in our system called Admin 2, we cannot access this record as the second user, because the OWD has been set to Private and this record has not been shared with Admin 2.
If we want to manually share this record from the page, we can use the Sharing button on the record level.
And manually provide access to the Admin 2 user so that they can access this record.
Alternatively, you can use the role hierarchy to provide access to the user. Go to Setup -> Roles and set up the roles:
Now assign the CEO role to your Salesforce Drillers user and the CFO role to the second user, Admin 2.
Since the CEO role is above the CFO role in the hierarchy, the record will now be visible to the Admin 2 user as well.
NOTE: Previously, this Sharing button did not show up on the Account record if the OWD was set to Public. Now the Sharing button is available on the record irrespective of the OWD setting.
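The scenario above checked from Apex rather than by clicking through the UI, as an added example that is not code from the original post: two classes (each in its own file), a small helper that asks the UserRecordAccess object what the running user may do with a record, and a test that reproduces the walkthrough with a constructed Account, two constructed users and a manual share equivalent to the Sharing button. It assumes the Account OWD is Private as set above, that a profile named "Standard User" exists, and that the Contact OWD is Controlled by Parent (so ContactAccessLevel is not set on the AccountShare row).

```apex
// Added example, not from the original post. Assumed: Account OWD = Private,
// a "Standard User" profile, Contact OWD = Controlled by Parent.
public with sharing class RecordAccessCheck {
    // Asks the platform what the running user may do with one record after OWD,
    // role hierarchy, sharing rules and manual shares have all been applied.
    // UserRecordAccess must be filtered by both UserId and RecordId.
    public static UserRecordAccess accessFor(Id recordId) {
        return [SELECT RecordId, HasReadAccess, HasEditAccess, MaxAccessLevel
                FROM UserRecordAccess
                WHERE UserId = :UserInfo.getUserId() AND RecordId = :recordId];
    }
}

@IsTest
private class RecordAccessCheckTest {
    // Constructed test user on the Standard User profile; no role, so no hierarchy access.
    private static User makeUser(String alias) {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        return new User(Alias = alias, Email = alias + '@example.com', EmailEncodingKey = 'UTF-8',
            LastName = alias, LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US',
            ProfileId = p.Id, TimeZoneSidKey = 'America/Los_Angeles',
            UserName = alias + '.' + System.currentTimeMillis() + '@example.com');
    }

    @IsTest
    static void ownerSeesRecordOtherUserDoesNotUntilShared() {
        User owner = makeUser('own1');
        User other = makeUser('oth1');
        insert new List<User>{ owner, other };

        // System.runAs enforces record sharing, which is exactly what we want to observe.
        // Non-setup DML is kept inside runAs blocks to avoid the mixed-DML error after inserting Users.
        Account acc;
        System.runAs(owner) {
            acc = new Account(Name = 'Constructed test account');
            insert acc;
            System.assertEquals(true, RecordAccessCheck.accessFor(acc.Id).HasReadAccess);
        }
        System.runAs(other) {
            // Private OWD, no role hierarchy, no sharing rule, no manual share: not visible
            System.assertEquals(false, RecordAccessCheck.accessFor(acc.Id).HasReadAccess);
        }
        System.runAs(owner) {
            // Same effect as the Sharing button: a Manual share row granting Read to the other user
            insert new AccountShare(AccountId = acc.Id, UserOrGroupId = other.Id,
                AccountAccessLevel = 'Read', OpportunityAccessLevel = 'None',
                CaseAccessLevel = 'None', RowCause = 'Manual');
        }
        System.runAs(other) {
            UserRecordAccess ura = RecordAccessCheck.accessFor(acc.Id);
            System.assertEquals(true, ura.HasReadAccess);
            System.assertEquals(false, ura.HasEditAccess);   // Read share does not grant edit
        }
    }
}
```

The same query is the quickest way to confirm the role-hierarchy step as well: assign the roles as described above, run the check as the Admin 2 user, and HasReadAccess turns true without any share row being inserted.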