Salesforce Sharing & Visibility

I created this mind map in 2021 to prepare for my Salesforce CTA review board. I hope you find it useful for your studies. Please make sure to check the latest official Salesforce documents to stay updated on new developments. If you would like to update this mind map, please feel free to contact me on LinkedIn: https://www.linkedin.com/in/charlieguo/ -- Charlie


1. Implicit Sharing

1.1. ImplicitParent

1.1.1. Access to Contact, Opportunity, Case => Access to parent Account

1.1.2. Contract Owner, Order Owner

1.1.3. Implicit Parent sharing does not apply when access is provided by sharing set!

1.1.4. High Volume Parent for Sharing Group: avoid CC owning a contact or case!

1.2. ImplicitChild

1.2.1. ImplicitPerson

1.2.1.1. The User or Group has access to the contact of a person account via a Contact sharing rule.

1.2.2. Only 3 children: Contact, Opportunity, Case

1.2.3. Only for account owners, not everyone with account access

1.2.4. Implicit Sharing works with RH

1.2.5. Access level is based on role configuration

1.3. CC+ & PC

1.3.1. Read Access to Parent Account & its Contacts

1.4. CC

1.4.1. Read access to Parent Account and their own Contact

1.4.2. CC has no ImplicitParent or ImplicitChild

2. Ownership

2.1. Guest user should not own records or files

2.1.1. Community -> Admin -> Preferences -> Default Owner of records created by guest users

2.2. CC ownership

2.2.1. CC ownership prevents advanced sharing, even manual sharing

2.2.2. Sharing Group is the only way to get access to those records

2.2.2.1. Admin still has access

2.2.2.2. Guest user sharing rules can share these records

2.2.3. Can't change file owner to a CC user

2.2.4. Can't change case owner to a CC user

2.2.5. Can change the owner of a custom object record to a CC user! (Verified)

2.3. Standard object

2.3.1. Changing the owner deletes manual shares

2.3.2. Keep account team: UI & SOAP

2.3.3. Keep opportunity Team: UI & SOAP

2.4. Full Access & Manual Share

2.4.1. Record owner & users above in RH have Full Access => can manually share records

2.4.2. Not possible to grant Full Access to others

2.4.3. Users with "Modify All" or "Modify All Data" can manually share records

3. Sharing Architecture

3.1. Objects without sharing table

3.1.1. Public Read & Write Objects

3.1.2. CBP or detail objects

3.1.3. Product OWD: Pub-R

3.1.3.1. No ProductShare

3.1.3.2. Sharing Rule: Only CBS for Guest User, only Read access

3.1.4. Pricebook OWD: Use

3.1.4.1. No PricebookShare

3.1.4.2. Manual Share is the only way!

3.1.4.3. No way to share to CC users

3.1.4.4. LWC + Apex without sharing

3.1.4.5. Edit access lets users see all pricebooks

3.1.5. Activities

3.1.5.1. No ActivityShare, EventShare, or TaskShare

3.1.6. File

3.1.6.1. No share table. Has its own sharing architecture

3.2. Groups

3.2.1. Group Maintenance Tables

3.2.1.1. System Defined Groups

3.2.1.1.1. Role

3.2.1.1.2. RoleAndSubordinates

3.2.1.1.3. RoleAndInternalSubordinates

3.2.1.1.4. Territory

3.2.1.1.5. TerritoryAndSubOrdinates

3.2.2. Public Group Considerations

3.2.2.1. Avoid 5+ levels of nesting

3.2.2.2. Option: Grant Access Using Hierarchies

3.2.2.3. CC users can't be in public group

3.2.3. Queue

3.2.3.1. Guest users can't be queue members

3.2.3.2. Asset can't be in queue. (They can't be shared with ARDSR either)

3.2.3.2.1. Work Order and Service Contract can be queue members now (1/7/2022). But they are still not available for ARDSR

3.2.3.3. Does it work with Role Hierarchy? Yes

3.2.3.4. Queue membership is irrelevant to Omni-Channel skills-based routing

3.3. Skews: 10,000

3.3.1. Ownership Skew

3.3.1.1. When users change roles, RH, or groups

3.3.1.2. Do not give a role, do not put in groups

3.3.1.3. But account owner must have a role for account to have community users. Give system owner of accounts a top role and keep it out of groups

3.3.2. Lookup Skew

3.3.2.1. What to do if the lookup record is deleted? Clear the value of this field

3.3.3. Account skew performance impact

3.3.3.1. When child records change

3.3.3.2. When owner or owner RH changes

3.4. Record Locking Common Reasons

3.4.1. Record ownership change

3.4.2. User role changes

3.4.3. RH change

3.4.4. Public Group changes

3.4.5. Record Level Locking: Parent Child, Siblings

3.4.6. Large Scale Realignment Tools

3.4.6.1. Deferred Sharing Maintenance

3.4.6.2. Parallel Sharing Rule Recalculation

4. Programmatic Sharing

4.1. User Managed Sharing with Apex or Flow

4.1.1. RowCause = "Manual"

4.1.2. Owner change => sharing record removal

4.1.3. Before-update trigger: save the share records and restore them afterwards. Tricky to do. Or re-create the shares using business rules.

4.1.4. Use a shadow table to maintain sharing

4.2. Apex Managed Sharing

4.2.1. Need "Modify All Data" permission! => Do this in system mode

4.2.2. Use an Apex Sharing Reason (only available for custom objects)

4.3. Share Table

4.3.1. ParentId: Id of the record to be shared

4.3.2. UserOrGroupId

4.3.3. AccessLevel

4.3.4. RowCause

4.3.5. AccountShare: ContactAccessLevel, OpportunityAccessLevel, CaseAccessLevel
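The share-table fields above (ParentId, UserOrGroupId, AccessLevel, RowCause) and the Apex Sharing Reason from 4.2, as an added example that is not part of the mind map. It assumes a hypothetical custom object Project__c with a Reviewer__c user lookup and an Apex Sharing Reason whose RowCause API name is Reviewer__c; the class runs without sharing because share-row maintenance is a system-mode operation (4.2.1).

```apex
// Added example: Apex managed sharing for a hypothetical Project__c object.
// Assumes: lookup field Reviewer__c (User) and Apex Sharing Reason "Reviewer"
// (RowCause API name Reviewer__c). Call from an after insert / after update trigger.
public without sharing class ProjectSharingService {

    // Re-syncs Reviewer__c shares. oldMap is null on insert.
    public static List<Database.SaveResult> syncReviewerShares(
            List<Project__c> records, Map<Id, Project__c> oldMap) {
        Set<Id> changedIds = new Set<Id>();
        List<Project__Share> toInsert = new List<Project__Share>();
        for (Project__c p : records) {
            Boolean changed = oldMap == null
                || p.Reviewer__c != oldMap.get(p.Id).Reviewer__c;
            if (!changed) continue;               // avoid duplicate share rows
            changedIds.add(p.Id);
            // Owner already has Full Access; a share row to the owner is rejected.
            if (p.Reviewer__c == null || p.Reviewer__c == p.OwnerId) continue;
            Project__Share s = new Project__Share();
            s.ParentId = p.Id;                    // record being shared
            s.UserOrGroupId = p.Reviewer__c;      // user (or group) receiving access
            s.AccessLevel = 'Read';               // Read or Edit; never 'All'
            // Custom RowCause marks the row as Apex managed: unlike RowCause = 'Manual'
            // (4.1.2) it survives an owner change, and it is separately recalculable (4.4).
            s.RowCause = Schema.Project__Share.RowCause.Reviewer__c;
            toInsert.add(s);
        }
        if (changedIds.isEmpty()) return new List<Database.SaveResult>();

        // Revoke the previous reviewer's access before granting the new one,
        // deleting only rows created for this reason, never manual or rule-based rows.
        delete [SELECT Id FROM Project__Share
                WHERE ParentId IN :changedIds
                  AND RowCause = :Schema.Project__Share.RowCause.Reviewer__c];

        // Partial success: one bad row (e.g. inactive user) must not block the rest.
        List<Database.SaveResult> results = Database.insert(toInsert, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                System.debug(LoggingLevel.ERROR, 'Share failed for ' + toInsert[i].ParentId
                    + ': ' + results[i].getErrors()[0].getMessage());
            }
        }
        return results;
    }
}
```

Wire it from a trigger on Project__c as `ProjectSharingService.syncReviewerShares(Trigger.new, Trigger.isUpdate ? Trigger.oldMap : null);` so the user creating the record does not need Modify All Data themselves.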

4.4. Apex Sharing Recalculation (In Classic)

4.4.1. Salesforce invokes the job when OWD or sharing rules change

4.4.2. Recalculate Apex Sharing button

4.4.3. Database.Batchable

4.5. System Mode

4.5.1. Standard controllers respect OWD, FLS, RH, and sharing rules; custom controllers do not.

4.5.2. With Sharing: Enforcing sharing rules

4.5.3. Without Sharing

4.5.3.1. LWC + Apex without sharing

4.5.3.2. CC+ users have no access to AccountShare & ContactShare; use Apex without sharing

4.5.4. Inherited Sharing

4.5.5. Enforce CRUD and FLS in Apex

4.5.6. SOQL "WITH SECURITY_ENFORCED"

4.5.7. LWC + Apex in system mode can get external object records

4.5.7.1. Try to avoid UI hack!
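How an LWC's Apex backend can respect sharing, CRUD, and FLS (4.5.4 to 4.5.6) instead of silently running in system mode, as an added example that is not part of the mind map. It assumes a hypothetical custom object Project__c with a Budget__c field.

```apex
// Added example: Apex controller for an LWC that enforces the running user's
// sharing, CRUD and FLS. Assumes a hypothetical Project__c object with Budget__c.
public inherited sharing class ProjectController {
    // inherited sharing: when this class is the entry point (called from an LWC),
    // it runs "with sharing", so OWD, RH and sharing rules filter the rows;
    // when called from a "without sharing" class it keeps the caller's mode.

    @AuraEnabled(cacheable=true)
    public static List<Project__c> myVisibleProjects() {
        // WITH SECURITY_ENFORCED: the query throws System.QueryException if the
        // user lacks read access to Project__c or to any selected field (CRUD + FLS).
        return [SELECT Id, Name, Budget__c
                FROM Project__c
                WITH SECURITY_ENFORCED
                ORDER BY Name
                LIMIT 200];
    }

    @AuraEnabled
    public static Id createProject(String name, Decimal budget) {
        // OLS/CRUD check before DML: Apex DML ignores object permissions otherwise.
        if (!Schema.sObjectType.Project__c.isCreateable()) {
            throw new AuraHandledException('No create access on Project');
        }
        Project__c p = new Project__c(Name = name, Budget__c = budget);
        // FLS check for DML: stripInaccessible drops fields the user may not create.
        // Here that is treated as an error rather than silently saving a partial record.
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.CREATABLE, new List<Project__c>{ p });
        if (!decision.getRemovedFields().isEmpty()) {
            throw new AuraHandledException(
                'Fields not creatable: ' + decision.getRemovedFields());
        }
        Project__c safe = (Project__c) decision.getRecords()[0];
        insert safe;
        return safe.Id;
    }
}
```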

5. File Knowledge Reports

5.1. File: 2000 links per file

5.1.1. File Privacy on Record (Sharing Privacy) Sharing Option

5.1.2. Share Type, Visibility

5.1.3. Library sharing Add user or public group as Viewer, Author, or Admin

5.1.4. Folders can be shared with Public Link only: anyone with this link can view and download the contents of the folder on the internet.

5.2. Report & Dashboard Sharing by Folder

5.3. Data Category: 3 active category groups / 5 total; 100 categories in a group (soft limit); 5 levels in hierarchy

5.3.1. Data categories are used in Salesforce Knowledge (articles and article translations), Ideas, Answers, and Chatter Answers to help classify and find articles, questions, or ideas. You can use data categories to control access to a particular set of articles, questions or ideas.

5.3.2. Data category visibility can be set with roles, permission sets, permission set groups, or profiles. Data category visibility determines the individual data categories, categorized articles, and categorized questions that you can see.

5.4. Knowledge Standard Sharing

5.4.1. CBS or OBS works

5.4.2. Apex Sharing does not work yet

5.4.3. Is there a way to share to CC users?

5.4.4. Knowledge OWD, OBS, CBS

5.5. Knowledge Sharing

5.5.1. Channel, data category, OLS, topics

6. Programming Security: if you write programs, security is a concern.

6.1. XSS (Cross-Site Scripting): > 80% of problems; user input gets mixed into JavaScript

6.2. SOQL injection

6.3. Cross-Site Request Forgery

6.3.1. Enable protection in Session Setting

6.4. Locker Service for Lightning Security

6.5. Data validation: Do it in browser, then on backend again
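The SOQL injection point from 6.2, as an added example that is not part of the mind map: the injectable pattern beside two safe forms. It assumes a search over standard Contact by last name and a hypothetical Active__c checkbox field.

```apex
// Added example: SOQL injection and its fixes. Assumes Contact (standard) and a
// hypothetical Active__c checkbox field.
public with sharing class ContactSearch {

    // VULNERABLE: user input concatenated into dynamic SOQL. A value containing a
    // single quote closes the string literal and lets the input rewrite the WHERE
    // clause, widening the result set to whatever the user can see.
    public static List<Contact> unsafeSearch(String lastName) {
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = \''
                 + lastName + '\'';
        return Database.query(q);
    }

    // SAFE 1: static SOQL with a bind variable. The value is sent as data and is
    // never parsed as query syntax, so quotes in it are harmless.
    public static List<Contact> safeSearch(String lastName) {
        return [SELECT Id, Name FROM Contact WHERE LastName = :lastName];
    }

    // SAFE 2: when the query must be built dynamically (optional filters), still
    // bind the value; only constant fragments are concatenated. Database.query
    // resolves :lastName from the local variable in scope.
    public static List<Contact> dynamicSafeSearch(String lastName, Boolean onlyActive) {
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = :lastName';
        if (onlyActive == true) {
            q += ' AND Active__c = true';   // constant, not user input
        }
        return Database.query(q);
    }

    // Fallback only when a bind is impossible (e.g. the value lands inside LIKE
    // with wildcards): escape quotes so the input cannot terminate the literal.
    public static List<Contact> escapedPrefixSearch(String prefix) {
        String safePrefix = String.escapeSingleQuotes(prefix);
        String q = 'SELECT Id, Name FROM Contact WHERE LastName LIKE \''
                 + safePrefix + '%\'';
        return Database.query(q);
    }
}
```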

7. Community Sharing

7.1. Advanced Sharing: CC+ & PC users < 2mm, 10m with ARO

7.1.1. Delegated External User Admin

7.1.1.1. Can't see user custom fields

7.1.2. Account Switcher

7.1.2.1. Account page: External Managed Account related list

7.1.2.2. Account switcher: menu option in community

7.1.3. EAH < 100K

7.1.3.1. Rearrange role hierarchy

7.1.3.2. No replacement for Sharing Set

7.1.4. ARDSR

7.1.4.1. Set up data (AR) & metadata (DSR)

7.1.4.2. Can't share Asset, Service Contract, Work Order, or the Account to the account itself

7.1.4.3. Does not work with Person Account

7.1.5. Partner Super User

7.1.5.1. Applied to custom objects

7.1.6. Community Super User

7.1.6.1. Does not apply to custom objects

7.1.6.2. Super user permission works with advanced sharing

7.2. CC Sharing: # CC users < 100mm

7.2.1. CC limitations

7.2.1.1. No role, can't be in public groups

7.2.2. Sharing Set

7.2.2.1. 1 per profile per object

7.2.2.2. ACR & RelatedAccount

7.2.3. CC users can access child records (CBP, MD) of a record they have access to

7.2.4. Chatter Group: 300 / user, 30K total

7.2.4.1. Can share file with CC users in chatter group. Tried, it works.

7.2.4.1.1. CollaborationGroup, CollaborationGroupMember

7.2.5. Sharing Group

7.2.5.1. Avoid adding external users to Share Group -- Document is unclear

7.2.5.2. Read & Write Access

7.3. Guest User Sharing

7.3.1. Sharing Setting: [X] Secure guest user record access

7.3.1.1. OWD: Private always

7.3.1.2. Sharing Rule: guest user access based on criteria; include records owned by high-volume users

7.3.1.3. Can't be in groups or queue

7.3.1.4. No manual share

7.3.1.5. No Apex sharing?

7.3.2. Community -> Admin -> Preferences -> Let guest users see other members of this site

7.4. Community -> Admin -> Preferences

7.4.1. Enable direct message

7.4.2. See other members of this site

7.4.3. Max file size

7.4.4. Allow only these file types

8. OWD

8.1. Internal OWD >= External OWD

8.2. Private

8.3. Public Read

8.4. Public Read/Write

8.5. Lead & Case: Public Read/Write/Transfer

8.6. Controlled by Parent (CBP)

8.6.1. Contract: Always CBP, can filter with Restriction Rules

8.6.2. Contact

8.6.3. Order

8.6.3.1. CBP prevents ARDSR

8.6.4. Asset

8.6.4.1. It's as risky as MD!

8.6.5. Quote: new on the Sharing Settings page

8.7. Public Full Access: Only for Campaign

8.8. Campaign Member

8.8.1. Controlled by Campaign

8.8.2. Controlled by Campaign Member

8.9. Pricebook: No Access, View Only, Use

8.10. Activity: Private or Controlled by Parent. Parent of the activity record is:
* Who Id (Name): Contact and Lead
* What Id (Related to): Account, Opportunity, Asset, Campaign, Case, including custom objects with Allow Activities enabled.

8.10.1. Activity Private: users with read access to the record to which the activity is associated (Name and Related To) can view and report on the activity. A Restriction Rule can be applied on top.

8.10.2. A user can perform an action (such as view, edit, transfer, and delete) on an activity based on whether he or she can perform that same action on the records associated with the activity.

8.11. Personal Calendar

8.11.1. Hide Details / Show Details

8.11.2. Hide Details and Add Events / Show Details and Add Events

8.11.3. Full Access

9. Declarative Record Sharing

9.1. Roles & Role Hierarchy

9.1.1. Role limits: Internal 5K -> 10K; External 5K -> 50K -> 500K

9.1.1.1. Specify: Account Owner Access to Contact, Opportunity, Case

9.1.1.2. Category Group Visibility Sharing

9.1.2. ARO: good for performance; be careful with sharing by role

9.1.2.1. Sharing Setting: [*] Use person role for first site user. The role is the account owner's role!

9.1.3. Best Practice: One role per manager

9.1.3.1. One role per channel manager

9.2. Sharing Settings

9.2.1. Grant Access Using Hierarchy (RH)

9.2.2. Manager Hierarchy != Role Hierarchy: (1) Managers Group, (2) Manager Subordinates Group

9.2.2.1. User.Manager field defines the manager hierarchy

9.2.2.2. Only for internal users

9.2.2.3. Can't be added to other groups

9.2.2.4. Use Case: custom object for performance reviews with private OWD, with Grant Access Using Hierarchies unchecked, can be shared up the management chain with Managers Group.

9.2.2.5. Use Case: Employee Discipline Issues

9.2.2.6. No need for manager group if we use per manager role!

9.2.2.7. For sharing rules and manual sharing

9.3. Sharing Rules <= 300 (Soft Limit)

9.3.1. OBS

9.3.2. CBS <= 50 (Soft Limit)

9.3.2.1. Can't use Formula, Rollup Summary, or Lookup fields except for User Id or Queue Id

9.3.3. Share to

9.3.3.1. Public Group

9.3.3.2. Role; Role and Internal Subordinates; Role, Internal & Portal Subordinates

9.3.3.3. Territories, Territories and Sub

9.3.3.4. Managers Group, Manager Subordinates Group

9.4. Team

9.4.1. Account Team

9.4.1.1. Contact, Opty, Case Access

9.4.1.2. Internal or PC users

9.4.1.3. Custom fields & Trigger

9.4.2. Opty Team

9.4.2.1. Parent implicit sharing, but not account owner, so no children implicit sharing from parent account.

9.4.3. Case Team

9.4.3.1. Internal, PC, CC+ users

9.4.3.2. Contact member: grant no access

9.4.3.3. No new field or trigger

9.4.3.4. No case team if owner is a CC user

9.5. Enterprise Territory Management

9.5.1. Territory Model: up to 100K-1 territories in a hierarchy

9.5.2. Territory Forecast: ETM works with Collaborative Forecasts

10. Other Topics

10.1. Restriction Rule: 2 or 5 per object

10.1.1. Contract, Event, Task, custom objects

10.1.2. Examples

10.2. Scoping Rule (beta)

10.3. Customizable User Settings

10.3.1. Hide the "Change password" page on My Setting with "Is Single Sign-On Enabled"

10.4. User Management Settings

10.4.1. Hide Personal Information

10.4.2. [?] Enhanced Personal Information Management

10.4.2.1. Choose whether a User field is PersonInfo or not using a field's Compliance Categorization

10.5. Sharing Settings etc

10.5.1. Manual User Record Sharing: enable to allow users to share their own user record with the Share button

10.6. CSP: Content Security Policy

10.6.1. Need this when putting Chat on a community page

10.7. reCaptcha

10.7.1. Web2Lead & Web2Case need this

11. Profiles and Permissions

11.1. Profile

11.1.1. Keep admin permissions for admins: View All Data, Modify All Data, View All, Modify All

11.1.2. Delegated Admin

11.1.3. Guest user profiles are in communities

11.2. Permission Set

11.3. Permission Set Group

11.3.1. Muting Permission Set in Group

11.4. Community users can only get READ access on product and Pricebook

11.5. Custom Permission

11.5.1. Works for VR, Formula, Flow, In App Guidance

11.6. OLS

11.6.1. CRUD

11.7. FLS