Record-Level Security in Salesforce is a fundamental component of the platform's security model that controls which individual records users can view and edit after they have object-level access. While object-level security determines what types of data users can access, record-level security provides granular control over specific records within those objects.
There are four main mechanisms that govern record-level security:
1. Organization-Wide Defaults (OWD): These settings establish the baseline level of access for all records of each object. Options include Private, Public Read Only, Public Read/Write, and Controlled by Parent. Private is the most restrictive, limiting record access to only the record owner and users above them in the role hierarchy.
2. Role Hierarchy: This structure allows users higher in the hierarchy to access records owned by users below them. Managers can view and edit records owned by their subordinates based on their position in the hierarchy.
3. Sharing Rules: These extend access beyond what OWD provides. Criteria-based sharing rules grant access based on field values, while ownership-based sharing rules grant access based on record ownership. Sharing rules can open up access but cannot restrict it below OWD settings.
4. Manual Sharing: Record owners and administrators can manually share individual records with specific users or groups when needed for exceptional circumstances.
Additional features include Apex Managed Sharing for programmatic sharing, Teams for collaborative record access, and Territory Management for sales-focused sharing scenarios.
Best practices include starting with the most restrictive OWD settings and then opening access as needed through sharing rules and role hierarchy. Administrators should regularly audit sharing settings to ensure data security compliance. Understanding record-level security is essential for Platform Administrators to properly configure data access and maintain appropriate security boundaries within their Salesforce organization.
Record-Level Security in Salesforce
Why Record-Level Security is Important
Record-Level Security is a critical component of Salesforce's security model that determines which specific records a user can access. While object-level security controls whether users can see an object at all, record-level security fine-tunes access to individual records within those objects. This ensures that sensitive data is protected and users only see information relevant to their role, maintaining data privacy and compliance with organizational policies.
What is Record-Level Security?
Record-Level Security operates on the principle of least privilege, meaning users start with minimal access and are granted additional access as needed. Salesforce uses several mechanisms to control record access:
1. Organization-Wide Defaults (OWD) - The baseline level of access for all users to records they don't own
2. Role Hierarchy - Users higher in the hierarchy can access records owned by users below them
3. Sharing Rules - Automatic sharing based on record ownership or criteria
4. Manual Sharing - One-off sharing of specific records
5. Teams - Account Teams, Opportunity Teams, and Case Teams
6. Territory Management - For complex sales territory structures
7. Apex Managed Sharing - Programmatic sharing for complex requirements
How Record-Level Security Works
Organization-Wide Defaults (OWD) set the most restrictive baseline:
- Private: Only the record owner and users above in hierarchy can view/edit
- Public Read Only: All users can view, but only owner can edit
- Public Read/Write: All users can view and edit
- Controlled by Parent: Used for detail objects in master-detail relationships
Opening Up Access
Once OWD is set to Private or Public Read Only, you can open access using:
- Role Hierarchy: Managers inherit access to records owned by their subordinates (can be disabled for custom objects)
- Sharing Rules: Owner-based rules share records owned by certain users/roles; Criteria-based rules share records meeting specific field criteria
- Manual Sharing: Record owners can share individual records with specific users or groups
Key Concepts to Remember
- You can only open up access from OWD, never restrict it further
- Sharing rules can grant Read Only or Read/Write access
- Role hierarchy access can be turned off for custom objects but not standard objects
- Public Groups can be used in sharing rules to simplify administration
- Implicit sharing occurs with parent-child relationships (e.g., Account to Contact)
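A simplified model of the rules above, as an added example that is not Salesforce code or part of the original guide: each mechanism contributes a grant and the effective access is the most permissive one, which is why nothing can restrict access below the OWD. The user names, the Region field and the SharingModel class are hypothetical; the role hierarchy is reduced to user-to-manager links, grantees are single users, and Controlled by Parent is left out.

```python
# Added illustration: a simplified model, not Salesforce's implementation.
# Grantees are single users; "Controlled by Parent" is not modelled.
from dataclasses import dataclass, field

RANK = {"None": 0, "Read": 1, "Edit": 2}
OWD_BASELINE = {"Private": "None", "Public Read Only": "Read", "Public Read/Write": "Edit"}

@dataclass
class SharingModel:
    owd: str                          # organization-wide default for the object
    manager_of: dict                  # user -> manager (hierarchy, simplified to users)
    use_hierarchy: bool = True        # can be switched off for custom objects
    owner_rules: list = field(default_factory=list)     # (owner, grantee, level)
    criteria_rules: list = field(default_factory=list)  # (field, value, grantee, level)
    manual_shares: list = field(default_factory=list)   # (record_id, grantee, level)

    def is_above(self, user, owner):
        """Walk up from the owner; True if `user` is one of the owner's managers."""
        seen, cur = set(), self.manager_of.get(owner)
        while cur is not None and cur not in seen:
            if cur == user:
                return True
            seen.add(cur)
            cur = self.manager_of.get(cur)
        return False

    def effective_access(self, user, record):
        """Return (level, sources): the most permissive grant and what supplied it."""
        grants = [("OWD", OWD_BASELINE[self.owd])]
        if user == record["owner"]:
            grants.append(("Owner", "Edit"))
        if self.use_hierarchy and self.is_above(user, record["owner"]):
            grants.append(("Role Hierarchy", "Edit"))
        grants += [("Owner-based Rule", lvl) for o, g, lvl in self.owner_rules
                   if o == record["owner"] and g == user]
        grants += [("Criteria-based Rule", lvl) for f, v, g, lvl in self.criteria_rules
                   if record.get(f) == v and g == user]
        grants += [("Manual Share", lvl) for rid, g, lvl in self.manual_shares
                   if rid == record["id"] and g == user]
        level = max((lvl for _, lvl in grants), key=RANK.get)  # grants only add access
        return level, [src for src, lvl in grants if lvl == level]

# Constructed sample org and record (hypothetical users and field names).
ORG = SharingModel(
    owd="Private",
    manager_of={"rep_a": "mgr", "rep_b": "mgr", "mgr": "vp"},
    criteria_rules=[("Region", "EMEA", "support_1", "Read")],
    manual_shares=[("R1", "rep_b", "Edit")],
)
RECORD = {"id": "R1", "owner": "rep_a", "Region": "EMEA"}
```

Calling `ORG.effective_access(user, RECORD)` for each user shows which mechanism supplied the access, which is the question an audit of sharing settings has to answer for every unexpected viewer of a record.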
Exam Tips: Answering Questions on Record-Level Security
1. Start with OWD: Always identify what OWD should be first. Ask yourself: what is the most restrictive access needed? That becomes your OWD.
2. Remember the Hierarchy: If a question mentions managers needing to see subordinate records, consider whether role hierarchy alone solves the problem.
3. Choose the Right Sharing Mechanism:
   - For automatic sharing based on ownership → Owner-based Sharing Rules
   - For automatic sharing based on field values → Criteria-based Sharing Rules
   - For one-time, individual record sharing → Manual Sharing
   - For team collaboration on specific records → Teams feature
4. Watch for Keywords:
   - 'All users' or 'everyone' often indicates OWD settings
   - 'Managers' or 'supervisors' points to Role Hierarchy
   - 'Automatically share when' suggests Criteria-based Sharing Rules
5. Eliminate Wrong Answers: If an answer suggests restricting access below OWD, it is incorrect. Remember you can only open access, not close it further.
6. Consider Maintenance: The exam often favors solutions that are easier to maintain. Sharing Rules are preferred over Manual Sharing for ongoing requirements.
7. Master-Detail Relationships: Child records in master-detail relationships always inherit the sharing settings from the parent record.