The terms “Record-Level Access” and “Sharing” are interlinked in Salesforce.com. Sharing enables record-level access control for all custom objects. Sharing can also be enabled for many standard objects (such as Account, Contact, Opportunity and Case).
Levels of Record Access
View, Edit, Transfer, Share, and Delete
Default Sharing Access
Default sharing access is set through organization-wide defaults (OWD).
Additional Record-Level Access Types
1. Force.com Managed Sharing
All implicit sharing added by Force.com managed sharing cannot be altered directly using the Salesforce user interface, SOAP API, or Apex.
Record Ownership
Every record is owned by a user or a queue (in the case of custom objects, cases, and leads). The record owner is automatically granted Full Access to the record. This enables them to access the record on all levels (view, edit, transfer, share, and delete).
Role Hierarchy
If “Role Hierarchy” is enabled, users above another user in the hierarchy can have the same level of access to records owned by or shared with users below. This behavior can be disabled for specific custom objects. Role hierarchy is not maintained with sharing records. Role hierarchy access is derived at runtime.
Sharing Rules
With sharing rules, an administrator can automatically grant users within a given group or role access to records owned by a specific group of users.
2. User Managed Sharing, also known as “Manual Sharing”
User managed sharing allows the record owner or any user with Full Access to a record to share the record with a user or group of users. This is generally done by an end-user, for a single record. Only the record owner and users above the owner in the role hierarchy are granted Full Access to the record. It is not possible to grant other users Full Access. Users with the “Modify All” object-level permission for the given object or the “Modify All Data” permission can also manually share a record. User managed sharing is removed when the record owner changes or when the access granted in the sharing does not grant additional access beyond the object’s organization-wide sharing default access level.
3. Apex Managed Sharing
Apex managed sharing provides developers with the ability to support an application’s particular sharing requirements programmatically through Apex or the SOAP API. This type of sharing is similar to Force.com managed sharing. Only users with “Modify All Data
Types of Sharing in Salesforce
Salesforce has the following types of sharing:
1. Force.com Managed Sharing
Force.com managed sharing involves sharing access granted by Force.com based on record ownership, the role hierarchy, and sharing rules:
1.1 Record Ownership
Each record is owned by a user or optionally a queue for custom objects, cases and leads. The record owner is automatically granted Full Access, allowing them to view, edit, transfer, share, and delete the record.
1.2 Role Hierarchy
The role hierarchy enables users above another user in the hierarchy to have the same level of access to records owned by or shared with users below. Consequently, users above a record owner in the role hierarchy are also implicitly granted Full Access to the record, though this behavior can be disabled for specific custom objects. The role hierarchy is not maintained with sharing records. Instead, role hierarchy access is derived at runtime. For more information, see “Controlling Access Using Hierarchies” in the Salesforce online help.
1.3 Sharing Rules
Sharing rules are used by administrators to automatically grant users within a given group or role access to records owned by a specific group of users. Sharing rules cannot be added to a package and cannot be used to support sharing logic for apps installed from Force.com AppExchange. Sharing rules can be based on record ownership or other criteria. You can't use Apex to create criteria-based sharing rules. Also, criteria-based sharing cannot be tested using Apex. All implicit sharing added by Force.com managed sharing cannot be altered directly using the Salesforce user interface, SOAP API, or Apex.
2. User Managed Sharing, also known as Manual Sharing
User managed sharing allows the record owner or any user with Full Access to a record to share the record with a user or group of users. This is generally done by an end-user, for a single record. Only the record owner and users above the owner in the role hierarchy are granted Full Access to the record. It is not possible to grant other users Full Access. Users with the “Modify All” object-level permission for the given object or the “Modify All Data” permission can also manually share a record. User managed sharing is removed when the record owner changes or when the access granted in the sharing does not grant additional access beyond the object's organization-wide sharing default access level.
3. Apex Managed Sharing
Apex managed sharing provides developers with the ability to support an application’s particular sharing requirements programmatically through Apex or the SOAP API. This type of sharing is similar to Force.com managed sharing. Only users with “Modify All Data” permission can add or change Apex managed sharing on a record. Apex managed sharing is maintained across record owner changes.
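Apex managed sharing as described above, shown as an added example that is not code from the original post. It assumes a hypothetical custom object Job__c with a private organization-wide default and an Apex sharing reason with the API name Recruiter__c; the class and method names are also hypothetical.

```apex
// Added example. Job__c, its share object Job__Share and the sharing reason
// Recruiter__c are hypothetical names used for illustration.
public with sharing class JobSharing {

    // Grants 'Read' or 'Edit' on one Job__c record to a user or public group.
    // Returns true when the grantee ends up with at least that access.
    public static Boolean grant(Id jobId, Id userOrGroupId, String accessLevel) {
        // Full Access ('All') cannot be granted through a share row.
        if (accessLevel != 'Read' && accessLevel != 'Edit') {
            throw new IllegalArgumentException('accessLevel must be Read or Edit');
        }
        Job__Share row = new Job__Share(
            ParentId = jobId,
            UserOrGroupId = userOrGroupId,
            AccessLevel = accessLevel,
            // A custom row cause marks the row as Apex managed, so it is
            // kept when the record owner changes (manual shares are not).
            RowCause = Schema.Job__Share.RowCause.Recruiter__c
        );
        Database.SaveResult result = Database.insert(row, false);
        if (result.isSuccess()) {
            return true;
        }
        // The insert is rejected when the requested level is not more
        // permissive than the organization-wide default. The grantee already
        // has that access, so this case is not treated as a failure.
        Database.Error err = result.getErrors()[0];
        return err.getStatusCode() == StatusCode.FIELD_FILTER_VALIDATION_EXCEPTION
            && err.getMessage().contains('AccessLevel');
    }

    // Removes every Apex managed share with this reason from one record and
    // returns how many rows were deleted. The application has to do this
    // itself because these rows survive ownership changes.
    public static Integer revokeAll(Id jobId) {
        List<Job__Share> rows = [
            SELECT Id FROM Job__Share
            WHERE ParentId = :jobId
              AND RowCause = :Schema.Job__Share.RowCause.Recruiter__c
        ];
        delete rows;
        return rows.size();
    }
}
```

Because these rows persist across owner changes, pair every code path that calls `grant` with one that calls `revokeAll` when the business reason for the access ends.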
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups have been created.
3. In the Account Sharing Rules related list, click New.
4. Enter the Label Name and Rule Name. The Label is the sharing rule label as it appears on the user interface. The Rule Name is a unique name used by the API and managed packages.
■ Based on record owner—In the owned by members of line, specify the users whose records will be shared: select a category from the first drop-down list and a set of users from the second drop-down list (or lookup field, if your organization has over 200 queues, groups, roles, or territories).
■ Based on criteria—Specify the Field, Operator, and Value criteria that records must match to be included in the sharing rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic... to change the default AND relationship between each filter.
Note
To use a field that’s not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger to copy the value of the field into a text or numeric field, and use that field as the criterion.
2. In the Share with line, specify the users who should have access to the data: select a category from the first drop-down list and a set of users from the second drop-down list or lookup field.
4. In the remaining fields, select the access settings for the records associated with the shared accounts.
| | Description |
| (available for associated contacts, opportunities, and cases only) | Users can’t view or update records, unless access is granted outside of this sharing rule. |
| | Users can view, but not update, records. |
| | Users can view and update records. |
With sharing rules, you can make automatic exceptions to your organization-wide sharing settings for defined sets of users. For example, use sharing rules to extend sharing access to users in public groups, roles, or territories. Sharing rules can never be stricter than your organization-wide default settings. They simply allow greater access for particular users.
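Since sharing rules and manual shares only ever widen access, a periodic review of the share rows they create shows who has gained update rights. The following is an added example, not code from the original post; it reads the standard AccountShare object, and the class and method names are hypothetical.

```apex
// Added example: reports which share rows give update rights on one account
// or on its associated opportunities and cases.
public with sharing class AccountShareAudit {

    // Returns the rows created by sharing rules ('Rule') or by manual sharing
    // ('Manual') that grant 'Edit', keyed by row cause. Full Access ('All')
    // is never granted by these mechanisms, so only 'Edit' is checked.
    public static Map<String, List<AccountShare>> writableGrants(Id accountId) {
        Map<String, List<AccountShare>> byCause =
            new Map<String, List<AccountShare>>();
        for (AccountShare row : [
            SELECT UserOrGroupId, RowCause, AccountAccessLevel,
                   OpportunityAccessLevel, CaseAccessLevel
            FROM AccountShare
            WHERE AccountId = :accountId
              AND RowCause IN ('Rule', 'Manual')
        ]) {
            Boolean writable = row.AccountAccessLevel == 'Edit'
                || row.OpportunityAccessLevel == 'Edit'
                || row.CaseAccessLevel == 'Edit';
            if (!writable) {
                continue;
            }
            if (!byCause.containsKey(row.RowCause)) {
                byCause.put(row.RowCause, new List<AccountShare>());
            }
            byCause.get(row.RowCause).add(row);
        }
        return byCause;
    }
}
```

Access that comes from the role hierarchy does not appear in this result, because it is derived at runtime and is not stored as share rows.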
You can create the following types of sharing rules.
| Type | Based on | Set Default Sharing Access for |
| | Account owner or other criteria, including account record types or field values | Accounts and their associated contracts, assets, opportunities, cases, and optionally, contacts |
| | Territory assignment | Accounts and their associated cases, contacts, contracts, and opportunities |
| | Campaign owner or other criteria, including campaign record types or field values | Individual campaign records |
| | Case owner or other criteria, including case record types or field values | Individual cases and associated accounts |
| | Contact owner or other criteria, including contact record types or field values | Individual contacts and associated accounts |
| | Custom object owner or other criteria, including custom object record types or field values | Individual custom object records |
| | Lead owner or other criteria, including lead record types or field values | Individual leads |
| | Opportunity owner or other criteria, including opportunity record types or field values | Individual opportunities and their associated accounts |
Note
■ You can’t include high-volume portal users in sharing rules because they don’t have roles and can’t be in public groups.
■ Developers can use Apex to programmatically share custom objects (based on record owners, but not other criteria). This does not apply to User Sharing.