Sharing rule
To open up record-level access beyond the OWD for groups of users, roles, or roles and subordinates, you can use a sharing rule. A sharing rule can only open up access; you can't use it to restrict access. Salesforce has the following types of sharing rules:
- Criteria-based sharing rule: If you want to share the records based on the field values in the record, then you have to use a criteria-based sharing rule. For example, let's say you use a lead object to better manage prospects. A criteria-based sharing rule could share all lead records in which the Country field is set to India with all sales reps from APAC. You can have a maximum of 50 criteria-based sharing rules per object.
- Owner-based sharing rule: If you want to share the records based on the owner of a record, then you have to use an owner-based sharing rule. For example, let's say you use an account object to better manage customers. An owner-based sharing rule could share all account records in which the owner belongs to a public group APAC with another public group EMEA.
- Manual sharing: When the OWD is set to Private or Public Read Only for any object, then a Sharing button will be enabled in the record detail page, using which the record owner, or users who are at a higher position in the role hierarchy, can share records with other users. Visibility of the button can be controlled with the help of the page layout.
- Apex managed sharing: If you have a very complex business requirement, and you want to share the record access with users for a few hours or days, then you can use Apex-managed sharing. You can either use Apex or Flow with Process Builder to handle such scenarios. To access the sharing object programmatically, you must use the share object associated with the standard or custom object with which you want to share.
Criteria-based sharing rule
A business scenario: Alok Sinfal works as a system administrator at Universal Containers. His manager Brigette Hyacinth wants every user in the organization to be able to view the lead records, but only a group of users (that is, a public group: Global Sales) should be able to edit them if the lead Country field is set to India.
Perform the following steps to solve this requirement:
- First of all, change the Lead object Organization-Wide Sharing Defaults Edits to Public Read Only by following the path Setup (gear icon) | Setup | SETTINGS | Security | Sharing Settings. This way, all users from the organization can view the lead records:
- Now create a public group Global Sales and add users as per the business requirement.
- The next step is to create a sharing rule by following the path Setup (gear icon) | Setup | SETTINGS | Security | Sharing Settings and navigating to the Lead Sharing Rules list:
- Click on New, and it will redirect you to a new window where you have to enter the Label, Rule Name, and Description (always write a description so that other administrators or developers know why this rule was created).
- Then for the Rule Type, select Based on criteria. For the criteria by which records are to be shared, create a criterion such as Country equals India.
- Then select the public group with whom you want to share the records; in this case, select Global Sales.
- The final step is to choose the level of access for the users. For the preceding business requirement, select Read/Write from the dropdown.
When you have reached the end, your screen should look like the following screenshot:
- Once you are done, click Save.
Manual sharing
When the OWD is set to Private or Public Read Only for any object, then a Sharing button will be enabled in the record detail page. From here, the record owner or users who are at a higher position in the role hierarchy can share records with other users. Currently, Lightning Experience doesn't support the manual sharing feature, so if you want to use manual sharing then switch back to Salesforce Classic:
To manually share the record, click on the Sharing button and it will redirect you to a new window. Then click on the Add button and you are ready to share records with the following:
- Public groups
- Users
- Roles
- Roles and subordinates
- Personal groups
- Manager groups
- Manager subordinate groups
The final step is to select the access type. Once you have done this, click Save. It will look like the following screenshot:
Note
The Lead and Case Sharing buttons will be enabled when OWD is set to Private, Public Read Only, and Public Read/Write.
Apex managed sharing
When the other sharing methods can't fulfill your requirements, you can use Apex managed sharing to share records. Using Apex managed sharing, you can handle complex sharing. For example, say you want to share the case record access with a field support worker for a few hours or days; in this scenario, you can use Apex managed sharing. You can either use Apex or Flow with Process Builder to handle such scenarios. To access the sharing object programmatically, you must use the share object associated with the standard or custom object for which you want to share. We will talk more about how we can use Flow and Process Builder to create Apex managed sharing in Chapter 8, Automating Complex Business Processes.
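The field support scenario above, written as an added Apex example that is not code from the book: it grants one user access to one case through the CaseShare share object and schedules the removal of that grant. The class name TemporaryCaseAccess and the method grant are hypothetical, and the code assumes the Case OWD is restrictive enough for the chosen access level to add anything.

```apex
// Added example (not from the book): time-boxed access to a Case through
// its share object, CaseShare. TemporaryCaseAccess is a hypothetical name.
public with sharing class TemporaryCaseAccess implements Schedulable {
    private Id caseId;
    private Id userId;

    public TemporaryCaseAccess(Id caseId, Id userId) {
        this.caseId = caseId;
        this.userId = userId;
    }

    // Grants accessLevel ('Read' or 'Edit') on one case to one user and
    // schedules the removal of that grant after the given number of hours.
    public static Id grant(Id caseId, Id userId, String accessLevel, Integer hours) {
        // RowCause is left unset: a share created this way on a standard
        // object is recorded with the 'Manual' row cause.
        insert new CaseShare(
            CaseId = caseId,
            UserOrGroupId = userId,
            CaseAccessLevel = accessLevel
        );

        // One-off cron expression: seconds minutes hours day month ? year.
        Datetime expiry = Datetime.now().addHours(hours);
        String cron = expiry.format('s m H d M \'?\' yyyy');
        String jobName = 'Revoke case access ' + caseId + ' ' + userId
            + ' ' + expiry.getTime();
        return System.schedule(jobName, cron, new TemporaryCaseAccess(caseId, userId));
    }

    // Runs at the expiry time and deletes only the manual grant made above,
    // leaving owner, role hierarchy and sharing rule access untouched.
    public void execute(SchedulableContext ctx) {
        delete [
            SELECT Id FROM CaseShare
            WHERE CaseId = :caseId
              AND UserOrGroupId = :userId
              AND RowCause = 'Manual'
        ];
    }
}
```

Manual shares on a standard object are also removed when the record's owner changes, so the scheduled delete may find nothing to remove, which is harmless. Passing 'Read' rather than 'Edit' keeps the grant to the least access the support worker needs.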
Defer sharing calculations
If you are changing the organization-wide access for an object, such as from Public Read Only to Public Read/Write, your changes take effect after the recalculation is run, and recalculation may take one minute to several hours depending on the customization in your Salesforce organization. The same thing happens if you change a user's role; on the backend, Salesforce will run all sharing rules. For each update, it has to recalculate all the access rights and sharing rules, and if a user has lots of accounts and other records, then it will take a long time. While the recalculation runs in the background, you are not allowed to create a new sharing rule or modify any security settings (such as the organization-wide default or a sharing rule) in Salesforce:
If you want to overcome such a scenario, then you have to enable a limited feature called Defer Sharing Calculations by raising a support ticket. If you have an object that utilizes sharing and has a large volume of records (such as more than three million leads), and you need to make a bulk change (such as a periodical realignment requiring a hierarchy change), then this limited feature can be enabled by Salesforce support to defer automatic sharing calculations. By default, every single change to the role hierarchy, groups, sharing rules, territory hierarchy, user roles, team membership, or ownership of records can initiate automatic sharing calculations. When a bulk change is made, it causes many automatic sharing recalculations to begin. By suspending these temporarily, you can make the change and then have the sharing calculations happen all at once. Enable this feature when you need to suspend sharing calculations during maintenance windows to have a minimal impact on users.