Security & access
⏱ ~3-min readAceMark GuideWhat this topic is really about
With "Grant Access Using Hierarchies" enabled (default for standard objects), users higher in the role hierarchy automatically gain access to records owned by subordinates, even when OWD is Private. Manual sharing would be impractical at scale, and permission sets/validation rules do not grant record-level sharing.
Organization-Wide Defaults set the baseline (most restrictive) record access for users who do not own a record; access can then be opened up via role hierarchy, sharing rules, and manual sharing. Profiles control object/field permissions, not record-level baseline sharing.
See the mechanism
Sharing rules grant access ABOVE the org-wide default. A diagram for this topic isn't available yet — the worked example below walks the same reasoning step by step.
An exam-style question, fully explained
A user belongs to a public group included in a sharing rule. The org-wide default for Account is Private. What access does the sharing rule give?
- Identify what the question tests: A user belongs to a public group included in a sharing rule..
- Sharing rules grant access ABOVE the org-wide default.
- With Account=Private, the user gets exactly what the rule specifies — Read Only or Read/Write.
- Modify All Data is a profile permission, not granted by sharing rules.
Traps the examiner sets
- Organization-Wide Defaults set the baseline (most restrictive) record access for users who do not own a record; access can then be opened up via role hierarchy, sharing rules, and manual sharing.
- Manual sharing would be impractical at scale, and permission sets/validation rules do not grant record-level sharing.
Test your recall
Answer each from memory — you'll see instantly whether you're right and why.
Run a focused 10-question mini-mock on Security & access and see it stick.
Practice more of this topic →