Part 4 – Manual Sharing
If you’ve made it this far, you have likely seen it all. In previous blog posts, we’ve discussed the best practices for setting up your Salesforce baseline security using OWD, reviewed the power of structuring a Role Hierarchy, and modeled how to hack your way around the 3 Golden Rules using Sharing Rules. Now, it’s time to climb the final hurdle and conquer the Record Access Pyramid.
Manual sharing might seem like a no-brainer at first glance, and in most scenarios, you’d be correct in that assumption. When the owner of a record sees a button labeled “Sharing”, they can share the record with a single person or a group of users by selecting:
- With whom to share it — Single User, Roles, Public Group, or Role with Subordinates
- The Level of Access — Read-Only, Read/Write
However, don’t be fooled by the simplicity of this process. Under the hood, there is a lot more than meets the eye. There are a couple of questions that are worth asking first.
When is the “Sharing” button available?
Below is a screenshot of the visible Sharing button. To enable it to show on the detail page of a record, set the OWD for the object to any setting more restrictive than Public/Read-Write.
In this case, I’ve set the OWD for the Lead Standard Object to “Private”.
Also, if you set a related object’s OWD to either Private or Read-Only, the Parent record will show the sharing button. For example, setting the OWD to “Private” in Opportunities will make the button show in the Opportunity detail page, and also in the Account detail page:
Except when it doesn’t. The “Sharing” button will NOT display if you are viewing a detail page for a record that is on the “Detail” side of a Master-Detail relationship, or the security settings of the child you are viewing are set to “Controlled By Parent”.
Who is able to see the “Sharing” button?
If your answer to this question was “The record owner and System Admins”, you are partially right, but the button is also visible to:
- Anyone above the owner in the Role Hierarchy
- Any user granted “Full Access” to the record, via “Apex Managed Sharing”
- Any user associated with a Profile or Permission set that has “Modify All” for the object
What is happening under the hood?
You might not know it, but Salesforce has a bunch of “secret” tables or objects. (You might have suspected it!) Most major Standard and all Custom objects have a secret Share table. For example, the Account object has an AccountShare table, and if you create a custom Service__c object it will have a Service__Share table.
The Share objects are where Salesforce actually tracks who has access to a specific record and how they have gained access to it. No matter if you are the owner of the record, someone above the owner, or granted access to the record by a sharing rule, there will be a row in this object validating your access. Otherwise, you will get an “Insufficient Access” error when you try to see the record.
Let’s take a look at these example rows of the AccountShare table:
In the picture above, we are seeing 10 share rows for an Account record. There are a few things to note:
- AccountAccessLevel: what the person granted access can do with the record
- AccountId: which specific account is being shared
- RowCause: the reason why the record is being shared; some interesting values to mention are:
  - “Rule” – the record was shared because of a Sharing Rule
  - “ImplicitParent” – or what I call a hierarchical reason. Basically, the user or Group** receiving access is above the owner in the Role Hierarchy
- UserOrGroupId: who is gaining access to the record. Notice that some values on this column start with “005” (this refers to a single user), and others start with “00G” (this refers to a Group)
**Did you know: For all Roles you configure in the Role Hierarchy, a Group is created. This is how Salesforce can reference the “Role” in the Share object to grant access to records.
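As an added example (not code from the original post or from Salesforce), the Python sketch below audits an export of AccountShare rows using the columns described above: it resolves each grantee's highest access level per account and flags manual shares that give a whole Group write access. The sample rows and IDs are constructed, and the `Owner` and `Manual` RowCause values and the `Read`/`Edit`/`All` access levels are assumed from the Salesforce API rather than taken from the post.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (all IDs are made up). On a real org the same
# columns can be exported from the AccountShare object.
SAMPLE_CSV = """AccountId,UserOrGroupId,AccountAccessLevel,RowCause
001000000000001AAA,005000000000001AAA,All,Owner
001000000000001AAA,00G000000000001AAA,Read,Rule
001000000000001AAA,005000000000002AAA,Read,Rule
001000000000001AAA,005000000000002AAA,Edit,Manual
001000000000001AAA,00G000000000002AAA,Edit,Manual
001000000000002AAA,005000000000003AAA,Read,ImplicitParent
"""

GRANTEE_KIND = {"005": "User", "00G": "Group"}   # ID prefixes from the post
LEVEL_RANK = {"Read": 1, "Edit": 2, "All": 3}    # assumed API access levels

def load_shares(text):
    """Parse exported share rows and tag each grantee as User or Group."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["GranteeKind"] = GRANTEE_KIND.get(row["UserOrGroupId"][:3], "Unknown")
    return rows

def effective_access(rows):
    """(AccountId, grantee) -> (highest level granted, causes behind it)."""
    best = {}
    causes = defaultdict(set)
    for row in rows:
        key = (row["AccountId"], row["UserOrGroupId"])
        causes[key].add(row["RowCause"])
        level = row["AccountAccessLevel"]
        if LEVEL_RANK.get(level, 0) > LEVEL_RANK.get(best.get(key), 0):
            best[key] = level
    return {key: (best[key], sorted(causes[key])) for key in best}

def manual_group_writes(rows):
    """Manual shares that hand write access to a whole Group: review first."""
    return [r for r in rows
            if r["RowCause"] == "Manual" and r["GranteeKind"] == "Group"
            and LEVEL_RANK.get(r["AccountAccessLevel"], 0) >= LEVEL_RANK["Edit"]]

if __name__ == "__main__":
    shares = load_shares(SAMPLE_CSV)
    for (account, grantee), (level, why) in sorted(effective_access(shares).items()):
        print(account, grantee, level, ",".join(why))
    print("REVIEW:", [r["UserOrGroupId"] for r in manual_group_writes(shares)])
```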
That’s it! You’ve just conquered the last step on the Record Access Pyramid in Salesforce. If you followed along, you are set up for success in all aspects of the Salesforce Sharing Model. Congratulations!
Clara Perez is a Salesforce MVP and Lead Developer at Great Wave who loves teaching Salesforce concepts.