Demystifying Record-level Security in Salesforce: Who Sees What and Why It Matters

Imagine you’re working in a bustling sales team, and one morning you log in to Salesforce only to find that you’re suddenly seeing records you probably shouldn’t. Maybe your manager’s high-stakes deal is visible to everyone on the team, or your sensitive client list is floating in full view. Yikes! This isn’t just awkward—it’s a security risk. And this is exactly where Record-level Security comes into play in Salesforce. This article demystifies record-level security in Salesforce: who sees what and why it matters.

So, join us for an insightful exploration of what Record-level Security is, why it plays a vital role in your Salesforce environment, and how Salesforce admins can confidently master it without unnecessary stress.

What is Record-level Security?

In simple terms, record-level security in Salesforce controls which individual records a user can view, edit, delete, or share. While object-level permissions decide whether a user can access a particular type of data (e.g., Accounts, Opportunities), record-level security gets specific: Can this person see this exact record? Think of it as the fine-grained control beyond just saying “You can access Accounts”—it answers the question: Which Accounts?

Salesforce doesn’t just hand out blanket permissions. Instead, it layers access controls so you can tailor visibility and editing rights precisely, ensuring people see only what they need to do their job—and nothing more.

The Pillars of Record-level Security

Salesforce uses a neat hierarchy of controls to manage record access. Each layer builds on the previous one, starting from the most restrictive baseline and gradually opening access where needed.

1. Organization-Wide Defaults (OWD)

OWD is the baseline setting for each object. Think of OWD as the default “locked or unlocked” status of every room in the building. It defines the most restrictive level of access:

  • Private: Only the record owner and their managers can access it.
  • Public Read Only: Everyone can view, but editing is restricted. Only the owners can edit.
  • Public Read/Write: Anyone can view and edit.
  • Public Read/Write/Transfer: Users can view, edit, and transfer ownership (available only for specific objects like Cases and Leads).

2. Role Hierarchies

Roles let users move vertically through access, i.e., if person A reports to person B, then person B can access person A’s data. It mirrors the organizational chart. Imagine a pyramid where the CEO at the top can see everything below, while a sales rep at the bottom sees only their own deals. This hierarchy respects your organization’s structure and ensures supervisors have the visibility they need.

3. Sharing Rules

Need to share records across teams? Sharing rules let you grant access horizontally. It’s like inviting another department to peek into your team’s project board. For example, give the Marketing team read-only access to Sales team accounts.

Sharing Rules are automatic exceptions to OWD. They grant access based on record ownership or criteria (e.g., all accounts in Vancouver) to public groups, roles, or territories.

  • Ownership-Based: Share records owned by certain users.
  • Criteria-Based: Share records meeting specific conditions/field values.

Think of sharing rules as VIP passes that open doors for selective groups.

4. Manual Sharing

Users who own a record can manually provide read or edit permissions to specific individuals or groups. It’s like handing out a personal key to a specific room. It is perfect for one-off collaborations, but a nightmare to manage at scale.

Manual sharing lacks automation and involves granting access to one record at a time, i.e., sharing must be done individually for each record. This approach can become inefficient and time-consuming, especially when managing larger datasets.

How to Modify Record-level Security in Salesforce

Let’s walk through how to configure each of the record-level security mechanisms within your Salesforce org.

1. Organization-Wide Defaults

  • Go to Setup > Quick Find: Sharing Settings.
  • Under Organization-Wide Defaults, click Edit.
  • Set the default access level for each object.
  • Click Save.

Note: Changes here affect all users and should be made with care.

2. Role Hierarchies

  • Navigate to Setup > Quick Find: Roles.
  • Use the role hierarchy tree to create or adjust roles.
  • Assign users to roles via their user profiles.

Note: Make sure the checkbox “Grant Access Using Hierarchies” is enabled (object-specific). This checkbox is found in Setup when you’re configuring Organization-Wide Defaults (OWD) for a specific object.

3. Sharing Rules

  • Go to Setup > Quick Find: Sharing Settings.
  • Scroll to Sharing Rules.
  • Click New next to the object (e.g., Account Sharing Rules).
  • Choose rule type: Owner-based or Criteria-based.
  • Define the users or groups to share with and their access level.
  • Click Save.

4. Manual Sharing

  • Navigate to the record you want to share.
  • Click the Sharing button (visible only if OWD is set to “Private” or “Public Read Only” and the user owns the record).
  • Add users or groups and define their access level.
  • Save the sharing settings.

Note: Manual sharing isn’t available for all objects and is not suitable for bulk sharing.

How Does Salesforce Decide Who Sees What?

Salesforce evaluates access by combining all these layers, always applying the most permissive access a user is entitled to. But remember, access is also constrained by:

  • Profiles and Permission Sets: Which objects and fields a user can access.
  • Record-level Security: Which specific records within those objects they can see or edit.

If object-level permission says “No access”, record-level settings can’t override that. But if object-level permission says “Read”, record-level security decides which records are visible.

Why Should You Care About Record-level Security?

  • Protect Sensitive Data: Keep confidential information like salaries, contracts, or legal cases away from unauthorized eyes.
  • Improve User Experience: Show users only relevant data, reducing clutter and confusion.
  • Ensure Compliance: Meet regulatory requirements by restricting data access.
  • Enable Collaboration: Share data securely across teams when needed.

So, Who Sees What?

A Day at Blucon: A Story of Record-level Security

Welcome to Blucon, a dynamic company alive with energetic sales teams, creative marketing efforts, and visionary planning. But beneath all the hustle lies a finely tuned access control system—Salesforce’s Record-level Security—that quietly ensures the right people see the right data at the right time.

Let’s meet the team to see how record-level security works in action.

Sally the Sales Rep: Sally is a rockstar on the sales floor. In Salesforce, she can see and edit the Opportunities she owns—nothing more, nothing less. She can’t peek into what her colleague John is working on, even if she’s curious about that big client he’s always talking about.

Mike the Sales Manager: Mike oversees the entire sales team, including Sally. Because Mike sits above Sally in the role hierarchy, he can view all Opportunities owned by his team.

Mary from Marketing: Mary is responsible for running region-specific marketing campaigns. She doesn’t need access to all records in Salesforce—just the Accounts in her assigned region.

Carla the CEO: As the captain of the ship, Carla keeps an eye on everything—from revenue trends to customer escalations. Positioned at the top of the role hierarchy, she can access all records across the system, regardless of who owns them.

Tom the Temporary Consultant: Tom was brought in for a short-term project to help revamp account strategies. He doesn’t need access to everything—just a few key Accounts.

Now let’s understand the mechanisms at play:

| Persona | Role | Record-level Security Mechanism | Explanation |
|---|---|---|---|
| Sally | Sales Rep | Organization-Wide Defaults (OWD) | OWD is set to Private on Opportunities, so users only see what they own. |
| Mike | Sales Manager | Role Hierarchy | Role Hierarchy grants managers access to their direct reports’ records automatically. |
| Mary | Marketing | Sharing Rules | Sharing Rules provide access to groups of users based on criteria like region or record ownership. |
| Carla | CEO | Role Hierarchy | Role Hierarchy, at its highest level, grants full visibility across the organization. |
| Tom | Temporary Consultant | Manual Sharing | Manual Sharing is ideal for temporary or limited access needs. |

Each of these characters has access tailored exactly to their role, responsibility, and project needs. Behind the scenes, Salesforce’s Record-level Security mechanisms—OWD, Role Hierarchy, Sharing Rules, and Manual Sharing—work in harmony to keep data safe, access controlled, and teams productive.

In Blucon, not everything is shared—but everything is shared wisely.
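
The evaluation described under “How Does Salesforce Decide Who Sees What?”, applied to the Blucon personas, as an added Python sketch (not Salesforce code and not part of the original article). It takes the most permissive record-level grant and caps it at the object-level permission. The user names, record IDs, regions and permission values are constructed, and treating role-hierarchy access as equal to the owner's level is an assumption.

```python
# Added illustration: a simplified model of the layering, not Salesforce's engine.
LEVELS = ["None", "Read", "Edit"]                     # least to most permissive
OWD_BASELINE = {"Private": "None", "Public Read Only": "Read",
                "Public Read/Write": "Edit"}
# Constructed Blucon data (all names and values are assumptions for this example).
OWD = {"Opportunity": "Private", "Account": "Private"}
MANAGER_OF = {"sally": "mike", "john": "mike", "mike": "carla"}   # role hierarchy
GROUPS = {"West Marketing": {"mary"}}                 # public group -> members
OBJECT_PERM = {("sally", "Opportunity"): "Edit", ("mike", "Opportunity"): "Edit",
               ("carla", "Opportunity"): "Edit", ("carla", "Account"): "Edit",
               ("mary", "Account"): "Read", ("tom", "Account"): "Edit"}
# Criteria-based rule: Accounts in the West region -> West Marketing, read-only.
SHARING_RULES = [("Account", lambda r: r.get("region") == "West",
                  "West Marketing", "Read")]
MANUAL_SHARES = [("A-1", "tom", "Read")]              # one record, one user
RECORDS = {
    "O-1": {"object": "Opportunity", "owner": "sally"},
    "O-2": {"object": "Opportunity", "owner": "john"},
    "A-1": {"object": "Account", "owner": "john", "region": "West"},
    "A-2": {"object": "Account", "owner": "john", "region": "East"},
}

def is_above(user, owner):
    """True if `user` sits anywhere above `owner` in the role hierarchy."""
    cur = MANAGER_OF.get(owner)
    while cur and cur != user:
        cur = MANAGER_OF.get(cur)
    return cur == user

def effective_access(user, record_id):
    """Return (level, sources): most permissive grant, capped by object permission."""
    rec = RECORDS[record_id]
    cap = OBJECT_PERM.get((user, rec["object"]), "None")
    grants = [(OWD_BASELINE[OWD[rec["object"]]], "OWD")]
    if rec["owner"] == user:
        grants.append(("Edit", "Owner"))
    if is_above(user, rec["owner"]):
        grants.append(("Edit", "Role Hierarchy"))     # assumption: same level as owner
    for obj, matches, group, level in SHARING_RULES:
        if obj == rec["object"] and matches(rec) and user in GROUPS[group]:
            grants.append((level, "Sharing Rule"))
    grants += [(lvl, "Manual Share") for rid, u, lvl in MANUAL_SHARES
               if rid == record_id and u == user]
    best = max(LEVELS.index(lvl) for lvl, _ in grants)
    level = LEVELS[min(best, LEVELS.index(cap))]      # object permission is the ceiling
    if level == "None":
        return level, []
    return level, [s for lvl, s in grants if LEVELS.index(lvl) == best]
```

Mike has no object permission on Accounts in this constructed data, so his position in the hierarchy above John grants him nothing on A-1: the object-level “No access” wins.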

Fun Fact: The “Sharing” Button Mystery

Ever wondered why some records have a Share button and others don’t? It depends on your OWD settings and object configuration. When Organization-Wide Defaults are configured as Public Read/Write, access is unrestricted—therefore, the Sharing button is hidden. If it’s more restrictive, the Share button appears to let owners grant exceptions. Here’s the breakdown:

The “Sharing” Button Appears When:

  • OWD is set to “Private” or “Public Read Only” – The access is restricted by default; hence manual sharing is essential to extend visibility.
  • The user owns the record or has Full Access – Owners and those with full control can manually share records with others.

The “Sharing” Button Is Hidden When:

  • OWD is Public Read/Write – Everyone already has access, so sharing isn’t needed.
  • The user does not own the record – You can’t share what you don’t control.
  • Manual Sharing isn’t enabled for the object – Some custom objects might not support it.

Quick Recap Table:

| Condition | Sharing Button |
|---|---|
| OWD = Private/Public Read Only & User owns record | Visible |
| OWD = Public Read/Write | Hidden |
| The user doesn’t own the record or lacks Full Access | Hidden |
| Manual Sharing disabled for object | Hidden |

Tips and Tricks for Admins: Mastering Record-level Security

  • Start with OWD set to Private, then open up access where necessary.
  • Design your role hierarchy thoughtfully. Mirror your organization’s structure but keep it as flat as possible to avoid complexity.
  • Document your sharing model. You’ll thank yourself later.
  • Avoid over-relying on manual sharing; it’s not scalable.
  • Use sharing rules for cross-team collaboration. Automate access for groups rather than manual sharing whenever possible.
  • Use public groups to organize users in a structured manner (such as grouping them by region like “West Coast Sales”) to streamline the creation of sharing rules.
  • Train users on how and when they can (and can’t) share data.
  • Audit record access regularly.

Wrapping Up

Record-level Security may sound like an intimidating fortress of permissions, but once you understand its layers, it becomes a powerful ally. As a Salesforce Admin, it’s your job to guard the data—making sure users see what they need, and nothing more. It’s like managing keys to a building—you want to keep the right doors open for the right people, and locked tight for everyone else.

Happy sharing—or not sharing!

Sheima Latha J