Who Sees What When? Using Dynamic Sharing Rules to Manage Access to Salesforce Records
John Westenhaver, Solution Architect, Spyrel, Inc.
Salesforce Security Model
Profiles
Roles
Public Groups
Sharing
– Setting Up Sharing Rules
– Automatic Sharing Rules
– Manual Sharing Rules
– Master-Detail Sharing Rules
– Dynamic Sharing Rules
Profiles
Determine which objects you can read, create, edit, and delete
Determine which fields you can see on objects you can see
Determine which applications you can see
Determine which tabs you can see
Determine which record types you can see
Have no effect on access to specific records
Roles
Establish a hierarchy of users
– Users belonging to a role can view, edit, and report on all data owned by or shared with users below them in the hierarchy
– Unless the Grant Access Using Hierarchies checkbox is unchecked on the Organization-Wide Defaults list for an object
Establish hierarchical access rights to records, not position on the company org chart
Are created automatically for customer portal users
Public Groups
Are an arbitrary collection of users
Can be used to set up sharing rules when roles will not work due to business rules
Sharing Rules
Automatic Sharing Rules
– Pros: automatic, configurable, criteria-based rules for custom objects
– Cons: multi-record, inflexible, criteria-based rules not available for standard objects
Manual Sharing Rules
– Pros: flexible, configurable
– Cons: manual, single-record, cannot use criteria-based rules
Dynamic Sharing Rules
– Pros: flexible, automatic, multi-record
– Cons: requires programming, cannot use criteria-based rules
Setting Up Sharing Rules
Go to Setup | Security | Sharing Settings
Click the Edit button to set up Organization-Wide Defaults
– If set to Public Read/Write, anyone can see and edit it
– If set to Public Read Only, anyone can see it
– If set to Private, only record owners and the users, roles, and public groups granted access via sharing rules can see it
Setting Up Sharing Rules
All custom objects have three options:
– Public Read/Write
– Public Read Only
– Private
Standard objects have special rules
Uncheck the Grant Access Using Hierarchies checkbox to disable access to records via role hierarchies
Standard Object Automatic Sharing Rules
Go to Setup | Security | Sharing Settings
Scroll down past the Organization-Wide Defaults section
Click the New button for any standard object
Standard Object Automatic Sharing Rules
Select a public group, queue, or role that owns the records you want to automatically share
– This does not work for individual users
Select a public group or role that you want to share these records with
Select the access rights these users will have
Custom Object Automatic Sharing Rules
Go to Setup | Security | Sharing Settings
Scroll down past the Organization-Wide Defaults section
Click the New button for any custom object
Choose whether to create an owner-based or criteria-based sharing rule
Custom Object Automatic Sharing - Owner
Custom Object Automatic Sharing - Criteria
Manual Sharing Rules
For any object with Private or Public Read Only access permissions, the Sharing button becomes available.
Click on the Sharing button to manually create sharing rules for this record.
Manual Sharing Rules
A list of all existing sharing rules is displayed, both manual and automatic
Click the Add button to add another sharing rule for this specific record
Manual Sharing Rules
Select a public group, role, or user with which to share this record
Select the access rights you want to share
– Standard objects may have special access rights
• When sharing an Account, you can also set access rights to the Opportunities and Cases associated with that Account
– Custom objects only have two options for access rights:
• Read Only
• Read/Write
Master-Detail Sharing Rules
Apply only to master-detail relationships
Sharing rules defined for the master record define how access to detail records will be granted, based on this setting
Sharing rules cannot be defined for detail records in a master-detail relationship
Dynamic Sharing Rules Demo
User Roles
– Salesperson
– Project Manager
Requirements
– All users will have access only to those records they need to do their jobs.
– Identify the Project Manager for any Installation Opportunity before it can be closed.
– Create a new Installation Project owned by the Project Manager whenever an Installation Opportunity is closed.
– Create a new Installation Case for each Opportunity Product whenever an Installation Opportunity is closed.
Dynamic Sharing Rules Demo
More Requirements
– Automatically add the Project Manager to the Project Team.
– Automatically grant the Salesperson read-only access to the Installation Project.
– Automatically grant the Project Manager read-only access to the Installation Opportunity.
– Whenever a new Team Member is added to the Project Team, grant that user edit access to all Project Cases.
– Whenever a new Project Case is added, grant all Project Team members edit access to that Project Case.
Dynamic Sharing Rules Demo
SharingTools.cls
– Sharing constants
– doSharingTriggers
– Deriving group ID from role name for customer portal roles
opportunityAfterInsertUpdate.trigger
projectAfterInsertUpdate.trigger
teamMemberAfterInsertUpdate.trigger
caseAfterInsertUpdate.trigger
Things To Watch Out For
Criteria-based sharing rules cannot be created dynamically as of Spring ’11.
If a user has the View All permission, this overrides any sharing rules. This is why System Administrators automatically see all records, regardless of sharing rules.
You cannot use Apex to share a record with the owner of that record; this results in the barely documented INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY error.
More Things To Watch Out For
As a best practice, always use the “with sharing” keywords when writing Apex.
All custom sharing objects are named Object__Share, with two underscores and no “__c”.
All standard sharing objects are named ObjectShare, with no underscores.
The field names for all custom sharing objects are exactly the same; however, the field names for each standard sharing object are specific to that object.
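An added example (not the session's SharingTools.cls or its triggers) that puts the two share-object naming conventions and the owner restriction above into one bulk-safe helper for the demo's project trigger. The custom object Project__c, its Opportunity__c and Project_Manager__c lookups, and treating the Opportunity owner as the Salesperson are assumptions.

```apex
// Added example, not the session's SharingTools.cls. Assumed custom object
// Project__c with lookups Opportunity__c and Project_Manager__c (User).
public with sharing class ProjectSharing {
    // Custom share objects (Object__Share) all use the same fields:
    // ParentId, UserOrGroupId, AccessLevel, RowCause.
    public static Project__Share projectShare(Project__c p, Id userId, String access) {
        // Sharing a record with its own owner fails with
        // INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY, so skip that case.
        if (userId == null || userId == p.OwnerId) return null;
        return new Project__Share(
            ParentId = p.Id,
            UserOrGroupId = userId,
            AccessLevel = access,   // 'Read' or 'Edit'
            RowCause = Schema.Project__Share.RowCause.Manual);
    }

    // Standard share objects (ObjectShare) use object-specific field names.
    public static OpportunityShare opportunityShare(Opportunity o, Id userId, String access) {
        if (userId == null || userId == o.OwnerId) return null;
        return new OpportunityShare(
            OpportunityId = o.Id,
            UserOrGroupId = userId,
            OpportunityAccessLevel = access,
            RowCause = Schema.OpportunityShare.RowCause.Manual);
    }

    // Bulk-safe body for the project after-insert trigger: the Salesperson
    // (Opportunity owner) gets read-only on the Project and the Project Manager
    // gets read-only on the Opportunity.
    public static void shareNewProjects(List<Project__c> projects) {
        Set<Id> oppIds = new Set<Id>();
        for (Project__c p : projects) oppIds.add(p.Opportunity__c);
        Map<Id, Opportunity> opps = new Map<Id, Opportunity>(
            [SELECT Id, OwnerId FROM Opportunity WHERE Id IN :oppIds]);
        List<SObject> shares = new List<SObject>();
        for (Project__c p : projects) {
            Opportunity opp = opps.get(p.Opportunity__c);
            if (opp == null) continue;
            SObject forSalesperson = projectShare(p, opp.OwnerId, 'Read');
            SObject forManager = opportunityShare(opp, p.Project_Manager__c, 'Read');
            if (forSalesperson != null) shares.add(forSalesperson);
            if (forManager != null) shares.add(forManager);
        }
        // allOrNone = false: one rejected share row does not roll back the rest.
        for (Database.SaveResult r : Database.insert(shares, false)) {
            if (!r.isSuccess()) System.debug(LoggingLevel.ERROR, r.getErrors());
        }
    }
}
```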
Sharing Rules & The Customer Portal
Whenever a customer portal user is created, he is automatically assigned to a role that is created automatically
If Organization-Wide Defaults are set to Private for objects visible on the customer portal, then sharing rules must be defined
Customer portal roles have three possible names:
– [Account Name] Customer Executive
– [Account Name] Customer Manager
– [Account Name] Customer User
Sharing Rules & The Customer Portal
By default, the lowest level role (Customer User) is assigned to new customer portal users
You need to determine which customer portal role will be necessary to meet your requirements
You may use one, two, or three different customer portal roles
When creating dynamic sharing rules, you have to derive the role name and then look up the Group ID associated with this role
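An added example (not the session's code) of the role-name-to-Group-ID derivation described above, written to be bulk-safe inside a trigger. It assumes the "[Account Name] Customer ..." naming from the previous slide and relies on the standard Group object's Type and RelatedId fields, where RelatedId holds the UserRole Id for groups of Type 'Role'.

```apex
// Added example, not the session's SharingTools.cls. Maps each Account to the
// Group Id that backs its customer portal role, so share rows can target it.
public with sharing class PortalRoleGroups {
    public static final String SUFFIX_EXECUTIVE = 'Customer Executive';
    public static final String SUFFIX_MANAGER   = 'Customer Manager';
    public static final String SUFFIX_USER      = 'Customer User';

    // Role name convention from the slide: "[Account Name] Customer User" etc.
    public static String portalRoleName(String accountName, String suffix) {
        return accountName + ' ' + suffix;
    }

    // Returns Account Id -> Group Id for the requested portal role level.
    // Accounts with no portal role of that name are simply absent from the map.
    public static Map<Id, Id> groupIdsForAccounts(Set<Id> accountIds, String suffix) {
        Map<String, Id> accountByRoleName = new Map<String, Id>();
        for (Account a : [SELECT Id, Name FROM Account WHERE Id IN :accountIds]) {
            accountByRoleName.put(portalRoleName(a.Name, suffix), a.Id);
        }
        // Step 1: derive the role from its name.
        Map<Id, String> roleNameById = new Map<Id, String>();
        for (UserRole r : [SELECT Id, Name FROM UserRole
                           WHERE Name IN :accountByRoleName.keySet()]) {
            roleNameById.put(r.Id, r.Name);
        }
        // Step 2: find the Group Salesforce created for that role; this is the
        // UserOrGroupId to put on the share record, not the role Id itself.
        Map<Id, Id> groupByAccount = new Map<Id, Id>();
        for (Group g : [SELECT Id, RelatedId FROM Group
                        WHERE Type = 'Role' AND RelatedId IN :roleNameById.keySet()]) {
            Id accountId = accountByRoleName.get(roleNameById.get(g.RelatedId));
            if (accountId != null) groupByAccount.put(accountId, g.Id);
        }
        return groupByAccount;
    }
}
```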
How Do I Get My Hands On This Code?
URL: https://login.salesforce.com
User ID: [email protected]
Password: Passw0rd