Sharing and Visibilities — the basics

Salesforce in Belgium
3 min read · Nov 15, 2020

Hello from Belgium ! ‘WHY’ is it this way?

Let’s get this straight right from the start: I am sharing my view. For official documentation, just visit Trailhead.

Fact 1 : Salesforce has an underlying Database

Have you ever opened an Excel file?
I’ll illustrate Salesforce’s first concepts with it !

  1. You need access to it
    Like a protected file, if you don’t have the password you won’t be able to open the file. If you don’t have a username and password, you won’t be let into a Salesforce org.
  2. It has different sheets
    The sheets are the different Objects.
  3. Each sheet has columns
    Imagine you take the ‘Account’ sheet. Accounts have a name, an Id, etc., hence one of the columns will be ‘name’, another one will be ‘Id’, etc.
  4. Data lies in the rows
    When a Contact is created in the interface, a row is created in the appropriate sheet by filling the columns with the appropriate information.

Fact 2 : Salesforce differentiates between object accessibility and record visibility

In this definition, objects are ‘only’ the definition of their respective structure. To continue with my analogy: they are the names of the tabs (object accessibility) and the titles of the columns (field level security) in each of these tabs in your Excel file. The records are the data that lies across the different tabs.

Object accessibility can be granted : Read, Create, Edit, Delete

Each object has related field level security : Read, Edit

Fact 3 : Data is the new Gold

WHY: Salesforce is a CRM. Nothing new under the moon. Those who access it should only see the information they are entitled to see. One thing is to allow someone to view accounts, another one is to determine which ones ! Salesforce thus has quite straightforward ways to make objects accessible while having potentially very complex ways to make records visible.

Sales reps get bonuses when they sign deals. We don’t want them to spy on each other’s leads. Partners need to support their clients. We don’t want them to target each other’s clients. Protecting the records is protecting the gold, and preventing gold theft among those who have access to the CRM.

  • Manage Object accessibility with Profiles and Permission Sets
  • Record visibility is managed with: Org Wide Defaults, Role Hierarchy, Public Groups, Sharing Rules, Manual Sharing, APEX Sharing, Territory Management, Opportunity & Account Teams. Moreover, these are different for External users who use community licenses.

Fact 4 : APEX development bypasses sharing and visibility by default

WHY: When it comes to custom APEX development, developers usually perform operations to accelerate/automate business processes. They thus create records on the fly or fill in fields. Whether or not the user who clicked the button has access does not remove the need for automation. As such, unless explicitly coded by developers, sharing and visibility will NOT be enforced.

  • Enforce record visibility with the ‘with sharing’, ‘without sharing’, and ‘inherited sharing’ keywords on the APEX class when making a query to the database (SOQL).
  • Enforce object access with the Schema.DescribeSObjectResult and Schema.DescribeFieldResult classes, with the help of isAccessible(), isCreateable(), isUpdateable() and isDeletable().
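The two bullets above, put side by side as an added example (not code from the original post): the same Account query written once with no enforcement and once with record visibility, object access and field level security all checked. The class names AccountListUnchecked, AccountListChecked and AccessException are hypothetical.

```apex
// BEFORE: no sharing keyword, no describe checks. Unless a caller further up
// the chain declared 'with sharing', this query returns every Account row
// and every selected field, whatever the running user is allowed to see.
public class AccountListUnchecked {
    public static List<Account> recentAccounts() {
        return [SELECT Id, Name, AnnualRevenue FROM Account
                ORDER BY CreatedDate DESC LIMIT 50];
    }
}

// AFTER: 'with sharing' handles record visibility; the describe calls handle
// object accessibility and field level security, which the keyword does NOT.
public with sharing class AccountListChecked {
    public class AccessException extends Exception {}

    public static List<Account> recentAccounts() {
        // Object accessibility: Read on Account (Profile / Permission Set).
        Schema.DescribeSObjectResult obj = Schema.SObjectType.Account;
        if (!obj.isAccessible()) {
            throw new AccessException('No read access to Account');
        }

        // Field level security: keep only the fields this user may read.
        List<String> readable = new List<String>{ 'Id' };
        List<Schema.SObjectField> wanted =
            new List<Schema.SObjectField>{ Account.Name, Account.AnnualRevenue };
        for (Schema.SObjectField token : wanted) {
            Schema.DescribeFieldResult f = token.getDescribe();
            if (f.isAccessible()) {
                readable.add(f.getName());
            }
        }

        // Record visibility: rows are limited by Org Wide Defaults, Role
        // Hierarchy, Sharing Rules, etc. because the class is 'with sharing'.
        // The field names come from describe results, never from user input.
        return Database.query(
            'SELECT ' + String.join(readable, ', ') +
            ' FROM Account ORDER BY CreatedDate DESC LIMIT 50');
    }
}
```

A user without Read on AnnualRevenue gets the same rows from the second class, just without that column; a user without Read on Account gets an exception instead of data.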

Fact 5 : In Salesforce you set up to give access to records, not to restrict it

WHY: Imagine you have a house full of doors that have different keys. Would you rather:

  • Leave all doors open and provide people with keys so they can themselves lock the doors of rooms they should not visit?
  • Lock all doors and provide keys for the rooms they are allowed to visit?

Well, you nailed it. Salesforce is just the same. Org Wide Default is your default strategy for all records of a certain object. You’ll then use the different features Salesforce provides to give the keys to the relevant people so they can open the relevant doors.

Your default setup is for everyone. Yes Everyone.

Everyone but strangers in fact means No one but those I know. Even if you know a lot of people ! If the door is open, then everyone can get in. If just one cannot, then you need to lock the door and provide the key to everyone but that guy !

Closing words

This one stops here. If you already understood these basic WHYs, then you’ll be ready to dig deeper into the technical possibilities of Salesforce. I may even at some point write some deeper details about them !

Salesforce in Belgium

Certified Salesforce Architect. Happy to share my view ! Let’s exchange around some of the underlying elements of the Salesforce platform.