We often hear that the business would like to restrict a certain number of users from accessing Account while keeping it open to all other users. How can we do that in Salesforce?
However, Salesforce works the other way round: you specify who can access an object, not who cannot.
If your company decides not to give anyone in the company access (to view or edit an object), set the Organization-Wide Defaults (OWD) to Private, then add sharing rules for that object based on criteria, Public Groups, Roles or 'Roles and Subordinates'.
If OWD is set to Private or Public Read-Only, records are shared through the following mechanisms:
- Role Hierarchy: any user higher in the role hierarchy than the record owner will be able to access the record.
- Sharing Rule: any user named in a sharing rule, and any user higher in the role hierarchy than those users, will be able to access the record.
- Manual Sharing: the record owner, or a user higher in the role hierarchy than the record owner, can share the records owned.
To investigate who can access a record, a system admin can click the 'Sharing' button in the record detail, then click 'Expand List' to see more details on which users the record is shared with and why.
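
The same investigation can be scripted for an access review. The Apex below is an added example, not part of the original post; it is meant for Execute Anonymous, and the two record Ids are constructed placeholders to replace with real ones from your org.

```apex
// Added example: audit who an Account is shared with, and why.
// Both Ids are constructed placeholders, not real records.
Id accountId = '001000000000001AAA';   // hypothetical Account Id
Id userId    = '005000000000001AAA';   // hypothetical User Id to check

// 1. Explicit share rows. RowCause is the "why": Owner, Rule, Manual, ...
List<AccountShare> shares = [
    SELECT UserOrGroupId, AccountAccessLevel, RowCause
    FROM AccountShare
    WHERE AccountId = :accountId
];

// A share row can point at a user or at a group (public group, role,
// role and subordinates). Collect the group Ids to look up their type.
Set<Id> groupIds = new Set<Id>();
for (AccountShare s : shares) {
    if (s.UserOrGroupId.getSObjectType() == Group.SObjectType) {
        groupIds.add(s.UserOrGroupId);
    }
}
Map<Id, Group> groups = new Map<Id, Group>([
    SELECT Id, DeveloperName, Type FROM Group WHERE Id IN :groupIds
]);

for (AccountShare s : shares) {
    Group g = groups.get(s.UserOrGroupId);
    String grantee = (g == null)
        ? 'User ' + s.UserOrGroupId
        : g.Type + ' group ' + g.DeveloperName;
    System.debug(s.RowCause + ' -> ' + grantee
        + ' (' + s.AccountAccessLevel + ')');
}

// 2. Effective access for one user. Unlike the share rows above, this
// also reflects access inherited through the role hierarchy.
UserRecordAccess ura = [
    SELECT RecordId, HasReadAccess, HasEditAccess, MaxAccessLevel
    FROM UserRecordAccess
    WHERE UserId = :userId AND RecordId = :accountId
];
System.debug('Effective access for ' + userId + ': ' + ura.MaxAccessLevel
    + ' (read=' + ura.HasReadAccess + ', edit=' + ura.HasEditAccess + ')');
```

Rows with a RowCause of Manual are worth reviewing first, since they are granted record by record and are not governed by a sharing rule.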