We set our Account and Contact OWD (Organization-Wide Defaults) sharing to Private. But somehow a user can still view an Account that is not owned by him or shared with him. Why?
Luckily, Salesforce lets us, as admins, play Sherlock Holmes and track this down.
1. Go to the affected account page layout.
2. Click the Sharing button. Make sure it has been added to the Account page layout and that you are logged in as a system admin.
3. Click the 'Expand List' button.
4. Look for the user who is able to view the account and click the 'Why?' link. On this last screen, look for 'Reason for Access'.
In my case, I found that the user was able to view that Account because there is a Read/Write sharing rule on Contact that allows the user to edit the contact. But somehow Salesforce gives that user Read Only permission to view the Account tagged to the Contact that the user gets access to through the Contact sharing rule.
Interesting??? There are so many secrets within Salesforce.
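The same investigation can be scripted against the standard AccountShare object, whose RowCause field records why each share row exists; ImplicitParent is the value Salesforce uses when Account access comes from access to a related record such as a Contact. The following is an added example, not code from the original post: the rows and Ids are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# SOQL an admin could run to export the share rows for one account.
# '<ACCOUNT_ID>' is a placeholder to be replaced with a real record Id.
SOQL = ("SELECT AccountId, UserOrGroupId, AccountAccessLevel, RowCause "
        "FROM AccountShare WHERE AccountId = '<ACCOUNT_ID>'")

# Constructed sample export; Ids are illustrative, not real Salesforce Ids.
SAMPLE_ROWS = [
    {"AccountId": "001-ACME", "UserOrGroupId": "005-OWNER",
     "AccountAccessLevel": "All", "RowCause": "Owner"},
    {"AccountId": "001-ACME", "UserOrGroupId": "005-ALICE",
     "AccountAccessLevel": "Read", "RowCause": "ImplicitParent"},
    {"AccountId": "001-ACME", "UserOrGroupId": "005-BOB",
     "AccountAccessLevel": "Edit", "RowCause": "Manual"},
    {"AccountId": "001-ACME", "UserOrGroupId": "005-BOB",
     "AccountAccessLevel": "Read", "RowCause": "ImplicitParent"},
]


def reasons_for_access(rows):
    """Map (account, user-or-group) -> sorted list of RowCause values."""
    causes = defaultdict(set)
    for row in rows:
        causes[(row["AccountId"], row["UserOrGroupId"])].add(row["RowCause"])
    return {key: sorted(vals) for key, vals in causes.items()}


def implicit_only(rows):
    """Return (account, user-or-group) pairs whose ONLY reason for access
    is ImplicitParent, i.e. access inherited from a child record such as
    a Contact rather than granted on the Account itself."""
    return sorted(key for key, causes in reasons_for_access(rows).items()
                  if causes == ["ImplicitParent"])


if __name__ == "__main__":
    for (account, principal), causes in reasons_for_access(SAMPLE_ROWS).items():
        print(account, principal, ", ".join(causes))
    print("Implicit-only access:", implicit_only(SAMPLE_ROWS))
```

UserOrGroupId can also refer to a group, so an implicit-only hit may need to be resolved to its members before it is reviewed.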