In addition to the sharing setting defined by the system admin, the Salesforce platform also has built-in sharing behaviors between parent and child records. This sharing is called implicit sharing because it is not configured by administrators but defined and maintained by the platform.
Implicit sharing is automatic. You can neither turn it off nor turn it on — it is native to the platform. In other words, it isn't configurable; however, it's very important to understand how it works.
Parent implicit sharing provides read-only access to parent record (Account) when the user has read/write or read-only access in a child record (Opportunity, Case, or Contact) through child record ownership, sharing rule, or added as a team member (Opportunity Team or Case Team).
For example, Account A has 3 contacts; if user X has access to one (or more) of the contacts of Account A, user X will be able to access the Account as read-only.
If the user has access to the child record via object permission (in Profile or Permission Set), the parent implicit sharing does not apply.
Parent implicit sharing only gives read-only access to the Account; for example, if A is the owner of an opportunity, parent implicit sharing will not give A access to ALL Contacts and Opportunities under the same Account.
Opportunity Contact Role
Parent implicit sharing does not apply by adding Contact Roles in the Opportunity. Adding Contact Roles to the Opportunity will not allow the Contact owner to have access to the Account.
Related Contacts
Related Contacts
Parent implicit sharing does not apply by adding Contact as a Related Contact to an Account (indirect). Adding a contact as a Related Contact will not allow the Contact owner to have access to the Account.
Lookup Relationship
When the user has access to a record from other objects (NOT Opportunity, Case, or Contact) with a Lookup relationship to the Account, the user will see the Account Name only, but not the Account detail—this includes Account lookup to the Parent Account; the child account owner will see the Parent Account Name only.
The same behavior applies to lookup from other objects, including custom objects. For the Master-Detail relationship, the child record does not have an owner, so it is not applicable in this scenario.
If we look from the back end at how this is stored, there is an object called AccountShare. This object stores all the defined and implicit sharing. It also has RowCause, which tells us the reason that this sharing entry exists.
One of the values is ImplicitParent — the User or Group has access because they’re the owner of or have shared access to records related to the account, such as opportunities, cases, contacts, contracts, or orders -- so, it is not always the owner of the record, but as long as the user has access to the child records via sharing rules.
sample query: SELECT Id, AccountId, UserOrGroupId, AccountAccessLevel, CaseAccessLevel, ContactAccessLevel, OpportunityAccessLevel, RowCause FROM AccountShare WHERE UserOrGroupId = '0053400000AAkhz' AND AccountId = '0013400001RhrP3'
Lookup Relationship
When the user has access to a record from other objects (NOT Opportunity, Case, or Contact) with a Lookup relationship to the Account, the user will see the Account Name only, but not the Account detail—this includes Account lookup to the Parent Account; the child account owner will see the Parent Account Name only.
The same behavior applies to lookup from other objects, including custom objects. For the Master-Detail relationship, the child record does not have an owner, so it is not applicable in this scenario.
If we look from the back end at how this is stored, there is an object called AccountShare. This object stores all the defined and implicit sharing. It also has RowCause, which tells us the reason that this sharing entry exists.
One of the values is ImplicitParent — the User or Group has access because they’re the owner of or have shared access to records related to the account, such as opportunities, cases, contacts, contracts, or orders -- so, it is not always the owner of the record, but as long as the user has access to the child records via sharing rules.
sample query: SELECT Id, AccountId, UserOrGroupId, AccountAccessLevel, CaseAccessLevel, ContactAccessLevel, OpportunityAccessLevel, RowCause FROM AccountShare WHERE UserOrGroupId = '0053400000AAkhz' AND AccountId = '0013400001RhrP3'
No comments:
Post a Comment