Pages

Wednesday, July 1, 2020

Salesforce: Sharing Rules via Public Group & Role

Sharing records using Public Groups may or may not rollup via role hierarchies, this is determined by the object setup in Organization-Wide Defaults and also Public Groups setup.

By default, Salesforce standard objects will grant access via hierarchies, meaning users with higher role hierarchy will be able to view or edit records where the records are viewable or editable by any users below that user in the role hierarchy.

While for custom objects, you can configure the  "Grant Access Using Hierarchies" under Organization-Wide Defaults for that object.



In the Public Group setting, you also can configure to enable "Grant Access Using Hierarchies". Let us see a few scenarios as below:



1. Sharing to Public Group for objects enabled for "Grant Access Using Hierarchies"

1A. Public Group is "Grant Access Using Hierarchies" enabled
This will share records to users with the higher role hierarchy.

reason for the user in Public Group

reason for the user with higher role hierarchy


Group Staff 2 only has 1 user which is Song Lee, when I expand the list, it will show all users able to access the record. From the screenshot below, Jack Bob is the record owner, while Maria Ann and Platform User 1 are users with roles higher than Song Lee's in the role hierarchy.



1B. Public Group is not "Grant Access Using Hierarchies" enabled
Let us use the same object as above, but share it with a different group which is without enabled "Grant Access Using Hierarchies". This will NOT share records to users with the higher role hierarchy. 


** This is applicable for standard objects too


2. Sharing to Public Group for objects NOT enabled for "Grant Access Using Hierarchies"

2A. Public Group is "Grant Access Using Hierarchies" enabled
In this testing, we are using a custom object not enabled for "Grant Access Using Hierarchies", then we create a sharing rule to share with the same group with Grant Access Using Hierarchies as in (1B).

As the result, this share will NOT grant access to the users in the higher role hierarchy.



2B. Public Group is not "Grant Access Using Hierarchies" enabled
The result of this sharing is exactly the same with (2A), where the users in the higher role hierarchy are NOT shared.


3. Sharing to Roles for objects enabled for "Grant Access Using Hierarchies"
The result is similar to (1A), users in the higher role hierarchy will get access.


4. Sharing to Roles for objects NOT enabled for "Grant Access Using Hierarchies"
The result is similar to (2A), users in the higher role hierarchy NOT will get access.