Who Sees What When?
Using Dynamic Sharing Rules to Manage Access to Salesforce Records

John Westenhaver
Solution Architect
Spyrel, Inc.

Salesforce Security Model
• Profiles
• Roles
• Public Groups
• Sharing
  – Setting Up Sharing Rules
  – Automatic Sharing Rules
  – Manual Sharing Rules
  – Master-Detail Sharing Rules
  – Dynamic Sharing Rules

Profiles
• Determine which objects you can read, create, edit, and delete
• Determine which fields you can see on objects you can see
• Determine which applications you can see
• Determine which tabs you can see
• Determine which record types you can see
• Have no effect on access to specific records

Roles
• Establish a hierarchy of users
  – Users belonging to a role can view, edit, and report on all data owned by or shared with users below them in the hierarchy
  – Unless the Grant Access Using Hierarchies checkbox is unchecked on the Organization-Wide Defaults list for an object
• Establish hierarchical access rights to records, not position on the company org chart
• Are created automatically for customer portal users

Public Groups
• Are an arbitrary collection of users
• Can be used to set up sharing rules when roles will not work due to business rules

Sharing Rules
• Automatic Sharing Rules
  – Pros: automatic, configurable, criteria-based rules for custom objects
  – Cons: multi-record, inflexible, criteria-based rules not available for standard objects
• Manual Sharing Rules
  – Pros: flexible, configurable
  – Cons: manual, single-record, cannot use criteria-based rules
• Dynamic Sharing Rules
  – Pros: flexible, automatic, multi-record
  – Cons: requires programming, cannot use criteria-based rules

Setting Up Sharing Rules
• Go to Setup | Security | Sharing Settings
• Click the Edit button to set up Organization-Wide Defaults
  – If set to Public Read/Write, anyone can see and edit it
  – If set to Public Read Only, anyone can see it
  – If set to Private, only record owners and users, roles, and public groups granted access via sharing rules can see it

Setting Up Sharing Rules
• All custom objects have three options:
  – Public Read/Write
  – Public Read Only
  – Private
• Standard objects have special rules
• Uncheck the Grant Access Using Hierarchies checkbox to disable access to records via role hierarchies

Standard Object Automatic Sharing Rules
• Go to Setup | Security | Sharing Settings
• Scroll down past the Organization-Wide Defaults section
• Click the New button for any standard object

Standard Object Automatic Sharing Rules
• Select a public group, queue, or role that owns the records you want to automatically share
  – This does not work for individual users
• Select a public group or role that you want to share these records with
• Select the access rights these users will have

Custom Object Automatic Sharing Rules
• Go to Setup | Security | Sharing Settings
• Scroll down past the Organization-Wide Defaults section
• Click the New button for any custom object
• Choose whether to create an owner-based or criteria-based sharing rule

Custom Object Automatic Sharing - Owner

Custom Object Automatic Sharing - Criteria

Manual Sharing Rules
• For any object with Private or Public Read Only access permissions, the Sharing button becomes available.
• Click on the Share button to manually create sharing rules for this record.

Manual Sharing Rules
• A list of all existing sharing rules is displayed, both manual and automatic
• Click the Add button to add another sharing rule for this specific record

Manual Sharing Rules
• Select a public group, role, or user with which to share this record
• Select the access rights you want to share
  – Standard objects may have special access rights
    • When sharing an Account, you can also set access rights to the Opportunities and Cases associated with that Account
  – Custom objects only have two options for access rights:
    • Read Only
    • Read/Write

Master-Detail Sharing Rules
• Apply only to master-detail relationships
• Sharing rules defined for the master record define how access to detail records will be granted, based on this setting
• Sharing rules cannot be defined for detail records in a master-detail relationship

Dynamic Sharing Rules Demo
• User Roles
  – Salesperson
  – Project Manager
• Requirements
  – All users will have access only to those records they need to do their jobs.
  – Identify the Project Manager for any Installation Opportunity before it can be closed.
  – Create a new Installation Project owned by the Project Manager whenever an Installation Opportunity is closed.
  – Create a new Installation Case for each Opportunity Product whenever an Installation Opportunity is closed.

Dynamic Sharing Rules Demo
• More Requirements
  – Automatically add the Project Manager to the Project Team.
  – Automatically grant the Salesperson read-only access to the Installation Project.
  – Automatically grant the Project Manager read-only access to the Installation Opportunity.
  – Whenever a new Team Member is added to the Project Team, grant that user edit access to all Project Cases.
  – Whenever a new Project Case is added, grant all Project Team members edit access to that Project Case.

Dynamic Sharing Rules Demo
• SharingTools.cls
  – Sharing constants
  – doSharingTriggers
  – Deriving group ID from role name for customer portal roles
• opportunityAfterInsertUpdate.trigger
• projectAfterInsertUpdate.trigger
• teamMemberAfterInsertUpdate.trigger
• caseAfterInsertUpdate.trigger

Things To Watch Out For
• Criteria-based sharing rules cannot be created dynamically as of Spring ’11.
• If a user has the View All permission, this overrides any sharing rules. This is why System Administrators automatically see all records, regardless of sharing rules.
• You cannot use Apex to share a record with the owner of that record; this results in the barely documented INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY error.

More Things To Watch Out For
• As a best practice, always use the “with sharing” keywords when writing Apex.
• All custom sharing objects are named Object__Share, with two underscores and no “__c”.
• All standard sharing objects are named ObjectShare, with no underscores.
• The field names for all custom sharing objects are exactly the same; however, the field names for all standard sharing objects are specific to that object.
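
An added Apex example (not the presenter's SharingTools.cls) showing the naming and owner points from the two slides above, applied to the demo's "grant Project Team members edit access to a Project Case" requirement. The custom object Project__c, the class name and the method names are assumptions, and Case is assumed to be Private or Public Read Only so that CaseShare exists.

```apex
// Added example; Project__c, class and method names are hypothetical.
public with sharing class ProjectSharingExample {

    // Custom object: share object is Project__Share (no "__c") and uses the
    // generic field names ParentId / UserOrGroupId / AccessLevel / RowCause.
    public static Project__Share projectShare(Id projectId, Id userOrGroupId, String level) {
        return new Project__Share(
            ParentId      = projectId,
            UserOrGroupId = userOrGroupId,
            AccessLevel   = level, // 'Read' or 'Edit'
            RowCause      = Schema.Project__Share.RowCause.Manual
        );
    }

    // Standard object: share object is CaseShare and the field names are
    // specific to Case (CaseId, CaseAccessLevel).
    public static CaseShare caseShare(Id caseId, Id userOrGroupId, String level) {
        return new CaseShare(
            CaseId          = caseId,
            UserOrGroupId   = userOrGroupId,
            CaseAccessLevel = level // 'Read' or 'Edit'
        );
    }

    // Grants every team member Edit on every case. OwnerId must be populated
    // on each Case (it is in Trigger.new; otherwise query it first).
    public static void shareCasesWithTeam(List<Case> cases, Set<Id> teamUserIds) {
        List<CaseShare> shares = new List<CaseShare>();
        for (Case c : cases) {
            for (Id userId : teamUserIds) {
                // The owner already has full access; sharing with the owner
                // is the error case called out on the slide, so skip it.
                if (userId == c.OwnerId) continue;
                shares.add(caseShare(c.Id, userId, 'Edit'));
            }
        }
        // allOrNone = false: one rejected share does not roll back the rest,
        // and each failure is logged instead of being silently dropped.
        for (Database.SaveResult sr : Database.insert(shares, false)) {
            if (!sr.isSuccess()) {
                Database.Error e = sr.getErrors()[0];
                System.debug(LoggingLevel.ERROR,
                    String.valueOf(e.getStatusCode()) + ': ' + e.getMessage());
            }
        }
    }
}
```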

Sharing Rules & The Customer Portal
• Whenever a customer portal user is created, he is automatically assigned to a role that is created automatically
• If Organization-Wide Defaults are set to private for objects visible on the customer portal, then sharing rules must be defined
• Customer portal roles have three possible names:
  – [Account Name] Customer Executive
  – [Account Name] Customer Manager
  – [Account Name] Customer User

Sharing Rules & The Customer Portal
• By default, the lowest level role (Customer User) is assigned to new customer portal users
• You need to determine which customer portal role will be necessary to meet your requirements
• You may use one, two, or three different customer portal roles
• When creating dynamic sharing rules, you have to derive the role name and then look up the Group ID associated with this role
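
An added Apex example (not the presenter's code) of the lookup described in the last bullet: derive the portal role name from the account name, find the role, then find the Group that represents it. The class and method names are hypothetical, and skipping role names that match more than once is a design choice of this example so that a share is never granted to another account's portal role.

```apex
// Added example; class and method names are hypothetical.
public with sharing class PortalRoleGroupExample {

    // roleSuffix is one of 'Customer Executive', 'Customer Manager',
    // 'Customer User'. Returns Account Id -> Group Id usable as UserOrGroupId.
    public static Map<Id, Id> portalRoleGroupIds(Set<Id> accountIds, String roleSuffix) {
        // Step 1: derive "[Account Name] <suffix>" for each account.
        Map<String, Id> accountIdByRoleName = new Map<String, Id>();
        Set<String> ambiguous = new Set<String>();
        for (Account a : [SELECT Id, Name FROM Account WHERE Id IN :accountIds]) {
            String roleName = (a.Name + ' ' + roleSuffix).toLowerCase();
            if (accountIdByRoleName.containsKey(roleName)) ambiguous.add(roleName);
            accountIdByRoleName.put(roleName, a.Id);
        }

        // Step 2: find the roles with those names. Role names are not unique,
        // so a name seen twice is marked ambiguous and dropped later.
        Map<Id, String> roleNameByRoleId = new Map<Id, String>();
        Set<String> seen = new Set<String>();
        for (UserRole r : [SELECT Id, Name FROM UserRole
                           WHERE Name IN :accountIdByRoleName.keySet()]) {
            String key = r.Name.toLowerCase();
            if (!seen.add(key)) ambiguous.add(key);
            roleNameByRoleId.put(r.Id, key);
        }

        // Step 3: each role has a Group of Type 'Role' whose RelatedId is the
        // role Id; that Group Id is what a share record's UserOrGroupId takes.
        Map<Id, Id> groupIdByAccountId = new Map<Id, Id>();
        for (Group g : [SELECT Id, RelatedId FROM Group
                        WHERE Type = 'Role'
                        AND RelatedId IN :roleNameByRoleId.keySet()]) {
            String key = roleNameByRoleId.get(g.RelatedId);
            if (ambiguous.contains(key)) continue; // fail closed on name clashes
            groupIdByAccountId.put(accountIdByRoleName.get(key), g.Id);
        }
        return groupIdByAccountId;
    }
}
```

Accounts missing from the returned map had no matching role or an ambiguous one; treat that as "no share created" and log it rather than falling back to a broader group.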

How Do I Get My Hands On This Code?
Element    Value
URL        https://login.salesforce.com
User ID    [email protected]
Password   Passw0rd