The Layered Security Model
Salesforce record access is controlled by four layers that work together. Each layer can only open up access — you cannot use a lower layer to restrict access granted by a higher one. The layers in order are: OWD → Role Hierarchy → Sharing Rules → Manual Sharing.
1. Organisation-Wide Defaults (OWD)
OWD is the baseline access level for every record in an object. It answers: "What can a user see if they have no other reason to access this record?" Options are:
- Private — only the record owner (and those above in the role hierarchy) can access it
- Public Read Only — everyone can view, only the owner can edit
- Public Read/Write — everyone can view and edit
Always set OWD to the most restrictive level your business needs, then open up access with the layers below.
2. Role Hierarchy
The role hierarchy grants managers access to all records owned by users below them in the hierarchy. This is enabled by default for standard objects. Users at higher roles can view and edit records owned by subordinates — useful for sales managers seeing their team's opportunities.
3. Sharing Rules
Sharing rules extend access to groups of users who need it, without changing OWD. There are two types:
- Owner-based — shares records owned by specific users or roles with other users or groups
- Criteria-based — shares records meeting specific field criteria (e.g., all Accounts in the "Healthcare" industry)
Sharing rules can only grant Read Only or Read/Write access — they cannot restrict access below the OWD level.
4. Manual Sharing
Record owners and admins can manually share individual records with specific users or groups via the Sharing button on the record. This is the most granular and ad-hoc method. It scales poorly across large organisations and should be the last resort.
Apex Sharing (for Developers)
When none of the declarative options are sufficient, developers can create sharing records programmatically using Apex. A custom sharing object (e.g., AccountShare) can be inserted to share a specific record with a specific user. This requires the with sharing / without sharing keyword to be used correctly in Apex classes.