How to Create a Strong CRM Security Model With Salesforce Sharing Rules


When creating a custom Salesforce security model, find the balance between limiting access to data and giving users convenient access to it.


Once you’ve learned how to control the level of access to your Salesforce data using Organization-Wide Default (OWD) settings and Role Hierarchy, you can take a look at how to open up horizontal access to records for users. To provide such access, you can use one of the Salesforce security components known as Sharing Rules. Let’s see how to choose the right type of Salesforce sharing rule and when to use each of them.

When You Need Salesforce Sharing Rules

In Salesforce, OWD settings are used to provide the base level of user access to data, whereas the role hierarchy grants vertical access to data. Still, sooner or later, most companies come across situations when certain users should have access to specific data that they are not able to access by default because of their roles. For example, marketing specialists may need to know all Closed-Won Opportunities though all opportunities are available only to sales reps by default. In such scenarios, companies can make use of Salesforce sharing rules. There are various ways a record can be shared. Let's explore all of them one by one.

Choosing the Right Type of Salesforce Sharing Rules

The basic principle of sharing rules is that they are used to open up access to data. This means that a company cannot restrict data accessibility using sharing rules. Thus, if you need to maintain restricted access, you should use another Salesforce security layer instead. In Salesforce, you can find the following types of sharing rules:

Record Ownership-Based Rules

This type of sharing rule is used when a company wants to share the records owned by a user, group, queue, or role with another user, group, or role. For example, let's say John, a sales rep for the Southwest Sales Team, wants to share any accounts that he owns with other members of the Southwest Sales Team. If Ann is a Southwest Sales Team member, any accounts shared by John will be automatically available to her.

Criteria-Based Sharing Rules

A company can use criteria-based sharing rules to share records based on values of a specific field or fields with another user, group or role. Salesforce allows companies to create criteria-based sharing rules for accounts, assets, opportunities, cases, contacts, leads, campaigns, work orders, and custom objects. Let’s have a look at a couple of examples of how criteria-based sharing rules work in Salesforce.

  1. A company’s Account object has a custom picklist field named Market. A Salesforce admin can create a criteria-based sharing rule that shares all accounts with the Market field set to APAC with, say, an APAC Sales team.

  2. A company uses a custom object for job applications, with a custom picklist field named “Department.” Using a criteria-based sharing rule, a company can share all job applications in which the Department field is set to “Marketing” with all Marketing managers.


  1. A company can create up to 50 criteria-based sharing rules per object.

  2. A company can choose among the following types of fields that may be used to set criteria:

  • Auto Number

  • Checkbox

  • Date

  • Date/Time

  • Email

  • Number

  • Percent

  • Phone

  • Picklist

  • Text

  • Text Area

  • URL

  • Lookup Relationship (to user ID or queue ID)

  3. “Text” and “Text Area” criteria are case-sensitive. This means that a criteria-based sharing rule that specifies “Marketing” in a text field won’t share records that have “marketing” in the field. In this case, create a rule that lists the common case variants of the word, entering each value separated by a comma.
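The case-sensitivity caveat above can be checked against exported records before a rule goes live. The following is an added example, not code from the original article or from Salesforce: it models a text criterion as an exact match on a comma-separated value list and reports records that are missed only because of letter case. The field name `Department_Text__c`, the rule name, and the sample records are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class CriteriaRule:
    name: str
    field: str
    values: str       # comma-separated, as entered in the rule criteria
    share_with: str

    def accepted(self):
        return {v.strip() for v in self.values.split(",") if v.strip()}

    def matches(self, record):
        # Text and Text Area criteria are case-sensitive: exact match only.
        return record.get(self.field) in self.accepted()


def audit_case_misses(rule, records):
    """Return (shared_ids, missed); missed maps a record Id to a value that
    differs from an accepted value only by letter case."""
    folded = {v.casefold() for v in rule.accepted()}
    shared, missed = [], {}
    for rec in records:
        value = rec.get(rule.field) or ""
        if rule.matches(rec):
            shared.append(rec["Id"])
        elif value.casefold() in folded:
            missed[rec["Id"]] = value
    return shared, missed


def widened_values(rule, missed):
    """Build the comma-separated value list that also covers the misses."""
    extra = sorted(set(missed.values()) - rule.accepted())
    return ", ".join([rule.values] + extra)


# Constructed sample data (hypothetical export of a custom object).
RULE = CriteriaRule("HR-JobApplications-MarketingManagers",
                    "Department_Text__c", "Marketing", "Marketing Managers")
SAMPLE_RECORDS = [
    {"Id": "a01", "Department_Text__c": "Marketing"},
    {"Id": "a02", "Department_Text__c": "marketing"},
    {"Id": "a03", "Department_Text__c": "MARKETING"},
    {"Id": "a04", "Department_Text__c": "Sales"},
    {"Id": "a05", "Department_Text__c": None},
]

if __name__ == "__main__":
    shared, missed = audit_case_misses(RULE, SAMPLE_RECORDS)
    print("shared:", shared)
    print("missed by case only:", missed)
    print("suggested criteria:", widened_values(RULE, missed))
```

Because sharing rules only open up access, a missed record here means a user silently lacks access they were meant to have; widening the value list never removes access that another rule grants.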

Apex Managed Sharing Rules

Sharing rules of this type are used for complex business requirements (e.g., when a company wants to share records on object A based on the criteria met on object B or when it wants to share the record access with users for a few hours or days). To handle such scenarios, companies should ask Salesforce developers to use Apex or Flow with Process Builder.

Manual Sharing Rules

Sometimes it’s impossible to define a static group of users who need access to a particular set of records. In such situations, record owners can use manual sharing to give read and edit permissions to users who would not have access to the record in any other way. Below, we outline a couple of situations that can lead to manual record sharing:

  • An account owner wants to share a private Account with multiple users to collaborate on a large deal.

  • A sales rep wants to give access to an Account for another sales rep with expertise in a specific industry or area even though this person isn’t responsible for this Account.

To give another user access to a record, a user should meet one of the following requirements:

  • A user should be the record owner.

  • A user should be in a role higher than the record owner.

  • A user should have “full access” permission to the record.

  • A user should be a system administrator.

Best Practices for Sharing Rules in Salesforce

When creating sharing rules in your Salesforce CRM, you should implement the following best practices:

  • Introduce a consistent naming convention for sharing rules. For example, you can use the following sample: <Who has Access>-<Shares>-<Who should see it>.

  • Use the Description box to record the reason why a particular rule exists. This practice will be helpful once a company’s sharing model becomes more complex.

  • Create groups to simplify sharing. This way, companies can create a public group that will include all the users who need the same level of access to data and then add sharing rules to this group.


Choosing the data set that each user or group of users can see in Salesforce CRM is one of the key decisions that affect a company’s data security. When creating a custom Salesforce security model, a company should find the balance between limiting access to data (to reduce the risk of stolen or misused data) and giving users convenient access to it. That is why companies should be well aware of how to use Salesforce sharing rules.
