🕸️ Security · Module 13

Sharing Rules & OWD: The Right Records, Not Just the Right Screens

Profiles decide what a user could see across all records of a type. Sharing decides which specific records they actually see. Learn how the two work together.

4 Units · ~10 min to complete · 80 pts available · 1 Badge: Data Visibility Strategist

Unit 1 · Business Problem

Why record-level sharing matters

Robin Nakamura · RevOps Lead

"We have five regional sales managers. Each one should only see deals in their own region — but our VP of Sales needs full visibility across every region, every rep, all the time."

Object-level permission ("can this user read Opportunities at all?") isn't enough here — the real requirement is row-level: which specific Opportunities can this user see?

💡 Business outcome
Every rep and manager sees exactly the deals relevant to them, while the org's default posture stays the safe, restrictive option — access is expanded deliberately, never leaked by accident.

Unit 2 · How It Works

Anatomy of the sharing model

Three layers combine to decide exactly which records a given user can see:

| Layer | What it sets |
| --- | --- |
| Organization-Wide Default (OWD) | The baseline for an object: PRIVATE, PUBLIC_READ, or PUBLIC_READ_WRITE |
| Role Hierarchy | When enabled on an object, a manager automatically sees every record owned by their direct reports, recursively |
| Sharing Rules | Explicit, criteria-based or manual grants that expand access beyond OWD for specific users or groups |

| OWD Level | Who can read | Who can edit |
| --- | --- | --- |
| Private | Owner only | Owner only |
| Public Read | All org users | Owner only |
| Public Read/Write | All org users | All org users |

⚠️ One-directional by design
Sharing Rules can only expand visibility beyond OWD — they can never restrict it further. If you need tighter default visibility, lower the OWD itself.

This same visibility resolution — SharingService.resolveVisibleOwners() — is reused everywhere: record lists, record detail pages, and Reports. Configure it once, and it's enforced consistently across the entire platform.

Unit 3 · Hands-On Challenge

Set up regional visibility on Opportunity

1. Open Opportunity sharing settings. Object Manager → Opportunity → Sharing tab.
2. Set the OWD. Change it to Private — the safe, restrictive default.
3. Enable Role Hierarchy. Toggle "Use Role Hierarchy" so managers automatically see their reports' deals.
4. Add a Sharing Rule. Criteria: region__c = "West", shared with: West Region Manager, access: Read/Write.
5. Verify as a rep. Log in as a West-region sales rep and confirm you only see West-region Opportunities in your list.
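
The configuration from the steps above, modeled as an added example (this is not the platform's code and not SharingService.resolveVisibleOwners()): it combines the three layers and shows that a rule can only widen access. All class, user and record names are hypothetical, the org chart and Opportunities are constructed, and hierarchy access is assumed to be read-only because the module only says managers "see" their reports' records.

```python
# Added illustration: a minimal model of OWD + role hierarchy + sharing rules.
# Every name below is hypothetical; this is not the platform's SharingService.
RANK = {"NONE": 0, "READ": 1, "READ_WRITE": 2}
# Access each OWD level gives to non-owners (per the OWD table in Unit 2).
OWD_BASELINE = {"PRIVATE": "NONE", "PUBLIC_READ": "READ",
                "PUBLIC_READ_WRITE": "READ_WRITE"}

class SharingModel:
    def __init__(self, owd, use_role_hierarchy, manager_of, rules):
        self.owd = owd
        self.use_role_hierarchy = use_role_hierarchy
        self.manager_of = manager_of   # user -> direct manager
        self.rules = rules             # dicts: field, value, shared_with, access

    def manages(self, user, owner):
        """True if `user` sits anywhere above `owner` (recursive hierarchy)."""
        seen, boss = set(), self.manager_of.get(owner)
        while boss is not None and boss not in seen:   # `seen` guards against cycles
            if boss == user:
                return True
            seen.add(boss)
            boss = self.manager_of.get(boss)
        return False

    def access_for(self, user, record):
        if record["owner"] == user:
            return "READ_WRITE"                        # owners can always read and edit
        grants = [OWD_BASELINE[self.owd]]              # layer 1: OWD baseline
        if self.use_role_hierarchy and self.manages(user, record["owner"]):
            grants.append("READ")                      # layer 2: assumed read-only
        for rule in self.rules:                        # layer 3: rules only add grants
            if rule["shared_with"] == user and record.get(rule["field"]) == rule["value"]:
                grants.append(rule["access"])
        return max(grants, key=RANK.get)               # most permissive grant wins

    def visible(self, user, records):
        return [r["id"] for r in records if self.access_for(user, r) != "NONE"]

# Constructed sample org and data mirroring the Unit 3 configuration.
MANAGER_OF = {"west_rep": "west_mgr", "east_rep": "east_mgr", "west_mgr": "vp_sales",
              "east_mgr": "vp_sales", "overlay_rep": "vp_sales"}
OPPS = [{"id": "opp1", "owner": "west_rep", "region__c": "West"},
        {"id": "opp2", "owner": "east_rep", "region__c": "East"},
        {"id": "opp3", "owner": "overlay_rep", "region__c": "West"}]
WEST_RULE = {"field": "region__c", "value": "West", "shared_with": "west_mgr", "access": "READ_WRITE"}
MODEL = SharingModel("PRIVATE", True, MANAGER_OF, [WEST_RULE])

if __name__ == "__main__":
    print({u: MODEL.visible(u, OPPS) for u in ("west_rep", "west_mgr", "east_mgr", "vp_sales")})
```

In this model opp3 is owned outside the West manager's reporting line, so it reaches that manager only through the sharing rule, while the VP reaches every record through the hierarchy alone.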

Unit 4 · Knowledge Check

Test what you learned

1. If the OWD for Opportunity is Private, can a Sharing Rule make it stricter — say, hiding it even from the owner?
Yes, sharing rules can restrict below OWD
No — sharing rules can only expand access beyond OWD, never restrict it
2. What does resolveVisibleOwners() returning null mean?
The user can see no records at all
The user can see all records β€” no restriction applies
An error occurred resolving visibility