Salesforce - Control Access Records

In this chapter, we will learn about the Control Access Records in Salesforce. Many times, beyond the access restriction for the objects and fields, we also need to restrict access to certain records of an object. This requires setting up of access restriction for a user based on the values in the records.

Record Ownership

A unique feature of Salesforce is the ownership of every stored record. Every record in every object has a field which marks the ownership of that record. A user who needs access to this record becomes part of the profile which is same as the profile of the owner of that record.

Restriction Mechanism

Access is granted at multiple levels like Object, Field and Records. Conflicts might come up between the access levels. There may be a read access on a record but the object containing it might not have read access for a user. In such case, the access type which is more restrictive (gives less access) will be applied. So a record without access permission will remain inaccessible even when the object containing it is accessible and an Object without access permissions will remain inaccessible even when it has some records to which the user has read access.

Record Sharing Mechanism

The Saleforce platform provides four distinct mechanisms to share the records of an object with the users.

  • Organization-wide defaults
  • Manual sharing
  • Role hierarchies
  • Sharing rules

Organization-wide defaults

In this mechanism, a minimal access level is created and granted to all the users. So every user who is part of the organization, gets access to these records. Then, the access for additional records is customized by clubbing the users into role hierarchies, sharing rules and also through manual sharing with each of the user.

There are four types of sharing models which implement the organization-wide default settings.

Sr.No Settings & Result

Public Read/Write

All users can view, edit, and report on all records.


Public Read Only

All users can view and report on records but not edit them. Only the owner, and users above that role in the hierarchy, can edit those records.



Only the record owner, and users above that role in the hierarchy, can view, edit, and report on those records.


Controlled by Parent

A user can perform an action (such as view, edit, or delete) on a contact based on whether he or she can perform that same action on the record associated with it.

Manual Sharing

In this access model, the record owners give the read and edit permissions to specific users. So it is a manual process in which individual or group of records are handled by the record owners. This is to be done for each user profile that needs the access.

In our subsequent chapters, we will discuss role hierarchies and sharing rules.