Salesforce record sharing is a layered system. Each layer can only open access wider — never restrict it below the previous layer. Understanding this "open-up-only" model makes the whole thing click.
Layer 1: Org-Wide Defaults (OWD)
OWD sets the baseline access for every object. If a user has no other sharing relationship to a record, OWD defines what they can do.
- Private — Only the record owner (and users above them in the role hierarchy) can see it
- Public Read Only — Everyone can see; only owner and above can edit
- Public Read/Write — Everyone can see and edit
- Public Read/Write/Transfer — Everyone can change record ownership (Leads and Cases only)
Start restrictive. Set OWD to Private and open up selectively using the layers below. Never set OWD to Public Read/Write if you later need row-level security — retrofitting it is painful.
Layer 2: Role Hierarchy
Users in a higher role automatically inherit the access of users below them. A VP of Sales sees all Opportunities owned by all Sales Reps in lower roles — without any extra configuration.
The hierarchy is about data visibility, not org chart management. Design it around who needs to see whose records, not who reports to whom.
Layer 3: Sharing Rules
Sharing rules open access to users who aren't in a sharing relationship via the hierarchy. Two types:
- Owner-based — Share records owned by role/group X with role/group Y
- Criteria-based — Share records where field = value (e.g., Region = "EMEA") with a group
Criteria-based sharing rules are underused. They're ideal for territory-style access without setting up the full Territory Management module.
Layer 4: Manual Sharing
Any record owner can manually share a specific record with a user or group. It is ad-hoc and user-driven. Salesforce is gradually deprecating the Share button in Lightning, so do not design processes that depend on users doing manual sharing.
Layer 5: Apex Managed Sharing
When none of the declarative tools can express the sharing logic you need, write it in Apex. Insert share records (AccountShare, OpportunityShare, and so on) directly. You own the logic — and therefore the maintenance.
Use Apex sharing only when criteria-based sharing rules cannot express what you need. It adds technical debt in proportion to its flexibility.
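As an added illustration of Layer 5 (example code, not from the original page): an Apex class that grants a public group read access to Opportunities in one region and revokes only the rows it created when a record leaves that region. The custom field Region__c, the group Id passed in, and the class name are assumptions for the example.

```apex
// Added example: Apex managed sharing for a standard object (Opportunity).
// Assumes a custom text field Opportunity.Region__c and a public group whose Id
// the caller passes in (both assumptions for this example).
public with sharing class OpportunityRegionSharing {

    // Open read access on every Opportunity in regionValue to the group.
    // The running user must be allowed to share the record (owner, above the
    // owner in the role hierarchy, or Modify All), otherwise the insert fails.
    public static List<Database.SaveResult> shareRegion(List<Opportunity> opps,
                                                        String regionValue,
                                                        Id groupId) {
        List<OpportunityShare> shares = new List<OpportunityShare>();
        for (Opportunity opp : opps) {
            if (opp.Region__c != regionValue) {
                continue; // Out of scope: leave existing access untouched.
            }
            OpportunityShare share = new OpportunityShare();
            share.OpportunityId = opp.Id;
            share.UserOrGroupId = groupId;
            share.OpportunityAccessLevel = 'Read'; // Open up only as far as needed.
            // Standard objects accept only the Manual row cause from Apex;
            // custom sharing reasons exist for custom objects only.
            share.RowCause = 'Manual';
            shares.add(share);
        }
        // allOrNone = false: one bad row (e.g. a deleted group) must not roll back the batch.
        List<Database.SaveResult> results = Database.insert(shares, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                System.debug(LoggingLevel.ERROR, 'Share failed for '
                    + shares[i].OpportunityId + ': '
                    + results[i].getErrors()[0].getMessage());
            }
        }
        return results;
    }

    // Revoke the group's access for records that left the region. Only rows this
    // class created (RowCause = Manual, this group) are deleted; owner, hierarchy
    // and sharing-rule access is never touched.
    public static void revokeRegion(Set<Id> oppIds, Id groupId) {
        delete [SELECT Id FROM OpportunityShare
                WHERE OpportunityId IN :oppIds
                  AND UserOrGroupId = :groupId
                  AND RowCause = 'Manual'];
    }
}
```

Call shareRegion and revokeRegion from an after insert/after update trigger on Opportunity, comparing Trigger.old and Trigger.new to decide which records entered or left the region.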
Sharing Recalculation
When you change OWD or sharing rules on a large org, Salesforce queues a sharing recalculation job. On orgs with millions of records, this can take hours. Plan changes outside business hours and monitor System Jobs.