Salesforce Developer Data Security Orgwide Access

TODO: Create a separate page for each specific instruction and link to them.
TODO: Print: https://help.salesforce.com/apex/HTViewHelpDoc?id=security_sharing_considerations.htm&language=en_US
TODO: Print: https://help.salesforce.com/articleView?id=security_sharing_owd_default_settings.htm&language=en_US&type=0

// Salesforce - Developer - Data Security - Organization-wide defaults:

Organization-wide defaults specify the baseline level of access that the most 
restricted user should have. You can use organization-wide defaults to lock 
down your data to this most restrictive level, and then use the other 
record-level security and sharing tools (role hierarchies, sharing rules, 
and manual sharing) to open up the data to other users who need to access it.

Organization-wide sharing settings specify the default level of access to 
records and can be set separately for each type of standard or custom object. 
Object permissions determine the baseline level of access for all records of an 
object. Organization-wide defaults modify those permissions for records users 
don't own. Organization-wide defaults can never grant users more access than 
they have through their object permissions.

To determine the organization-wide defaults you need for your app, you need to 
answer the following questions for each object.

1. Who is the most restricted user of this object?

2. Is there ever going to be an instance of this object that this user 
   shouldn't be allowed to see?

3. Is there ever going to be an instance of this object that this user 
   shouldn't be allowed to edit?

See http://bit.ly/2hGdmme (a diagram to help determine appropriate org-wide 
default permissions for a particular object / table).

Based on your answers to these questions, you can set the sharing model for 
that object to one of these settings:

1. Private: Only the record owner, and users above that role in the hierarchy, 
   can view, edit, and report on those records.

2. Public Read Only: All users can view and report on records but not edit them. 
   Only the owner, and users above that role in the hierarchy, can edit those 
   records.

3. Public Read/Write: All users can view, edit, and report on all records.

4. Controlled by Parent: A user can perform an action (such as view, edit, or 
   delete) on a contact based on whether he or she can perform that same action 
   on the record associated with it.

In environments where the organization-wide sharing setting for an object is 
Private or Public Read Only, an administrator can grant users additional access 
to records by setting up a role hierarchy or defining sharing rules. However, 
sharing rules can only be used to grant additional access—they cannot be used to 
restrict access to records beyond what was originally specified with the 
organization-wide sharing defaults.

We cannot set the organization-wide defaults for the Review object. The reason 
is that the object is on the detail side of a master-detail relationship, and a 
detail record automatically inherits the sharing setting of its parent. So in 
our app, the Review object is automatically set to Private.

To define organization-wide sharing defaults for an object / table:

1. From Setup, enter Sharing Settings in the Quick Find box, then select 
   Sharing Settings.

2. Click Edit in the Organization-Wide Defaults area.

   Changing organization-wide sharing defaults causes all sharing rules to be 
   recalculated. This can require significant system resources and time, 
   depending on the amount of data in your organization.

   Some standard objects use different org-wide default options.

   Custom object org-wide sharing default options include Private, Public Read 
   Only, or Public Read/Write.

3. For each object, select the default access you want to use.

4. To disable automatic access using your hierarchies, uncheck the 
   "Grant Access Using Hierarchies" check box next to the corresponding 
   custom object or table that does not have a default access of 
   Controlled by Parent.

By default, Salesforce uses hierarchies, like a role hierarchy, to automatically 
grant access to records to users above the record owner in the hierarchy. 
Setting an object to Private makes those records visible only to record owners 
and those above them in the role hierarchy. Use the Grant Access Using 
Hierarchies checkbox to disable record access for users above the record 
owner in the hierarchy for custom objects. If you deselect this checkbox for a 
custom object, only the record owner and users granted access by the 
organization-wide defaults receive access to the records.

If Grant Access Using Hierarchies is deselected, users that are higher in the 
role hierarchy don’t receive automatic access. However, some users—such as 
those with the “View All” and “Modify All” object permissions and the 
“View All Data” and “Modify All Data” system permissions—can still access 
records they don’t own.
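
The rules above combine in a fixed order, which a small model makes easier to 
check. The following is an added example, not code from Salesforce or from the 
original page: a simplified Python model of how object permissions, the 
org-wide default, Grant Access Using Hierarchies, View All / Modify All, and 
sharing grants determine access to a single record of a custom object. The User 
class, its reports_to link (standing in for the role hierarchy), and the shares 
mapping are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    EDIT = 2

# Baseline access each custom-object org-wide default gives to non-owners.
OWD = {"Private": Access.NONE,
       "Public Read Only": Access.READ,
       "Public Read/Write": Access.EDIT}

@dataclass(eq=False)
class User:                               # hypothetical model class
    name: str
    reports_to: "User | None" = None      # simplified role hierarchy (assumption)
    obj_read: bool = True                 # "Read" object permission
    obj_edit: bool = True                 # "Edit" object permission
    view_all: bool = False                # "View All" or "View All Data"
    modify_all: bool = False              # "Modify All" or "Modify All Data"

def is_above(user, owner):
    """True if `user` sits above `owner` in the role hierarchy."""
    node = owner.reports_to
    while node is not None:
        if node is user:
            return True
        node = node.reports_to
    return False

def effective_access(user, owner, owd, grant_using_hierarchies=True, shares=None):
    """Access `user` gets to one record owned by `owner` (simplified model)."""
    shares = shares or {}                 # user name -> Access from sharing rules
    # Object permissions are the ceiling; sharing can never exceed them.
    ceiling = (Access.EDIT if user.obj_edit or user.modify_all
               else Access.READ if user.obj_read or user.view_all else Access.NONE)
    granted = OWD[owd]                    # org-wide baseline for non-owners
    if user is owner or (grant_using_hierarchies and is_above(user, owner)):
        granted = Access.EDIT             # owner and users above the owner
    if user.view_all:
        granted = max(granted, Access.READ)   # read access regardless of sharing
    if user.modify_all:
        granted = Access.EDIT                 # full access regardless of sharing
    # Sharing rules and manual shares only widen access, never narrow it.
    granted = max(granted, shares.get(user.name, Access.NONE))
    return min(granted, ceiling)
```

With a Private default and grant_using_hierarchies=False, a user above the 
owner gets Access.NONE, while a user with view_all still gets Access.READ.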

Updating the organization-wide defaults automatically runs sharing recalculation 
to apply any access changes to your records. You’ll receive a notification 
email when the recalculation completes and you can refresh the Sharing Settings 
page to see your changes. To view the update status, from Setup, enter View 
Setup Audit Trail in the Quick Find box, then select View Setup Audit Trail.

Once you’ve locked down your data with organization-wide defaults, the 
resulting settings might be too restrictive for some users. You can then use 
the remaining record-level security controls (role hierarchies, sharing rules, 
and manual sharing) to open up record access selectively to specific employees 
who'll need it.

Apex managed sharing allows developers to programmatically share records 
associated with custom objects. When you use Apex managed sharing for any custom 
object, only users with the “Modify All Data” permission can add or change the 
sharing on that custom object's records, and the sharing access is maintained 
across record owner changes. For more information, see http://sforce.co/2hxxzYx