
Design record-level security for a new Salesforce object

Start with the most restrictive baseline, then layer the sharing mechanisms that grant exactly the access each user role needs.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 26, 2026

  1. Set the Org-Wide Default

    In Setup, open Sharing Settings and set the new object's OWD to Private. By default, this locks each record to its owner only.

  2. Confirm role hierarchy use

    On the same screen, confirm Grant Access Using Hierarchies is checked. Managers will automatically see records owned by reps below them in the role tree.

  3. Create sharing rules for cross-team access

    In the Sharing Rules section, create a criteria-based rule that shares records with a public group based on a field value (for example, records where Region equals EMEA are shared with the EMEA Reps group).

  4. Add team functionality if needed

    For objects with collaborative deal cycles, enable Account Teams or Opportunity Teams. Train users to add team members when they need additional collaborators.

  5. Document Apex Sharing requirements

    For cases declarative tools cannot express, document the requirement and have a developer implement an Apex Sharing trigger. Test thoroughly in a sandbox.

  6. Audit before go-live

    Run the Sharing Settings audit. As a non-admin test user, verify you see exactly the records expected and nothing more.

Key options
Org-Wide Default

Baseline: Private, Public Read, Public Read/Write, Controlled by Parent.

Role Hierarchy

Automatic upward access grant based on the user role tree.

Sharing Rules

Bulk-grant mechanism based on criteria or ownership.

Manual Sharing

User-driven one-off share on an individual record.

Teams

Per-record collaborator lists on Account, Opportunity, Case.

Territory Management

Multi-membership geographic or segment-based sharing.

Apex Sharing

Programmatic ObjectShare records for cases declarative tools cannot express.

Gotchas
  • Public Read/Write at the OWD level overrides every other share mechanism. Once an object is public, sharing rules and teams add nothing; revert to Private first if you need fine-grained control.
  • View All Data and Modify All Data system permissions bypass record-level security entirely. Users holding them see everything regardless of OWD and sharing rules.
  • Sharing rule recalculation can take hours on large orgs. Bulk owner changes or sharing rule edits should be scheduled outside business hours.
  • Apex Sharing requires the object's OWD to be Private or Public Read. Public Read/Write does not need it and rejects it; if you wrote an Apex sharing trigger and then changed OWD to Public, the trigger fails.
