Concrete scenario: an Opportunity has a Deal Lead (full edit), a Deal Lawyer (read only — they need context but shouldn't change financials), and a Deal Sponsor (read/write on selected fields). All three should see the record; their write access should differ.
The approach combines several Salesforce features:
- Opportunity Team Members — the standard team mechanism on Opportunity. You add members with Opportunity Access of Read or Read/Write. This handles the simple Read vs Read/Write split for Deal Lead and Deal Sponsor.
- Field-Level Security via Permission Set — to give the Lawyer read-only on the record but block edit on financial fields specifically, you'd put the Lawyer on a permission set with Read-only FLS on Amount, Discount, Close Date. The Opportunity Team grants record access; the FLS gates which fields they can edit.
- Field-Level Security tightened on the Sponsor's profile/permission set — same principle but with edit access only on the fields the Sponsor should change.
- Apex Managed Sharing or Sharing Set for objects that don't support Teams. If the scenario were on a custom object (which has no Team mechanism), you'd use Apex Managed Sharing with a RowCause per role (DealLawyer__c, DealSponsor__c).
- Custom Lookup fields for clarity — Deal_Lawyer__c and Deal_Sponsor__c lookup fields on Opportunity, with a flow that updates the Opportunity Team membership when these change.
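As an added example (not code from the original answer), this is what the Apex Managed Sharing bullet looks like for a hypothetical custom object Deal__c. It assumes two User lookup fields, Deal_Lawyer__c and Deal_Sponsor__c, and two Apex sharing reasons, DealLawyer__c and DealSponsor__c, created on Deal__c in Setup; all of those names are assumptions for the example.

```apex
// Added example, not the original answer's code. Assumes a custom object Deal__c with
// User lookups Deal_Lawyer__c and Deal_Sponsor__c, and Apex sharing reasons
// DealLawyer__c and DealSponsor__c defined on Deal__c (Apex Sharing Reasons in Setup).
//
// Trigger (file DealSharing.trigger): fire whenever the role lookups may have changed.
trigger DealSharing on Deal__c (after insert, after update) {
    DealRoleSharing.syncShares(Trigger.new, Trigger.oldMap);
}

// Handler (file DealRoleSharing.cls). 'without sharing' is deliberate and narrow: this
// class only maintains Deal__Share rows and must be able to see and delete rows the
// running user could not otherwise touch. Keep nothing else in it.
public without sharing class DealRoleSharing {

    // Each role maps to one RowCause and one access level. Lawyer: context only, no edits.
    // Sponsor: Edit on the record; which fields they may change is then limited by FLS.
    private static final Map<String, String> ACCESS_BY_ROWCAUSE = new Map<String, String>{
        Schema.Deal__Share.RowCause.DealLawyer__c  => 'Read',
        Schema.Deal__Share.RowCause.DealSponsor__c => 'Edit'
    };

    public static void syncShares(List<Deal__c> deals, Map<Id, Deal__c> oldMap) {
        // Only touch deals whose role assignment (or owner) actually changed.
        Set<Id> changed = new Set<Id>();
        for (Deal__c d : deals) {
            Deal__c prior = (oldMap == null) ? null : oldMap.get(d.Id);
            if (prior == null
                || prior.Deal_Lawyer__c != d.Deal_Lawyer__c
                || prior.Deal_Sponsor__c != d.Deal_Sponsor__c
                || prior.OwnerId != d.OwnerId) {
                changed.add(d.Id);
            }
        }
        if (changed.isEmpty()) { return; }

        // Revoke first: delete only rows carrying our two RowCauses, so manual shares and
        // sharing-rule shares on the same record are left alone. Skipping this step is the
        // classic bug: the previous lawyer keeps Read access forever.
        delete [SELECT Id FROM Deal__Share
                WHERE ParentId IN :changed
                  AND RowCause IN :ACCESS_BY_ROWCAUSE.keySet()];

        // Re-grant from the current lookup values.
        List<Deal__Share> shares = new List<Deal__Share>();
        for (Deal__c d : deals) {
            if (!changed.contains(d.Id)) { continue; }
            addShare(shares, d, d.Deal_Lawyer__c,  Schema.Deal__Share.RowCause.DealLawyer__c);
            addShare(shares, d, d.Deal_Sponsor__c, Schema.Deal__Share.RowCause.DealSponsor__c);
        }
        // Plain (all-or-none) insert: a failed grant throws a DmlException and rolls the
        // trigger back instead of leaving the record silently unshared to one of its roles.
        if (!shares.isEmpty()) { insert shares; }
    }

    private static void addShare(List<Deal__Share> shares, Deal__c d, Id userId, String rowCause) {
        // The owner already has full access, so no row is needed (and a share row for the
        // owner is rejected on insert).
        if (userId == null || userId == d.OwnerId) { return; }
        shares.add(new Deal__Share(
            ParentId      = d.Id,
            UserOrGroupId = userId,
            AccessLevel   = ACCESS_BY_ROWCAUSE.get(rowCause),
            RowCause      = rowCause));
    }
}
```

Two points worth checking when adapting this. Apex sharing reasons exist only on custom objects; on standard objects such as Opportunity the share table's RowCause is limited to the platform's own values, which is why the answer above uses Opportunity Teams there. And Salesforce documents that only users with Modify All Data can add or change Apex managed sharing outside a trigger, so keeping the maintenance in the trigger (system context) avoids tying record access to whichever end user happened to edit the lookup.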
What you don't do:
- Try to express role-specific access purely through Sharing Rules. Sharing rules grant access to a group, not to a function on a record. They can't say "this user is the Lawyer for this specific deal".
- Try to use Profiles for the differentiation. Profile permissions are blanket — they apply to every record. The differentiation has to live at the record-and-relationship level.
The clean answer is: Teams or Apex Managed Sharing for record-level access by role, plus FLS via permission sets to differentiate field-level edit rights. One caveat to keep in mind: FLS is per user across all records, not per record, so a user who is the Lawyer on one deal and the Sponsor on another can't be given different field rights on each; the record-level access differs, the field rights don't.
