Salesforce has two separate organization-wide default (OWD) columns per object once Communities/Experience Cloud is enabled:
- Internal Default Access — applies to standard internal users in the org.
- External Default Access — applies to community/Experience Cloud users (Customer Community, Partner Community, etc.).
The external default is always equal to or more restrictive than the internal default. You cannot make external access more open than internal — Salesforce enforces this rule to prevent accidental data exposure.
Common patterns:
- Internal: Public Read/Write. External: Private. (Internal users see everything; partners see only what they own or what's been deliberately shared.)
- Internal: Private. External: Private. (Both restricted, e.g., for HR or sensitive case data.)
How external users gain access beyond their OWD floor:
- Sharing Sets — for High-Volume Portal Users (HVPU). A sharing set says "give external users access to records where the external user's Account matches the record's Account/Contact field". Sharing sets replace sharing rules for HVPU, since these users don't appear in the role hierarchy.
- Share Groups — extension of Sharing Sets that lets internal users access records that have been shared via a Sharing Set.
- Manual Sharing or Apex Managed Sharing — same as internal users, just applied to the external user/community group.
- Sharing Rules — work for external users in roles, but external "high volume" users (the licence type designed for community scale) don't have roles, so sharing rules don't apply to them.
Common mistake: enabling Communities, leaving the external OWD at the default Private, and then being surprised customers can't see anything. The fix is configuring the right Sharing Sets per Community user type, not loosening the OWD.
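An added example (not Salesforce's or this page's own code) that lints object metadata in a source-controlled project against the internal/external rule above and flags any external default loosened beyond Private. It assumes the Metadata API `CustomObject` elements `sharingModel` and `externalSharingModel`; the sample XML, the object names and the OK/REVIEW/ERROR/INFO labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Comparable SharingModel values, most restrictive first.
RANK = {"Private": 0, "Read": 1, "ReadWrite": 2, "ReadWriteTransfer": 3, "FullAccess": 4}


def audit_owd(xml_text):
    """Classify one object's internal/external OWD pair as (label, detail)."""
    root = ET.fromstring(xml_text)
    internal = root.findtext("md:sharingModel", namespaces=NS)
    external = root.findtext("md:externalSharingModel", namespaces=NS)
    if external is None:
        return ("INFO", "externalSharingModel not declared in source")
    if internal not in RANK or external not in RANK:
        # e.g. ControlledByParent: access is inherited, so there is no rank to compare
        return ("INFO", f"not comparable: internal={internal}, external={external}")
    if RANK[external] > RANK[internal]:
        return ("ERROR", f"external {external} is more open than internal {internal}")
    if external != "Private":
        return ("REVIEW", f"external users get {external} on every record by default")
    return ("OK", f"internal={internal}, external=Private")


def sample(internal, external=None):
    """Build a constructed CustomObject metadata document for the demo."""
    ext = f"<externalSharingModel>{external}</externalSharingModel>" if external else ""
    return (f'<CustomObject xmlns="{NS["md"]}">{ext}'
            f"<sharingModel>{internal}</sharingModel></CustomObject>")


# Constructed sample objects (hypothetical names), not taken from any real org.
SAMPLES = {
    "Invoice__c": sample("ReadWrite", "Private"),
    "Ticket__c": sample("ReadWrite", "Read"),
    "Payroll__c": sample("Private", "ReadWrite"),
    "InvoiceLine__c": sample("ControlledByParent", "ControlledByParent"),
    "Legacy__c": sample("Private"),
}


def audit_all(samples):
    return {name: audit_owd(xml) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, (label, detail) in audit_all(SAMPLES).items():
        print(f"{label:6} {name}: {detail}")
```

A REVIEW result is not necessarily wrong; it marks objects where the external floor was raised instead of granting access through sharing sets, which is the case the paragraph above warns about.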
