Salesforce evaluates record access in layers. Each layer can only open up access — the model is additive once you set the floor.
- Org-Wide Defaults (OWD) — set the floor. Per object you choose Public Read/Write, Public Read Only, Private, or Controlled by Parent. Private locks records to the owner; everyone else needs a higher layer to see them.
- Role Hierarchy — managers automatically see and edit records owned by users beneath them in the hierarchy, if the object has Grant Access Using Hierarchies enabled (the default for most standard objects, optional for custom).
- Sharing Rules — declarative criteria-based or owner-based rules that grant Read or Read/Write to a Public Group, Role, or Role-and-Subordinates. Usually the workhorse for cross-team access.
- Manual Sharing — a record owner or anyone with Modify All can click Share and grant access to one specific user or group. Used for one-offs.
- Apex Managed Sharing — programmatic sharing via the SharingRule and __Share objects. Use when business rules can't be expressed declaratively.
- Implicit Sharing — invisible Salesforce-managed sharing, most often between Account and its child Contacts/Opportunities/Cases — if you can see the parent Account, you can usually see its children.
For Cases and other objects that support it, Teams (Account Team, Opportunity Team, Case Team) and Territory Management also grant access. Permissions like View All and Modify All override the entire sharing model for that object — granting one of these via a permission set effectively bypasses sharing.