Sharing Model
The sharing model defines how record-level privileges are granted to users who do notown the record. Configuring the sharing model is a two-part process. Organization-wide
defaults are used to establish the most restrictive level of access for each object. Sharing
reasons override the defaults to grant access to individual records.
Organization-Wide Defaults
Every object that allows record ownership has an organization-wide default setting dictating
how records are shared between the owner and other users. Custom objects have
several default settings:
Private: Records belong to the owner and only the owner.With the exception of
the data administration-level privileges View All and Modify All, records are accessible
only to their owners.
Public Read-Only: Any user can view records in this object but cannot edit or
delete them. Only the owner and users with administrative privileges have rights to
edit and delete.
Public Read/Write: Any user can view, edit, and delete records in this object. All
newly created custom objects default to this setting.
Controlled by Parent: This option is available only to child objects in Lookup
relationships. It delegates record-sharing decisions to the parent record.The child
records behave as if they lack an owner. Objects with this default setting have the
same record-sharing behavior as children in a Master-Detail relationship.
When setting organization-wide defaults, begin with the user to receive the minimum
access to data. Set the organization-wide default settings with this user in mind. All users
then have at least this level of access to records.
To configure organization-wide defaults, click Setup. In the Administration Setup area,
click Security Controls -->Sharing Settings.
The rightmost column of check boxes called Grant Access Using Hierarchies determines
whether the role hierarchy is used on this object to propagate permissions upward
to superior roles. By default, this behavior is enabled. Disabling it causes roles to function
like public groups. Record permissions are shared only between a pair of roles, never
aggregated up the role hierarchy.
No comments:
Post a Comment