Sometimes you need to restrict access within Salesforce for certain users or roles. Unfortunately, if you are using the default sharing settings, this is not possible, as sharing rules can only grant access, not restrict it.
The best solution is to do the following:
- Create a public group that includes all roles except for the one(s) with restricted access.
  Role Hierarchy (screenshot):
  New Public Group (screenshot):
- Create sharing rules that mirror the existing Organization Wide Defaults.
  Current defaults (screenshot):
  New rules (screenshot):
  The first rule gives Everyone (Excluding Consultants) Read/Write access to the Sales Consultants’ accounts and opportunities. The Management and Administrative roles will have read/write/transfer access through the role hierarchy.
  The second rule recreates the existing org wide default sharing, but only for the Everyone (Excluding Consultants) group.
- Change the org wide defaults for account and opportunity to Private (make sure to do this step last).
- Repeat for other objects as needed (the process may vary slightly). If you understand the role hierarchy, this should be pretty straightforward.
When you add new roles to your organization, make sure to add them to your public group, or their users will only be able to view their own accounts!
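The setup above has one failure mode the last sentence calls out: a role created later and never added to the public group is silently locked down to its own records once the OWD is Private. The anonymous Apex below is an added audit script, not part of the original post, that lists roles missing from the group (expanding "Role and Subordinates" members through the role tree) and then spot-checks effective access with UserRecordAccess. The group API name Everyone_Excluding_Consultants and the role name 'Sales Consultant' are assumptions; change them to match your org. UserRole, Group, GroupMember and UserRecordAccess are standard objects.

```apex
// Anonymous Apex (Developer Console > Execute Anonymous). Audits the public-group /
// private-OWD pattern described above. Names below are assumptions, not from the post.
String groupDevName = 'Everyone_Excluding_Consultants';              // assumed group API name
Set<String> restrictedRoles = new Set<String>{ 'Sales Consultant' };  // assumed restricted role

// 1. Resolve the public group and collect its direct members (users, roles, other groups).
Group pg = [SELECT Id, Name FROM Group
            WHERE DeveloperName = :groupDevName AND Type = 'Regular' LIMIT 1];
Set<Id> memberIds = new Set<Id>();
for (GroupMember gm : [SELECT UserOrGroupId FROM GroupMember WHERE GroupId = :pg.Id]) {
    memberIds.add(gm.UserOrGroupId);
}

// 2. Build a parent -> children map of the role hierarchy so that a
//    "Role and Subordinates" member expands to every role beneath it.
Map<Id, UserRole> roles = new Map<Id, UserRole>([SELECT Id, Name, ParentRoleId FROM UserRole]);
Map<Id, List<Id>> children = new Map<Id, List<Id>>();
for (UserRole r : roles.values()) {
    if (r.ParentRoleId != null) {
        if (!children.containsKey(r.ParentRoleId)) children.put(r.ParentRoleId, new List<Id>());
        children.get(r.ParentRoleId).add(r.Id);
    }
}

// Roles are stored in Group as rows of Type 'Role' / 'RoleAndSubordinates' whose
// RelatedId is the UserRole Id. Walk each such member down the tree.
Set<Id> covered = new Set<Id>();
for (Group g : [SELECT Type, RelatedId FROM Group
                WHERE Id IN :memberIds
                  AND Type IN ('Role', 'RoleAndSubordinates', 'RoleAndSubordinatesInternal')]) {
    List<Id> stack = new List<Id>{ g.RelatedId };
    while (!stack.isEmpty()) {
        Id cur = stack.remove(stack.size() - 1);
        if (cur == null || covered.contains(cur)) continue;
        covered.add(cur);
        // Only the "and subordinates" variants pull in child roles.
        if (g.Type != 'Role' && children.containsKey(cur)) stack.addAll(children.get(cur));
    }
}

// 3. Report roles that are neither intentionally restricted nor in the group.
List<String> missing = new List<String>();
for (UserRole r : roles.values()) {
    if (!covered.contains(r.Id) && !restrictedRoles.contains(r.Name)) missing.add(r.Name);
}
System.debug('Roles missing from "' + pg.Name + '": ' + missing);

// 4. Spot-check effective access: with the OWD Private, one consultant must not be able
//    to read or edit an account owned by another consultant. Uses whatever two active
//    consultant users exist in the org (assumed test data).
List<User> consultants = [SELECT Id, Name FROM User
                          WHERE IsActive = true AND UserRole.Name IN :restrictedRoles LIMIT 2];
if (consultants.size() == 2) {
    List<Account> owned = [SELECT Id FROM Account WHERE OwnerId = :consultants[1].Id LIMIT 1];
    if (!owned.isEmpty()) {
        UserRecordAccess ura = [SELECT RecordId, HasReadAccess, HasEditAccess
                                FROM UserRecordAccess
                                WHERE UserId = :consultants[0].Id AND RecordId = :owned[0].Id];
        System.debug(consultants[0].Name + ' on account owned by ' + consultants[1].Name
                     + ': read=' + ura.HasReadAccess + ' edit=' + ura.HasEditAccess
                     + ' (expected false/false)');
    } else {
        System.debug('No account owned by ' + consultants[1].Name + '; skipping access check.');
    }
}
```

Run it after the OWD change and again whenever roles are added; an empty "missing" list and a false/false access result are the expected outcome. The same UserRecordAccess query, pointed at a user in a non-restricted role, confirms that the first sharing rule is actually granting the Read/Write access the post describes.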



Hi there,
In one situation, a new user – John Krohn – should be given access to Lead Records where County = Northern Region AND Lead Owner = Maya Sheritt.
Note that I am trying to fulfill 2 goals:
a) John Krohn gets access to those LEAD Records where he is not the Lead Owner. Is that possible?
b) John Krohn should also get access to those leads where he is not the LEAD OWNER *AND* where the County = Northern Region.
Is this possible using Sharing Rules?
Thanks
Sharing rules can accomplish sharing via record owner, so issue A is no problem.
For issue B, sharing rules would not work. I haven’t personally implemented it, but I believe territory management is precisely what you’re looking for.
Cheers,
John
Is there a way to find out if a standard user has saved some reports to their personal folder? I know even a system admin will not be able to know, but I just wanted to see if there’s any trick to find out.