in implementation guides ~ read.
Salesforce Sharing Users Tipsheet

Salesforce Sharing Users Tipsheet

DOWNLOAD

First things first !
To download this implementation guide, click the download button below.
If you need more information about the implementation guide, you can read the Table of Contents below.

Download

UNDERSTANDING USER SHARING

Summary
User Sharing controls access
to user records You can use
the View All Users
permission to grant a user
Read access to all user
records regardless of the
sharing settings System
administrators and users
with the Manage Users
permission automatically get
the View All Users
permission with User
Sharing

What is User Sharing
Note User Sharing is automatically available in new organizations in Winter Existing
organizations can contact Salesforce to enable this feature
User Sharing enables you to show or hide an internal or external user from another user in your organization
With User Sharing you can
Assign the View All Users permission to users who need to see or interact with all users This permission
is automatically enabled for users who have the Manage Users permission
Set the organizationwide default for user records to Private or Public Read Only
Create user sharing rules based on group membership or other criteria such as username and whether
a user is active
Create manual shares to grant access to individual users or groups
Control the visibility of external users in customer or partner portals and communities

Understanding User Sharing
Review these considerations before you implement user sharing
Granting access to a user record makes the users detail page visible to others It also makes the user visible
in lookups list views search and so on
View All Users permission
This permission can be assigned to users who need Read access to all users regardless of the sharing
settings If you already have the Manage Users permission youre automatically granted the View
All Users permission
Organizationwide defaults for user records
This setting defaults to Private for external users and Public Read Only for internal users When the
default access is set to Private users can only read and edit their own user record Users with
subordinates in the role hierarchy maintain read access to the user records of those subordinates
User sharing rules
General sharing rule considerations apply to user sharing rules User sharing rules are based on
membership to a public group role or territory Each sharing rule shares members of a source group
with those of the target group You must create the appropriate public groups roles or territories
before creating your sharing rules Users inherit the same access as users below them in the role
hierarchy
Manual sharing for user records
Manual sharing can grant read or edit access on an individual user but only if the access is greater
than the default access for the target user Users inherit the same access as users below them in the
role hierarchy Apex managed sharing isnt supported

Last updated February

Understanding User Sharing

Understanding User Sharing

User sharing for external users
Users with the Manage External Users permission have access to external user records for Partner
Relationship Management Customer Service and Customer SelfService portal users regardless of
sharing rules or organizationwide default settings for User records The Manage External Users
permission doesnt grant access to guest or Chatter External users
Highvolume Experience Cloud site users and Chatter users
Only users with roles can be included in sharing rules For this reason the user records of highvolume
users Chatter External and Chatter Free users cant be included in sharing rules and these users cant
be granted access to user records via a sharing rule
Automated Process and License Manager users
Some special users created for org or app maintenance such as Automated Process and License
Manager users cant be included in any sharing rules including user sharing rules
User sharing compatibility
When the organizationwide default for the user object is set to Private user sharing doesnt fully
support these features
Chatter Messenger isnt available for external users Its available for internal users only when the
organizationwide default for the user object is set to Public Read Only

Salesforce CRM ContentA user who can create libraries can see users they dont have access

to when adding library members
Standard Report TypesIf the organizationwide default for the user object is Private and the
Standard Report Visibility checkbox is selected a person viewing the report can see the names of
users that are listed in the report To see details such as username and email address the viewer
must have access to the users For more information on user sharing with standard and custom
report types and Public and Private organizationwide defaults see Control Standard Report
Visibility
User sharing in Chatter
In Chatter there are exceptions where users who arent shared can still see and interact with each
other For example regardless of user sharing in a public Chatter group everyone with access to the
group can see all posts They can also see the names of the users who post and mention users who
commented on a post
For example you set up user sharing so Mary and Bob cant see or interact with each other Mary posts
on a public Chatter group She cant mention Bob because user sharing prevents Bobs name from
showing up in the mention dropdown list However Bob can see Marys post and he comments on
her post Now Mary can actually mention Bob in her next comment on her post
There are also exceptions where users who arent shared can still see each other in the mention
dropdown list For example Sue has interacted with Edgar in Chatter by liking or commenting on
his post or mentioning him Then you set up user sharing so Sue cant see Edgar Sue posts on a
public Chatter group She can mention Edgar because due to their previous interaction his name
shows up on the mention dropdown list However if Sue clicks the Edgar mention she gets an error
because due to user sharing she cant see him

Understanding User Sharing

OrganizationWide Defaults for User Records

OrganizationWide Defaults for User Records
Tip

For user records you can set the organizationwide sharing default to Private or Public Read Only The
default must be set to Private if there is at least one user who shouldnt see a record

Regardless the
organizationwide defaults

Lets say that your organization has internal users employees and sales agents and external users site
or portal users under different sales agents or accounts with these requirements

Administrators and users
with the View All Users
permission retain Read
access to all user
records

Internal users have
ReadWrite access to
their own records

Users have Read access
to user records below
them in the role
hierarchy

Employees can see everyone
Sales agents can see employees other agents and their own customer user records only
External customers can see other customers only if they are under the same agent or account
To meet these requirements set the default external access to Private and extend access using sharing
rules manual sharing or user permissions
This table explains what it means to have Read access on a user record
Read access to the record What can you see
No

Users name only

Yes

Users name profile and detail page You can also see the user in
lookups list views ownership changes user operations and search
Internal users with ReadWrite access can edit the record excluding
fields such as role profile or permissions Portal users cant edit user
records

This graphic illustrates how the organizationwide defaults work with sharing rules manual sharing and
the View All Users permission

Understanding User Sharing

Setting the OrganizationWide Defaults for User Records

Setting the OrganizationWide Defaults for User
Records
Permissions
Youll need the Manage
Sharing permissions to set
the organizationwide
defaults

When the feature is first turned on the organizationwide default is Public Read Only for internal users
and Private for external users
To set the organizationwide defaults
From Setup in the Quick Find box enter Sharing Settings then select Sharing Settings
Click Edit in the OrganizationWide Defaults area
Select the default internal and external access you want to use for user records
The default external access must be more restrictive or equal to the default internal access
Click Save
Users have Read access to those below them in the role hierarchy and full access on their own user
record

Understanding User Sharing

When do I need to use user sharing rules or manual shares

When do I need to use user sharing rules or manual

shares
Tip
Users inherit the same level
of access as users below
them in the role hierarchy
You cant grant a more
restrictive access than your
organizationwide defaults
If a user gains access to a
record by more than one
way for example
organizationwide defaults
and sharing rules the higher
level of access is maintained

User sharing rules grant additional access beyond the organizationwide defaults based on group
membership role groups or territories or other criteria User sharing rules based on membership enable
user records belonging to members of one group to be shared to members of another group
Manual sharing grants additional access to user records but on an individual basis For example you can
use manual sharing in these examples
You want to share your user record on a onetime basis
You want to extend access to your user record to an individual user below you in the role hierarchy
Youre extending access to external users such as highvolume portal or guest users so that internal
users may see them
Note You can extend access to Highvolume portal users and guest users using manual shares
but not sharing rules since they dont have roles Highvolume portal users can be shared with
internal users via manual sharing but not the other way around Guest users can be shared with
internal users via manual sharing and vice versa

Creating User Sharing Rules
Permissions
Youll need the Manage
Sharing permission to create
sharing rules

User sharing rules can be based on membership to public groups roles or territories or on other criteria
such as Department and Title By default you can define up to user sharing rules including up to
criteriabased sharing rules
To create user sharing rules
From Setup enter Sharing Settings in the Quick Find box then select Sharing Settings
In the User Sharing Rules related list click New
Enter the Label Name and click the Rule Name field to autopopulate it
Enter the Description This field describes the sharing rule It is optional and can contain up to
characters
Select a rule type
Depending on the rule type you selected do the following
Based on group membershipUsers who are members of a group can be shared with
members of another group In the Users who are members of line select a category
from the first dropdown list and a set of users from the second dropdown list or lookup field
if your organization has over groups roles or territories
Based on criteriaSpecify the Field Operator and Value criteria that records must
match to be included in the sharing rule The fields available depend on the object selected and

the value is always a literal number or string Click Add Filter Logic to change the default AND

relationship between each filter
Note To use a field thats not supported by criteriabased sharing rules you can create a
workflow rule or Apex trigger to copy the value of the field into a text or numeric field and
use that field as the criterion

Understanding User Sharing

Creating Manual Shares for User Records

In the Share with line specify the users who get access to the user records Select a category
from the first dropdown list and a set of users from the second dropdown list or lookup field
Select the sharing access settings for users
Access Setting

Description

Read Only

Users can view but not update records

ReadWrite

Users can view and update records

Click Save

Creating Manual Shares for User Records
Permissions
You can share your own
record to another user for
whom you have Read
access or you can share any
record if you have the
Manage Users permission

To grant access to a user record
From Setup enter Users in the Quick Find box then select Users Click the name of the user
you want to share
On the User Detail page click Sharing
Click Add
From the dropdown list select the group user role or territory to share with
Choose which users have access by adding them to the Share With list
Select the access level for the record you are sharing
Possible values are ReadWrite or Read Only depending on your organizationwide defaults for users
You can only grant a higher access level than your organizationwide default
Click Save
To change record access on the users Sharing Detail page click Edit or Del

***