Salesforce Sharing Users Tipsheet

UNDERSTANDING USER SHARING

Summary
User Sharing controls access to user records. You can use the "View All Users" permission to grant a user Read access to all user records, regardless of the sharing settings. System administrators and users with the "Manage Users" permission automatically get the "View All Users" permission with User Sharing.

What is User Sharing?
Note: User Sharing is automatically available in new organizations in Winter. Existing organizations can contact Salesforce to enable this feature.

User Sharing enables you to show or hide an internal or external user from another user in your organization. With User Sharing, you can:
• Assign the "View All Users" permission to users who need to see or interact with all users. This permission is automatically enabled for users who have the "Manage Users" permission.
• Set the organization-wide default for user records to Private or Public Read Only.
• Create user sharing rules based on group membership or other criteria, such as username and whether a user is active.
• Create manual shares to grant access to individual users or groups.
• Control the visibility of external users in customer or partner portals and communities.

Understanding User Sharing
Review these considerations before you implement user sharing.

Granting access to a user record makes the user's detail page visible to others. It also makes the user visible in lookups, list views, search, and so on.

"View All Users" permission
This permission can be assigned to users who need Read access to all users, regardless of the sharing settings. If you already have the "Manage Users" permission, you're automatically granted the "View All Users" permission.

Organization-wide defaults for user records
This setting defaults to Private for external users and Public Read Only for internal users. When the default access is set to Private, users can only read and edit their own user record. Users with subordinates in the role hierarchy maintain read access to the user records of those subordinates.

User sharing rules
General sharing rule considerations apply to user sharing rules. User sharing rules are based on membership to a public group, role, or territory. Each sharing rule shares members of a source group with those of the target group. You must create the appropriate public groups, roles, or territories before creating your sharing rules. Users inherit the same access as users below them in the role hierarchy.

Last updated November

Manual sharing for user records
Manual sharing can grant read or edit access on an individual user, but only if the access is greater than the default access for the target user. Users inherit the same access as users below them in the role hierarchy. Apex managed sharing isn't supported.

User sharing for external users
Users with the "Manage External Users" permission have access to external user records for Partner Relationship Management, Customer Service, and Customer Self-Service portal users, regardless of sharing rules or organization-wide default settings for User records. The "Manage External Users" permission doesn't grant access to guest or Chatter External users.

High-volume Experience Cloud site users and Chatter users
Only users with roles can be included in sharing rules. For this reason, the user records of high-volume users, Chatter External, and Chatter Free users can't be included in sharing rules, and these users can't be granted access to user records via a sharing rule.

Automated Process and License Manager users
Some special users created for org or app maintenance, such as Automated Process and License Manager users, can't be included in any sharing rules, including user sharing rules.

User sharing compatibility
When the organization-wide default for the user object is set to Private, user sharing doesn't fully support these features:
• Chatter Messenger isn't available for external users. It's available for internal users only when the organization-wide default for the user object is set to Public Read Only.
• Salesforce CRM Content: A user who can create libraries can see users they don't have access to when adding library members.
• Standard Report Types: If the organization-wide default for the user object is Private and the Standard Report Visibility checkbox is selected, a person viewing the report can see the names of users that are listed in the report. To see details such as username and email address, the viewer must have access to the users.

User sharing in Chatter
In Chatter, there are exceptions where users who aren't shared can still see and interact with each other. For example, regardless of user sharing, in a public Chatter group everyone with access to the group can see all posts. They can also see the names of the users who post, and mention users who commented on a post.

For example, you set up user sharing so Mary and Bob can't see or interact with each other. Mary posts on a public Chatter group. She can't mention Bob because user sharing prevents Bob's name from showing up in the mention dropdown list. However, Bob can see Mary's post, and he comments on her post. Now Mary can actually mention Bob in her next comment on her post.

There are also exceptions where users who aren't shared can still see each other in the mention dropdown list. For example, Sue has interacted with Edgar in Chatter by liking or commenting on his post or mentioning him. Then you set up user sharing so Sue can't see Edgar. Sue posts on a public Chatter group. She can mention Edgar because, due to their previous interaction, his name shows up on the mention dropdown list. However, if Sue clicks the Edgar mention, she gets an error because, due to user sharing, she can't see him.

Organization-Wide Defaults for User Records

Tip
Regardless of the organization-wide defaults:
• Administrators and users with the "View All Users" permission retain Read access to all user records.
• Internal users have Read/Write access to their own records.
• Users have Read access to user records below them in the role hierarchy.

For user records, you can set the organization-wide sharing default to Private or Public Read Only. The default must be set to Private if there is at least one user who shouldn't see a record.

Let's say that your organization has internal users (employees and sales agents) and external users (site or portal users) under different sales agents or accounts, with these requirements:

This table explains what it means to have Read access on a user record.

| Read access to the record | What can you see |
|---|---|
| No | User's name only. |
| Yes | User's name, profile, and detail page. You can also see the user in lookups, list views, ownership changes, user operations, and search. Internal users with Read/Write access can edit the record, excluding fields such as role, profile, or permissions. Portal users can't edit user records. |

This graphic illustrates how the organization-wide defaults work with sharing rules, manual sharing, and the "View All Users" permission.
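
The way these mechanisms combine can be checked with a small model. This is an added example, not Salesforce code or part of the original tipsheet: the `Org` class, its field names and the sample users are hypothetical, and the model deliberately ignores territories, the Chatter exceptions and the "Manage External Users" permission.

```python
from dataclasses import dataclass, field
NONE, READ, READ_WRITE = 0, 1, 2  # ordered, so max() keeps the higher access

@dataclass
class Org:  # hypothetical model, not a Salesforce API
    owd_internal: int = READ    # Public Read Only
    owd_external: int = NONE    # Private
    roles: dict = field(default_factory=dict)   # user -> role (absent: no role)
    parent: dict = field(default_factory=dict)  # role -> parent role
    external: set = field(default_factory=set)  # external users
    view_all: set = field(default_factory=set)  # holders of "View All Users"
    rules: list = field(default_factory=list)   # (source users, target users, level)
    manual: list = field(default_factory=list)  # (record user, grantee, level)

    def __post_init__(self):
        if self.owd_external > self.owd_internal:  # external must not exceed internal
            raise ValueError("external default exceeds internal default")

    def is_above(self, viewer, target):
        """True if viewer's role is an ancestor of target's role."""
        role = self.parent.get(self.roles.get(target))
        while role is not None:
            if role == self.roles.get(viewer):
                return True
            role = self.parent.get(role)
        return False

    def direct(self, grantee, target):
        """Access granted by sharing rules and manual shares only."""
        got = [lv for src, dst, lv in self.rules if target in src and grantee in dst]
        got += [lv for rec, who, lv in self.manual if rec == target and who == grantee]
        return max(got, default=NONE)

    def access(self, viewer, target):
        if viewer == target:  # own record; portal users can't edit user records
            return READ if viewer in self.external else READ_WRITE
        level = self.owd_external if viewer in self.external else self.owd_internal
        if viewer in self.view_all or self.is_above(viewer, target):
            level = max(level, READ)
        # Users inherit the access of users below them in the role hierarchy.
        chain = [viewer] + [u for u in self.roles if self.is_above(viewer, u)]
        return max([level] + [self.direct(u, target) for u in chain])

def sample_org():
    # Constructed data: a manager over two sales agents, plus one portal customer.
    return Org(owd_internal=NONE, owd_external=NONE, external={"cust1"},
               roles={"mgr": "Manager", "agent1": "Agent", "agent2": "Agent"},
               parent={"Agent": "Manager"}, view_all={"admin"},
               rules=[({"mgr"}, {"agent1", "agent2"}, READ)], manual=[("cust1", "agent1", READ)])
```

With both defaults set to Private, `sample_org().access("mgr", "cust1")` returns `READ` only because the manager inherits the manual share held by `agent1`, which is the kind of indirect visibility worth reviewing when auditing who can see external user records.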

Setting the Organization-Wide Defaults for User Records

Permissions
You'll need the "Manage Sharing" permissions to set the organization-wide defaults.

When the feature is first turned on, the organization-wide default is Public Read Only for internal users and Private for external users.

To set the organization-wide defaults:
1. From Setup, in the Quick Find box, enter Sharing Settings, then select Sharing Settings.
2. Click Edit in the Organization-Wide Defaults area.
3. Select the default internal and external access you want to use for user records. The default external access must be more restrictive or equal to the default internal access.
4. Click Save.

Users have Read access to those below them in the role hierarchy and full access on their own user record.

When do I need to use user sharing rules or manual shares?

Tip
• Users inherit the same level of access as users below them in the role hierarchy.
• You can't grant a more restrictive access than your organization-wide defaults.
• If a user gains access to a record by more than one way, for example, organization-wide defaults and sharing rules, the higher level of access is maintained.

User sharing rules grant additional access beyond the organization-wide defaults, based on group membership (role, groups, or territories) or other criteria. User sharing rules based on membership enable user records belonging to members of one group to be shared to members of another group.

Manual sharing grants additional access to user records, but on an individual basis. For example, you can use manual sharing in these examples:
• You want to share your user record on a one-time basis.
• You want to extend access to your user record to an individual user below you in the role hierarchy.
• You're extending access to external users, such as high-volume portal or guest users, so that internal users may see them.

Note: You can extend access to high-volume portal users and guest users using manual shares, but not sharing rules, since they don't have roles. High-volume portal users can be shared with internal users via manual sharing, but not the other way around. Guest users can be shared with internal users via manual sharing, and vice versa.

Creating User Sharing Rules

Permissions
You'll need the "Manage Sharing" permission to create sharing rules.

User sharing rules can be based on membership to public groups, roles, or territories, or on other criteria such as Department and Title. By default, you can define up to user sharing rules, including up to criteria-based sharing rules.

To create user sharing rules:
1. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing Settings.
2. In the User Sharing Rules related list, click New.
3. Enter the Label Name and click the Rule Name field to auto-populate it.
4. Enter the Description. This field describes the sharing rule. It is optional and can contain up to characters.
5. Select a rule type.
6. Depending on the rule type you selected, do the following:
   • Based on group membership: Users who are members of a group can be shared with members of another group. In the "Users who are members of" line, select a category from the first dropdown list and a set of users from the second dropdown list (or lookup field, if your organization has over groups, roles, or territories).
   • Based on criteria: Specify the Field, Operator, and Value criteria that records must match to be included in the sharing rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic to change the default AND relationship between each filter.
   Note: To use a field that's not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger to copy the value of the field into a text or numeric field, and use that field as the criterion.
7. In the "Share with" line, specify the users who get access to the user records. Select a category from the first dropdown list and a set of users from the second dropdown list or lookup field.
8. Select the sharing access settings for users.

| Access Setting | Description |
|---|---|
| Read Only | Users can view, but not update, records. |
| Read/Write | Users can view and update records. |

9. Click Save.

Creating Manual Shares for User Records

Permissions
You can share your own record to another user for whom you have Read access, or you can share any record if you have the "Manage Users" permission.

To grant access to a user record:
1. From Setup, enter Users in the Quick Find box, then select Users. Click the name of the user you want to share.
2. On the User Detail page, click Sharing.
3. Click Add.
4. From the dropdown list, select the group, user, role, or territory to share with.
5. Choose which users have access by adding them to the Share With list.
6. Select the access level for the record you are sharing. Possible values are Read/Write or Read Only, depending on your organization-wide defaults for users. You can only grant a higher access level than your organization-wide default.
7. Click Save.
8. To change record access, on the user's Sharing Detail page, click Edit or Del.

***