What happens under the hood?
When a user requests access to a record?
- First, the system determines whether a profile, permission set, or organization-wide default setting already gives the user the level of access that the user is requesting to the record.
- If the user does not have at least that level of access to the record, the system queries the object share table to see if there is a row in which the record’s ID appears in the object ID column and the user’s ID appears in the UserOrGroupId column.
- Next, it queries the group membership tables to identify all the groups that could provide access to the user.
- It then scans the object share table again to see if there is a row in which any of these groups has already been granted access to the record.
- Finally, it compares the level of access granted directly to the user with the levels of access granted to the groups the user belongs to, giving the user the least restrictive level of access from this comparison.
When you move a user from one role to another role?
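
The lookup order above, as a simplified Python model for reasoning about effective access during a sharing review (an added example, not Salesforce's implementation). The row layout, access-level names and IDs are constructed, and expanding nested groups is an assumption about what "all the groups that could provide access" covers.

```python
from collections import deque

# Access levels ordered from most to least restrictive (names are illustrative).
LEVELS = {"None": 0, "Read": 1, "Edit": 2, "All": 3}

# Constructed sample data standing in for the object share table and the
# group membership table; every ID here is made up.
SHARE_ROWS = [
    {"ObjectId": "rec-1", "UserOrGroupId": "user-a", "AccessLevel": "Read"},
    {"ObjectId": "rec-1", "UserOrGroupId": "grp-support", "AccessLevel": "Edit"},
    {"ObjectId": "rec-2", "UserOrGroupId": "grp-emea", "AccessLevel": "Read"},
]
GROUP_MEMBERS = {  # group -> direct members (users or other groups)
    "grp-support": {"grp-emea"},
    "grp-emea": {"user-a", "user-b"},
}

def groups_for(user_id, members=GROUP_MEMBERS):
    """Every group that could provide access to the user, nested ones included."""
    found, queue = set(), deque([user_id])
    while queue:
        member = queue.popleft()
        for group, direct in members.items():
            if member in direct and group not in found:
                found.add(group)
                queue.append(group)
    return found

def effective_access(user_id, record_id, requested, baseline="None",
                     shares=SHARE_ROWS, members=GROUP_MEMBERS):
    """Return (granted, level, source) following the lookup order in the text."""
    # Step 1: profile, permission set or org-wide default already suffices.
    if LEVELS[baseline] >= LEVELS[requested]:
        return True, baseline, "baseline"
    rows = [r for r in shares if r["ObjectId"] == record_id]
    # Step 2: share rows that name the user directly.
    grants = [(r["AccessLevel"], "direct share")
              for r in rows if r["UserOrGroupId"] == user_id]
    # Steps 3-4: share rows that name any group the user belongs to.
    groups = groups_for(user_id, members)
    grants += [(r["AccessLevel"], "group " + r["UserOrGroupId"])
               for r in rows if r["UserOrGroupId"] in groups]
    # Step 5: the least restrictive grant wins.
    level, source = max(grants + [(baseline, "baseline")],
                        key=lambda g: LEVELS[g[0]])
    return LEVELS[level] >= LEVELS[requested], level, source
```

For `user-a` on `rec-1`, the model reports Edit via `grp-support` even though the direct share row only grants Read, which is the kind of inherited grant an access review needs to surface.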
When you move a user from one role to another role, Salesforce automatically adjusts both the sharing configuration provided by the role hierarchy and the sharing rules associated with the records that the user owns.
If a single user owns more than 10,000 records, as a best practice:
- The user record of the owner should not hold a role in the role hierarchy.
- If the owner’s user record must hold a role, the role should be at the top of the hierarchy in its own branch of the role hierarchy.

User A is assigned a profile which has No access to the Case object. User B, who is the owner of a Case, manually grants R/W access to User A. Will User A be able to view and edit the Case?