OWD sharing

To define the Organization-Wide Defaults sharing settings, go to Setup | Security | Sharing Settings:

A selection of standard objects and all custom objects can be set in this page.

By default, Salesforce uses role hierarchies to grant access to records to the users that belong to roles above a given user hierarchy. This means that if a user owns a record (whose object is set as Private in the OWD, so it should be only visible to its owner), using hierarchies, the manager user who is above that role can access the record as well.

If you change an object's OWD to a wider value (for example, from Private to Public Read-Only) the visibility is updated instantly: users who weren't able to access the records will immediately be allowed to do so.

If you restrict access (for example, from Public Read/Write to Private), Salesforce will start a recalculation that could take hours to complete, depending on the size of the dataset.

The OWD settings have the following values (a selection object has specific values that differ from this list):

• Controlled by Parent: If a record is a child of another kind of record (for example, a contact is parented to an account), you can give this record the same access level as its parent. If a user can edit an account, then they're allowed to edit its children contacts as well. When a custom object is a master-detail child of a standard object, the only available value is Controlled by Parent and it is not editable.
• Private: Only the record's owner and users above their role hierarchy can view, edit, and report on the record.
• Public Read Only: The record is viewable and reportable by any user, but it can only be edited by its owner and users above the owner's hierarchy.
• Public Read/Write: The record is viewable and editable by any user in your organization. Only the owner can delete or manually share the record.
• Public Read/Write/Transfer: Available only on cases and leads, the transfer operation allows a record to be transferred of ownership, but only the owner can delete or manually share it.
• Public Full Access: Available only on campaigns, this allows all users to read, edit, and delete a campaign, regardless of whether they are the owner or not.

A user object has the following two available values:

• Private: A record is accessible by the owner (that is, the same user) and by the users on the hierarchy above it.
• Public Read-Only: The record is accessible by any user in the organization.

In order to improve recalculation performance, you can enable External Organization-Wide Defaults and change the way records are shared with external users (such as customer community users).

Some types of external users are as follows:

• Authenticated website users
• Chatter external users
• Community users
• Customer portal users
• Guest users
• High-volume portal users
• Partner portal users
• Service cloud portal users

It's good practice to set the Default External Access to Private and then extend accessibility using, for example, sharing rules or sharing sets for the external users only.

External access can be set for the following objects:

• Account
• Asset
• Case
• Contact
• Individual
• Opportunity
• Order
• User
• Custom objects

To enable external OWD defaults, click on the Enable External Sharing Model button on the Setup | Security | Sharing Settings page. All external default values are matched with the internal settings.