Demo

Posted on • Originally published at orgdoc.dev

Salesforce sharing rules demystified: who sees what and why it matters

Sharing rules are the unsung heroes (and villains) of Salesforce data security. In my decade managing enterprise orgs across healthcare, finance, and SaaS, I’ve seen teams waste weeks fixing access issues that could’ve been prevented with proper sharing configuration. Let’s cut through the confusion: who actually sees what, and why getting this wrong costs real money.

The Core Mechanics: OWDs, Roles, and Rules

Everything starts with Organization-Wide Defaults (OWDs). If Account OWDs are set to "Private" (the most secure default), users only see their own records by default. That’s where sharing rules come in—they grant exceptions to OWDs. Crucially, sharing rules work on top of the role hierarchy. If you share a record with a role, it flows down the hierarchy (e.g., sharing with "Regional Manager" makes all managers below them see it).

Real-World Examples That Break

Here’s where things go sideways in practice:

  • Public Group Overkill: A SaaS client created a "FullAccess" public group for all sales reps. They then shared all opportunities with this group via a rule. Result? Marketing saw sensitive pricing data. Fix: Replace the group with a role-based rule targeting only "Account Executives" for specific account types.

  • Role Hierarchy Ignored: In a healthcare org, OWDs for Patient records were "Private," but the "Nurse" role wasn’t below "Physician" in the hierarchy. Nurses couldn’t see patients assigned to their physicians. Fix: Adjust the role hierarchy to nest "Nurse" under "Physician" before adding sharing rules.

  • Legacy Rule Bloat: A financial services org had 12+ sharing rules for Leads, many overlapping. Running a SELECT Id, RuleName FROM SharingRule WHERE Object = 'Lead' exposed redundant rules. Fix: Consolidate into 2 role-based rules and delete the rest.

Why This Isn’t Just "Security Theater"

Bad sharing rules directly impact revenue and compliance:

  • Compliance Risk: In healthcare, sharing patient data with the wrong group (e.g., billing staff seeing medical history) violates HIPAA. One client faced a $50k fine for misconfigured rules exposing 10k+ records.

  • Productivity Drain: When sales reps can’t see leads assigned to their manager (due to missing role hierarchy), they spend 10+ hours/week requesting access. At 500 reps, that’s 5,000 hours/year wasted.

  • System Performance: Each sharing rule adds calculation overhead. A client with 500+ rules on Accounts saw profile page load times spike from 2s to 15s during peak hours.

Don’t rely on guesswork. Audit your sharing rules quarterly using this SOQL query to spot gaps:

```sql
SELECT Id, RuleName, Type, ParentId, SharingCriteria
FROM SharingRule
WHERE Object = 'Account'
AND (RuleName LIKE '%Team%' OR Type = 'Role')
```
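The two failure patterns above ("Public Group Overkill" and "Legacy Rule Bloat") can be caught offline by auditing the retrieved sharing-rule metadata rather than clicking through Setup. The following is an added example, not code from the post or from Org Scanner: it assumes the Metadata API's SharingRules XML layout (owner rules with sharedFrom/sharedTo, criteria rules with criteriaItems) and uses a constructed Account.sharingRules sample; the group and role names in it are made up.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample Account.sharingRules metadata (format assumed, not taken from the post): two owner
# rules hand every internal user's accounts to the "FullAccess" group; one criteria rule targets a role.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SharingRules xmlns="http://soap.sforce.com/2006/04/metadata">
  <sharingOwnerRules><fullName>All_To_FullAccess</fullName><accessLevel>Edit</accessLevel>
    <sharedFrom><allInternalUsers/></sharedFrom><sharedTo><group>FullAccess</group></sharedTo></sharingOwnerRules>
  <sharingOwnerRules><fullName>All_To_FullAccess_Old</fullName><accessLevel>Read</accessLevel>
    <sharedFrom><allInternalUsers/></sharedFrom><sharedTo><group>FullAccess</group></sharedTo></sharingOwnerRules>
  <sharingCriteriaRules><fullName>Enterprise_To_AEs</fullName><accessLevel>Read</accessLevel>
    <criteriaItems><field>Type</field><operation>equals</operation><value>Enterprise</value></criteriaItems>
    <sharedTo><roleAndSubordinates>Account_Executive</roleAndSubordinates></sharedTo></sharingCriteriaRules>
</SharingRules>"""

def _target(node):
    """(kind, name) of the single child of sharedTo/sharedFrom, e.g. ('group', 'FullAccess')."""
    child = node[0]
    return child.tag.split("}")[1], (child.text or "").strip()

def parse_rules(xml_text):
    """Flatten owner and criteria rules into dicts with a hashable 'scope' (whose/which records)."""
    root, rules = ET.fromstring(xml_text), []
    for kind in ("sharingOwnerRules", "sharingCriteriaRules"):
        for r in root.findall(f"m:{kind}", NS):
            if kind == "sharingOwnerRules":
                scope = _target(r.find("m:sharedFrom", NS))
            else:  # criteria rule: scope is its (field, operation, value) filters
                scope = tuple((c.find("m:field", NS).text, c.find("m:operation", NS).text,
                               c.find("m:value", NS).text) for c in r.findall("m:criteriaItems", NS))
            rules.append({"name": r.find("m:fullName", NS).text, "kind": kind,
                          "access": r.find("m:accessLevel", NS).text,
                          "to": _target(r.find("m:sharedTo", NS)), "scope": scope})
    return rules

def audit(rules):
    """Flag group/all-user targets and rules that repeat an earlier rule's target and scope."""
    findings, seen = [], {}
    for r in rules:
        if r["to"][0] in ("group", "allInternalUsers"):
            findings.append((r["name"], "broad target: %s %s" % r["to"]))
        key = (r["kind"], r["to"], r["scope"])  # access level left out: the wider grant subsumes the narrower
        if key in seen:
            findings.append((r["name"], "overlaps " + seen[key]))
        else:
            seen[key] = r["name"]
    return findings
```

Calling `audit(parse_rules(SAMPLE_XML))` reports both owner rules as broad targets and the second as overlapping the first, while the role-scoped criteria rule passes; point `parse_rules` at a retrieved `<Object>.sharingRules` file to run it against a real org.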

When rules are correctly configured, your sales team closes deals faster, security teams sleep soundly, and compliance auditors stop asking for the "access matrix." It’s not about complexity—it’s about precision. Misconfigured sharing isn’t a "nice-to-have" fix; it’s a direct line to financial risk and wasted productivity.

Stop letting shadow access be your org’s secret problem. Run a free Salesforce Health Scan with Org Scanner to identify dangerous sharing rules, redundant permissions, and compliance gaps before they cost you. Get your scan now—it takes 5 minutes and saves weeks of firefighting.

📚 Recommended Resource: Salesforce for Dummies — great for anyone learning Salesforce.

📚 Recommended Resource: The Phoenix Project — great for anyone in IT management.

📚 Recommended Resource: NIST Cybersecurity Framework Guide — great for anyone working with security frameworks.


Need a second opinion on your Salesforce org? Request a diagnostic.
