DEV Community

Cover image for Building Skill Align - Part 4 - Roles, OWD, Sharing & Record-Level Governance
Rubasri Srikanthan
Rubasri Srikanthan

Posted on • Edited on

Building Skill Align - Part 4 - Roles, OWD, Sharing & Record-Level Governance

#sideprojects #salesforce #beginners #security

After defining objects, users, profiles, and permission sets in Skill Align, the next critical layer was not functionality — but visibility.

Because defining what users can do without defining what they can see leads to overexposure.

In Salesforce, record-level security operates in layered form:

  • Organization-Wide Defaults (OWD) → Baseline visibility

  • Role Hierarchy → Vertical access expansion

  • Sharing Rules → Controlled horizontal exceptions

Profiles and Permission Sets define object-level permissions.

This phase I focused purely on record-level governance.

Important: Role Hierarchy and Sharing Rules can only expand access. They can never be more restrictive than OWD. OWD is always the foundation.

Organization-Wide Defaults (OWD)

What is OWD?

OWD defines the most restrictive level of access to records.

Common values:

  • Private → Only the record owner can access

  • Public Read Only → Everyone can view, only owner can edit

  • Public Read/Write → Everyone can view and edit

Security begins here.

OWD Configuration in Skill Align

I intentionally started restrictive and expanded access only where required.

Object OWD Reason
Employee Private Sensitive employee data
Project Private Allocation decisions must remain controlled
Skill Public Read Only Shared reference data
Employee Skill Private Skill ownership tied to employee
Project Skill Requirement Private Controlled requirement metadata
Project Candidate Private Shortlisting is sensitive
Project Assignment Private Final allocation must be governed

What This Means Practically

Because most objects are Private:

  • Users can only see records they own.

  • Access expands only through hierarchy or administrative override.

  • Exposure is controlled by design — not by accident.

Role Hierarchy

What is Role Hierarchy?

Role Hierarchy provides vertical record visibility.

When:

  • OWD = Private

  • “Grant Access Using Hierarchies” is enabled

Users higher in the hierarchy automatically gain access to records owned by users below them.

Important distinction:

  • Profiles → Control object permissions

  • Roles → Control record visibility

In Skill Align:

Managers and Employees share the same profile.

They differ only by role — and that drives visibility.

Role Structure 

   HR
    ↑
Project Manager
    ↑
Employee
Enter fullscreen mode Exit fullscreen mode

Visibility follows structure.

How Visibility Works in Skill Align

Scenario 1: Employee Skill Record

An Employee updates their Skill record.

  • The Employee can see and edit their record (owner).

  • The Project Manager can see it because they sit above the Employee in the hierarchy.

  • HR can see it due to administrative permissions.

This enables skill verification without exposing peer data.

Scenario 2: Project Assignment

Project Assignment records are owned by the Project Manager to reflect accountability.

  • The Project Manager can view and manage the record (record owner).

  • HR can see and modify it due to administrative permissions.

  • Employees cannot automatically see it because:

    • OWD is Private.
    • Their role sits below the Manager role.
    • Ownership represents responsibility.

Governance is embedded into ownership.

HR and Administrative Override

HR uses the System Administrator profile, which includes:

  • View All Data

  • Modify All Data

These permissions override OWD and hierarchy.

HR visibility is administrative — not inherited.

This separation ensures:

  • Structural governance through roles

  • Oversight through administrative control

Sharing Rules

What Are Sharing Rules?

Sharing Rules allow access to be extended horizontally — outside reporting lines.

Used for:

  • Cross-team allocation reviews

  • Governance committees

  • Audit visibility

They expand access but never restrict it.

Did Skill Align Use Sharing Rules?

Not in this phase.

Because:

  • Upward visibility is already handled via Role Hierarchy.

  • Manager-owned records are intentionally restricted.

  • Governance is preserved through restrictive OWD.

If employee visibility into Project Assignments becomes necessary, a controlled sharing rule can be introduced — without redesigning the architecture.

The foundation is scalable.

Final Visibility Flow

Employee

  • Can see only records they own.

  • Cannot see peer records.

  • Cannot see Manager-owned Project Assignments.

Project Manager

  • Can see Employee-owned records below them.

  • Owns and governs Project Assignment records.

  • Controls allocation lifecycle.

HR

  • Full record visibility.

  • Administrative oversight.

  • Can verify skills and confirm allocations.

Top comments (0)