Tuesday, November 7, 2017

Access Grants: Record Access Calculation in Salesforce

Salesforce checks record accessibility whenever a user views a record, in order to maintain data visibility according to the sharing settings specified in the org. Record access can be granted through the role hierarchy, sharing rules, built-in sharing and other mechanisms.

Imagine a large-scale implementation with a large number of roles, sharing rules and custom Apex managed sharing. Determining a user's access to a record by evaluating all of these on every request would take a lot of time and cause performance issues.

To avoid this kind of performance issue, Salesforce does not evaluate all of the sharing logic in real time. Instead, it recalculates record access whenever a configuration change occurs and stores the result. The real-time check then becomes a lookup of the stored access, rather than traversing every hierarchy, applying every sharing rule or analysing every other available record sharing mechanism.

Access Grants

Salesforce uses access grants to identify how much access a user has to an object's records. Access grants come into play only when the OWD (organization-wide default) for the object is either Private or Public Read Only.
An access grant also records which sharing tool (a sharing rule, team, role and so on) is responsible for giving the user access to the record.

There are four types of access grants used by Salesforce:
  • Explicit Grants
Salesforce uses explicit grants when records are shared directly with users or groups. The following scenarios fall under this category:
    1. Teams: when the user is a member of an account, sales or case team.
    2. When a user or queue becomes the record owner. All users in that queue get access to the record.
    3. When the record is shared through a sharing rule, Apex managed sharing or manual sharing.
    4. When the record is shared with a user or queue by an assignment rule, or when territory rules share the record with a territory. All users in that territory get access to the record.
Note: If you are using Enterprise Territory Management, a user cannot manually share a record with a territory, and sharing rules or Apex managed sharing cannot share a record with territory groups.
  • Implicit Grants
This is also called built-in sharing in Salesforce. These are predefined record sharing behaviours for the Sales, Service and portal applications. For example:
    1. A user can view the parent account record if they have access to a child opportunity, case or contact record.
    2. If a user has access to the parent account, they can access its child opportunity, case and contact records.
  • Group Membership Grants
This grant comes into play when a user, personal or public group, queue, role or territory is a member of a group that has explicit access to a record. In other words, when a record is shared with a public group, every user and group in that public group, including the members of its sub-groups, gets access to the record.
  • Inherited Grants
This comes into play when a user gets access to a record through the role hierarchy, the territory hierarchy, or by inheriting access through a group hierarchy.


Sharing Database Architecture

Salesforce stores access grants in three types of tables:
  • Object Record Tables
These tables indicate which user, group or queue owns each record.
  • Object Sharing Tables
These tables store which record is shared with which user or group, whether through Apex managed sharing or declarative sharing, when the object's OWD is not Public Read/Write.

These tables store the data that supports explicit and implicit grants.
  • Group Maintenance Tables
These tables store the data that supports group membership grants and inherited grants.
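To make the four grant types and the three table types concrete, here is an added toy model. It is not Salesforce's own code, and every user, role, group and record name in it is constructed for the example. It keeps an object record table (OWNER), an object sharing table (SHARE_ROWS) and a group maintenance table flattened by expand_group, materialises every (record, user) grant together with the reason behind it once, and then answers an access check with a single dictionary lookup, which is the point of the precomputation described at the top of the post.

```python
"""Toy model of Salesforce-style precomputed record access.

Added example: the org metadata below is constructed (hypothetical users,
roles, groups and records), not taken from any real org.
"""

LEVEL = {"None": 0, "Read": 1, "ReadWrite": 2}

# Role hierarchy (child role -> parent role); users above inherit access.
ROLE_PARENT = {"CEO": None, "VP_Sales": "CEO",
               "Rep_West": "VP_Sales", "Rep_East": "VP_Sales"}
USER_ROLE = {"alice": "CEO", "bob": "VP_Sales", "carol": "Rep_West",
             "dave": "Rep_East", "eve": "Rep_East"}

# Public groups; a member is a user name or "group:<name>" (a sub-group).
GROUP_MEMBERS = {"All_Reps": ["carol", "group:East_Reps"],
                 "East_Reps": ["dave", "eve"]}

# Object record table: record -> owner (an explicit grant).
OWNER = {"Acc1": "carol", "Opp1": "carol", "Acc2": "dave", "Con1": "eve"}
# Child record -> parent account, used for implicit grants.
PARENT = {"Opp1": "Acc1", "Con1": "Acc1"}

# Object sharing table rows: (record, grantee, level, row cause).
SHARE_ROWS = [("Acc2", "group:All_Reps", "Read", "Manual")]


def expand_group(group, members=GROUP_MEMBERS):
    """Flatten a public group, including nested sub-groups, into user names.
    This is the work the group maintenance tables keep precomputed."""
    users, stack, seen = set(), [group], set()
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in members.get(g, []):
            if m.startswith("group:"):
                stack.append(m[len("group:"):])
            else:
                users.add(m)
    return users


def role_ancestors(role, parents=ROLE_PARENT):
    """Roles above `role` in the hierarchy, nearest first."""
    out = []
    while parents.get(role) is not None:
        role = parents[role]
        out.append(role)
    return out


def compute_access(owner=OWNER, parent=PARENT, share_rows=SHARE_ROWS,
                   user_role=USER_ROLE):
    """Materialise (record, user) -> (level, reason), as the sharing tables
    would be rebuilt after a configuration change."""
    table = {}

    def grant(record, user, level, reason):
        cur = table.get((record, user))
        if cur is None or LEVEL[level] > LEVEL[cur[0]]:
            table[(record, user)] = (level, reason)

    # 1. Explicit grants from the object record table (ownership).
    for rec, user in owner.items():
        grant(rec, user, "ReadWrite", "Owner")

    # 2. Explicit grants from the object sharing table; a group grantee
    #    turns into a group membership grant for every resolved member.
    for rec, grantee, level, cause in share_rows:
        kind, name = grantee.split(":", 1)
        if kind == "user":
            grant(rec, name, level, cause)
        else:
            for u in expand_group(name):
                grant(rec, u, level, f"GroupMembership({cause})")

    # 3. Inherited grants: everyone above a grantee in the role hierarchy
    #    receives the same level of access.
    for (rec, user), (level, reason) in list(table.items()):
        for role in role_ancestors(user_role[user]):
            for mgr, mrole in user_role.items():
                if mrole == role:
                    grant(rec, mgr, level, f"Inherited({reason})")

    # 4. Implicit grants, derived from a snapshot so that an implicit parent
    #    grant does not cascade on to sibling child records.
    for (rec, user), _ in list(table.items()):
        if rec in parent:
            grant(parent[rec], user, "Read", "ImplicitParent")
        for child, par in parent.items():
            if par == rec:
                grant(child, user, "Read", "ImplicitChild")
    return table


def has_access(table, user, record):
    """The real-time check is one lookup; no hierarchy is traversed."""
    return table.get((record, user), ("None", "NoGrant"))


if __name__ == "__main__":
    for key, val in sorted(compute_access().items()):
        print(key, val)
```

Running the model shows each grant type side by side: carol has Acc1 as Owner, eve has Read on Acc2 through GroupMembership(Manual) because she sits in the East_Reps sub-group, bob and alice have ReadWrite on everything below them through Inherited(Owner), and eve picks up Read on Acc1 through ImplicitParent because she owns the child contact Con1. In a real org the closest equivalents are the per-object share tables (for example AccountShare, whose RowCause field records the sharing reason) and the UserRecordAccess object, which exposes the precomputed result for a given user and record.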




3 comments:

  1. I appreciate your efforts because it conveys the message of what you are trying to say. It's a great skill to make even a person who doesn't know about the subject able to understand it. Your blogs are understandable and also elaborately described. I hope to read more and more interesting articles from your blog. All the best.
    Dandruff Shampoo

  2. Cool stuff you have got, and you keep all of us updated. patronato genova

  3. I like that you decided to write all the information so briefly. I believe that nobody wants to read long articles. Am I right?
