Geoff Davenport 1

Roles interacting with groups and Queues?

I'm having a hard time understanding how groups and queues impact sharing.

I'm attempting to implement a role hierarchy that restricts access to cases.  Here is what I have done so far:
  1. Set org-wide sharing for Cases to private (access is granted using hierarchies by default)
  2. Created a hierarchy, but placed all users at the bottom level (BottomRole).  BottomRole is set with "Users in this role cannot access cases that they do not own that are associated with accounts that they do own"
  3. I have created zero Case Sharing Rules
I was expecting this to lock things down so that users could only view cases they own.  Instead, users (with profile access to cases) can see and edit all cases, independent of ownership.

Now, we've been using Salesforce for many years without using Roles.  We have numerous groups and queues set up for various purposes.  I suspect this is at play, but can't find an explanation (that I understand) of the interplay between groups, queues, and roles.  

I've done some testing.  I created a brand new User (User5), and a brand new Profile (TestProfile) to eliminate any quirks related to an existing user's permissions.  I have figured out a few things:
  1. We have a pre-existing group named EmployeesGroup.  This is to separate paid staff from volunteers, interns, etc.  When I place User5, with TestProfile and BottomRole, into EmployeesGroup, User5 can see all cases, regardless of ownership.  When I take User5 out of EmployeesGroup, the cases are no longer visible.
  2. Changing the Profile doesn't impact record-level visibility.  Whether I use TestProfile, or any of the other profiles that have case access, nothing changes.  
  3. When I leave User5 in EmployeesGroup, but remove our SystemAdministrator (me) from EmployeesGroup, 50% of the cases disappear.  
  • I don't see any correlation with case ownership, though.  About 75% of our cases are owned by Queues.  The number of visible cases in each queue shrank dramatically.  And, all the cases owned by SystemAdministrator disappeared, which would be expected.
  • I don't see any correlation with the User who created the case.
  • I don't see any correlation with the User who owns the Account of the primary Contact on the case.
So this appears to have something to do with group membership.  But I have no idea how or why.  I have not turned on any Case Sharing Rules that would share across EmployeesGroup.  What else could cause this?  I'm completely stuck.