Ram Shiva Kumar

OWD VS PROFILES

Hi,

I have set the OWD to Public Read/Write and the profile is read only. I have a sharing rule (with read/write) in which user A wants to share that record with another user B (in the same profile). Here my doubt is whether the second user can edit the records or not.

1) And my second question is: does the profile override the OWD?

 
Best Answer chosen by Ram Shiva Kumar
Medhya Mahajan
Hi Ram, 

OWD - Controls Record Access.
Sharing Rule - Controls Record Level Access.
Profile - Object Level Access

According to your first question, no, the user cannot edit the records of the other user (the sharing rule will not be created; it will give an error that the profile is read only). However, they can see each other's records.

See Link : http://salesforce.stackexchange.com/questions/60656/profile-permissions-v-s-org-wide-defaults

Coming to your second question :

Profile works on the object and OWD on the record (they are two different things).
It won't be a good idea to say that the profile overrides OWD. But yes, profile-level permissions have a high preference, hence the profile permission will stand.

Consider a case where
OWD - Private
Profile - Read /Write
In this case the users will not be able to edit each other's records due to OWD being private.

However, in your scenario, due to profile access being Read Only, users cannot edit each other's data.

Mark as solved if it helps.

Regards
Medhya Mahajan
 

All Answers

Ram Shiva Kumar
Hi Medhya,

Thanks a lot. And I have one more: so sharing rules should obey the profile permissions?
I mean, if the profile is read only, then the sharing rule should also be read-only access? Even if I try to create it, will I get the error?

And for View All/Modify All in the profile, can I create the sharing rule without error? (even though it is overridden by the profile)
Medhya Mahajan
Ram, 

Yes you won't be able to create a sharing rule with Read/write access if your profile is Read Only. Also, if your profile is read only, your sharing rule will give read only access only.


For your second question :
Consider a scenario :

OWD - Public ReadWrite
Profile - View All/ Modify All

In this case you would not need a sharing rule in the first place. Since your OWD ensures that you can edit other person's record.

Scenario 2:

OWD - Private
Profile - View All/ Modify All

Here you would need a sharing rule since OWD is private.

Remember the following :
  • Profile is OBJECT LEVEL.
  • OWD is RECORD LEVEL and so is Sharing Rule. So, first you will see if the person has the access to the object ( Profile ) and then you will go on to see if they can access the record of that object (OWD or Sharing Rule).
  • OWD is used to restrict the level of access for each record of a particular object.
  • Sharing rules are used to open up access to the records in case your OWD is restrictive (Private, Read Only).
Regards
Medhya Mahajan

 
Ram Shiva Kumar
Hi Medhya,

In the above, as per your second scenario, OWD is private and the profile is 'Modify All'. Then how will the sharing rules be applicable here, since sharing rules will be overridden by the profile's Modify All?

And if the OWD is private and the profile level is Modify All, then what is the need for the OWD (private), since the total data (records) in the particular object is under the Modify All option? So we can modify all the records of all the users without use of the OWD?

1) And if the OWD is private and the profile is read only, in this case even the owner of the record can't create the record (no sharing rules here)?

Regards,
siva. 


 
Siva Anand 19
Shiva,

Let me answer your question. This is a topic on which everybody gets confused or mixed up. No wonder you have these questions.

So here is your answer in a simple way..
Each user in your org has a profile associated with it that determines the access they have to an object. If OWD is not defined, this would be the maximum access that a user can get on all the records of the object.

Now comes the restrictive part.
Roles are used to control the access that profiles have given to all the users on an object. Roles act based on ownership.

Scenario 1
If you have, let's say, CRED on Account through the profile and there is no OWD defined, every user of this profile has Public Read/Write without any issue. When you define an OWD, the restriction comes into the picture.
Let's say OWD is Read Only. In this case the owner of the record will have full permissions but all others have read only, though their profile mentions Public Read/Write.
The case owner can extend the record access to others using sharing rules (manual or criteria based). This extends up to the profile permission,
i.e. the case owner can give Public Read/Write to the other users, as the upper limit (profile permission) is Public Read/Write.

Scenario 2
Profile is set to CR, i.e. Create and Read, and Role is set to private.
In this case none of the users except the owner have permissions on the object, though the profile gives CR to the users.
In this case the case owner can extend, using sharing rules, to Create, Read, Edit or Delete for other users, but as the other users have only CR, they cannot do Edit or Delete, i.e. the profile defines the upper limit up to which permissions can be given.

Scenario 3
Role has Public Read/Write and profile has CRED.
In this case, as the lower limit (role) and upper limit (profile) both have similar access, there is no need for any sharing as everybody has access.

Scenario 4
Profile is Read Only and OWD public read/write
Guess what happens. If OWD is not defined, everybody has read-only access to Account. The owner has full permissions.
If the owner wants to give Public Read/Write permissions to other users by sharing rules, he can give them, but the profile doesn't allow them, as the profile has only Read Only permission and they cannot do anything more than reading Account.

Hope this clarifies
Alberto







 
Siva Anand 19
Here, when I say owner, I mean record owner.
Siva Anand 19
BTW Medhya answers are bang on target.. Cheers
raj_sfdcc
Hi ,
Find the below link to understand complete Step by Step Object Level Access Vs Record Level Access in Salesforce

Object Level Access Vs Record Level Access (https://salessforcehacks.blogspot.com/2020/01/object-level-access-vs-record-level.html)
Deepanshu Bhardwaj
Hi Ram Shiva Kumar & all,

If OWD is private and the profile is "Modify All", then firstly you will have access to all records and can modify (read, edit, delete, sharing), except create if it is unchecked in the profiles section.
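
The two-layer check discussed in this thread (object permissions from the profile, then record access from OWD and sharing, with Modify All bypassing sharing), as an added Python model that is not Salesforce code and not from any poster. It is simplified by assumption: role hierarchy, permission sets and delete access are left out, and all names are illustrative.

```python
from dataclasses import dataclass, field

# Illustrative model only (assumption): record access levels, least to most permissive.
NONE, READ, EDIT = 0, 1, 2
OWD_LEVEL = {"Private": NONE, "Public Read Only": READ, "Public Read/Write": EDIT}

@dataclass
class ObjectPerms:
    """Object-level permissions a profile grants on one object."""
    read: bool = False
    edit: bool = False
    view_all: bool = False
    modify_all: bool = False

@dataclass
class Record:
    owner: str
    # user -> READ or EDIT, granted by sharing rules or manual shares
    shares: dict = field(default_factory=dict)

def effective_access(user, perms, owd, record):
    """Return NONE, READ or EDIT for `user` on `record`."""
    # Modify All bypasses the sharing model (OWD and sharing rules) for this object.
    if perms.modify_all:
        return EDIT
    # Record level: the owner has full access; others get the wider of OWD and any share.
    if user == record.owner:
        record_level = EDIT
    else:
        record_level = max(OWD_LEVEL[owd], record.shares.get(user, NONE))
    # View All grants read on every record regardless of sharing.
    if perms.view_all:
        record_level = max(record_level, READ)
    # Object level: the profile is the ceiling; sharing can never exceed it.
    ceiling = EDIT if perms.edit else READ if perms.read else NONE
    return min(record_level, ceiling)

if __name__ == "__main__":
    # Constructed scenario from the original question: user A owns, user B is shared EDIT.
    rec = Record(owner="A", shares={"B": EDIT})
    read_only = ObjectPerms(read=True)
    names = {NONE: "none", READ: "read", EDIT: "edit"}
    print("OWD Public Read/Write, read-only profile:",
          names[effective_access("B", read_only, "Public Read/Write", rec)])
    print("OWD Private, Modify All profile:",
          names[effective_access("B", ObjectPerms(modify_all=True), "Private", Record("A"))])
```
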