What is OWD in Salesforce
Once users have got access to the Organization and the Objects, it is important to set a baseline level of visibility for each object across the entire organization. The Organization-wide Default or OWD in Salesforce decides what access and permissions users have to the records they do not own. OWD cannot extend the Access user has in their Profile.
Different Access given in OWD
There are mainly four levels of Access which can be set under OWD:
- Public Read/Write/Transfer ( available only for Leads and Cases)
- Public Read/Write
- Public Read/Only
Let us Understand each of the Access in detail with the below example:
Public Read/Write/Transfer: User can View, Edit or change the ownership of the records which they do not own. This access is available only for cases and Leads object. In the above example, users can see, edit and even transfer the ownership of Lead records.
Public Read/Write: Users can view or Edit the records which they do not own but the cannot transfer the ownership. In the above example, users can see and Edit all records of Account and Contracts but they cannot change the ownership.
Public Read Only: Users can view all the records of an object but they cannot edit or change the ownership. According to the above example, User can see contact records which they do not own but cannot modify it.
Private: This is the most restrictive settings where user cannot see records which they do not own. As per the above example, users cannot view or modify any opportunity which they do not own.
Is OWD Required for your Org?
OWD is a way you can provide Record Level Security in the Org. Now is it really necessary to set an OWD for your Org? You can understand this by two important questions.
- Will the user See records which he/she does not own?
- Will the user Edit records which he/she does not own?
Set OWD for your Org
- Go to Setup, use the Quick Find box and enter Sharing Settings.
- Click Edit in the Organization-Wide Defaults to make any changes.
- To remove access using role hierarchies, uncheck Grant Access Using Hierarchies for any custom object that does not have default access of Controlled by Parent.
- Once You save the changes, It takes some time to recalculate the rules for all records and it depends on the amount of data present in the Org.
OWD Scenarios in Salesforce
To understand how OWD works along with Profile it is very important to remember that profile permissions decide the baseline access users have to All Records. Organization-wide defaults then further restrict the permission on records which the user does not own.
Let us take Contact object as an example and understand this in detail with different Scenarios:
|Baseline Object level Access||Records You do not Own|
|CRED||Private||1. User can Create record and Edit and delete record which he/she owns|
|CR||Private||1. Users can Create a new Record.|
2. Users can only see records which they own and on those records users will not have edit or delete permissions.
|CRED||Public Read||1. Users can Create records and Can view all records, even records they do not own.|
2. However Edit and Delete button on contacts which user does not own will cause insufficient privilege error because OWD is Public Read Only.
3. User can edit and delete contact which they own
|No Access||Public Read||1. User cannot see any contact record in the Org|
2. OWD cannot give users more access than they have through their object permissions
|CRED||Public Read/Write||1. User will be able to create new contacts|
2. User will be able to view all contacts in the Org
3. User will have Edit and Delete option on all contacts
|CR||Public Read/Write||1. User will be able to create new contacts|
2. Edit and delete button will not be available on any contact records.
3. OWD cannot give users more access than they have through their object permissions
You can check object level Permissions from Profiles. Below is the Standard and Custom Object Permissions given to System Administrator in my Dev Org.
Limitations of OWD in Salesforce:
There are some object for which you cannot change the Organization-Wide Default:
- Service contracts will always be Private.
- User provisioning requests will always be Private.
- The ability to view or edit a document, report, or dashboard depends on users access to the folder in which it’s stored.
- Users can view forecasts only of users and territories under them in the forecast hierarchy, unless forecast sharing is enabled.
- Organization-wide default of a custom object is set to Controller by Parent if the custom object is on the detail side of a master-detail relationship with standard object. OWD in this case is not editable.
- The Organization-wide default cannot be changed from Private to Public for any custom object if the Apex code in using sharing details related to the object. (This can be done using with sharing keyword). For Instance, If Apex code makes use of user and groups with sharing access on a custom object Obj1__c, you cannot change the Organization-wide default of the object Obj1__c from private to Public.
OWD in Salesforce Interview Questions
We have covered all the aspects of OWD above, Now let us see some of the important interview questions related to OWD.
Answers to all these questions are present in the tutorial above so go through the tutorial once and you can answer each of these questions yourself.
- What is Organization wide Default in Salesforce?
- What are the Different Types of Access provided in OWD?
- Explain how OWD and profile works together
- For Which Object You can set Public Read/Write/Transfer Access?
- Give Few Examples where OWD can be used
- How to configure OWD for an Org?
If you are preparing for Interviews, You must check: