This was a request I got a while ago, but I thought it was worth talking about and highlighting a few important considerations.
The focus of the project was on collaboration so the customer did not want to make anything private, but wanted to make records visible to everyone. As needs progressed, we got a request to be able to lock down specific accounts, but keep the rest open.
This isn’t as hard as it sounds; you just need to take a few steps to get it working:
- Set Accounts to Private under security settings
- Create a “Lockdown” checkbox field on the Account record
- Create a criteria-based sharing rule that opens the Accounts up to everyone when the Lockdown field is unchecked
And you are done. Even though it sounds like exception based sharing, it’s a lot simpler than it sounds. Here’s what the sharing rule would look like:
When we did this, we also flagged that something like this could go “hog wild”, with users being able to do this whenever they wanted. To limit things, we put a few settings in place:
1. Only the Owner or a System Administrator could lock the Account with a validation rule:
AND(
  ISCHANGED( Lockdown__c ),
  Lockdown__c = TRUE,
  /* Placeholder: substitute your org's System Administrator profile ID */
  $User.ProfileId <> "<ID for System Administrator>",
  $User.Id <> Owner.Id
)
2. A Workflow Email to the owner’s manager whenever the Lockdown__c field is changed. This was done by setting a custom email field on the Account, via workflow, with the email of the owner’s manager.
Caveats to this:
We forgot about one key item when we did this – Implicit Sharing
I encourage everyone who uses private sharing to understand this really well, but basically, if you can see an Opportunity, you can see the Account of that same Opportunity, and there is nothing you can do about it. We had made Opportunities Public Read Only as well. This meant that we could write all the rules we wanted, but everyone was still able to see the Account because they could see the Opportunity.
As a result we wrote a very basic trigger to populate the same Lockdown field on Opportunities whenever it was checked on Accounts. We wrote a similar lockdown sharing rule, and we were able to solve the problem.
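The trigger described above could look like the following. This is an added example, not the original project's code: it assumes the Opportunity checkbox also has the API name Lockdown__c, the trigger names are hypothetical, and it goes beyond the text by mirroring unlocks as well as locks and by stamping Opportunities that are created or re-parented after the Account was locked.

```apex
// File 1: AccountLockdownSync.trigger (hypothetical name)
trigger AccountLockdownSync on Account (after update) {
    // Collect accounts whose Lockdown__c value actually changed in this transaction.
    Map<Id, Boolean> changed = new Map<Id, Boolean>();
    for (Account acc : Trigger.new) {
        Account oldAcc = Trigger.oldMap.get(acc.Id);
        if (acc.Lockdown__c != oldAcc.Lockdown__c) {
            changed.put(acc.Id, acc.Lockdown__c);
        }
    }
    if (changed.isEmpty()) {
        return;
    }
    // One query and one DML statement for the whole batch (bulk-safe).
    List<Opportunity> toUpdate = new List<Opportunity>();
    for (Opportunity opp : [SELECT Id, AccountId, Lockdown__c
                            FROM Opportunity
                            WHERE AccountId IN :changed.keySet()]) {
        Boolean locked = changed.get(opp.AccountId);
        if (opp.Lockdown__c != locked) {
            opp.Lockdown__c = locked;
            toUpdate.add(opp);
        }
    }
    update toUpdate;
}

// File 2: OpportunityLockdownInherit.trigger (hypothetical name)
trigger OpportunityLockdownInherit on Opportunity (before insert, before update) {
    Set<Id> accountIds = new Set<Id>();
    for (Opportunity opp : Trigger.new) {
        if (opp.AccountId != null) {
            accountIds.add(opp.AccountId);
        }
    }
    Map<Id, Account> accounts = new Map<Id, Account>(
        [SELECT Id, Lockdown__c FROM Account WHERE Id IN :accountIds]);
    for (Opportunity opp : Trigger.new) {
        Account parent = accounts.get(opp.AccountId);
        // The parent's flag always wins, so an Opportunity cannot be opened
        // up on its own while its Account is locked.
        opp.Lockdown__c = (parent != null) && parent.Lockdown__c;
    }
}
```

Without the second trigger, an Opportunity added to an already locked Account would stay visible under the open sharing rule and expose the Account again through implicit sharing. An Account with more child Opportunities than the per-transaction DML row limit allows would need the sync moved into a batch job.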
Implicit sharing is not to be ignored. Forget about it and it’s only a matter of time before you get burned by it once you get into a complex, enterprise-level security model.
The other caveats are really just business and training based. People like to make things private, and over-value the importance of their own secure data. If everything is private you lose a lot of collaboration and end up with big data quality problems. Try to keep things shared as much as possible, but keep it within the guidelines that the company is used to. If people in Asia never deal with any of the customers in North America, then hide them from each other. Not for security, but for noise reduction. Don’t make people wade through items they don’t care about.