This simple example shows how access to certain data can be controlled by a group and sharing rules.
Let us assume we have a sales team as shown in Figure: Example Sales Team 1. The Sales Manager is the supervisor of Person 1 and Person 2, who are members of the group “Team A”.
Let us also assume we would like to have the following rules for Leads implemented:
- Person 1 and Person 2 have the permission to create Leads that are owned by Person 1 or Person 2 or both
- If a Lead is owned by a single Person the other Person will have no access privileges to this Lead
- The Sales Manager has all access privileges to all Leads
In order to implement these rules, we have to implement the following setup:
At Default Organization Sharing Access we set the Global Access Privileges for “Leads” to Private:
As a result, users cannot access other users' Leads.
Create one common profile for Person 1, Person 2 and the Sales Manager: We need only one profile, called “Sales”, that should include all CRUD privileges for Leads.
Create two roles:
We need one role for the Sales Manager and one subordinate role for Person 1 and Person 2. Both roles are based on the “Sales” profile. Since the role of the Sales Manager is superior to the role of Person 1 and Person 2, the Sales Manager has all CRUD privileges.
Create one group of users:
This group is called “Team A” with the members Person 1 and Person 2. Now, if Person 1 or Person 2 creates a Lead, they can assign the owner of this Lead. If “Team A” is assigned as the owner of the Lead, Person 1, Person 2 and the Sales Manager can access the Lead. When the ownership is changed to any one member of the group (Person 1 or Person 2), then only that member and the Sales Manager can access the Lead.
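
The access decision this setup produces can be checked with a small model. The following is an added example, not the CRM's own code: it models only record visibility under the Private default (all users share the “Sales” profile, so CRUD privileges are not modelled), and the role name "Sales Person", the user "Person 3" and the lead titles are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Role:
    name: str
    parent: Optional["Role"] = None          # the superior role, if any

    def is_superior_to(self, other: "Role") -> bool:
        node = other.parent
        while node is not None:               # walk up from the other role
            if node == self:
                return True
            node = node.parent
        return False

@dataclass(frozen=True)
class User:
    name: str
    role: Role

@dataclass(frozen=True)
class Group:
    name: str
    members: frozenset

@dataclass(frozen=True)
class Lead:
    title: str
    owner: Union[User, Group]

def can_access(user: User, lead: Lead) -> bool:
    """Private default: owner, owning-group member, or superior role only."""
    owners = lead.owner.members if isinstance(lead.owner, Group) else {lead.owner}
    return user in owners or any(user.role.is_superior_to(o.role) for o in owners)

def access_matrix(users, leads):
    return {l.title: sorted(u.name for u in users if can_access(u, l)) for l in leads}

# Constructed sample data mirroring the setup above.
MANAGER_ROLE = Role("Sales Manager")
REP_ROLE = Role("Sales Person", parent=MANAGER_ROLE)   # hypothetical role name
MANAGER = User("Sales Manager", MANAGER_ROLE)
P1, P2 = User("Person 1", REP_ROLE), User("Person 2", REP_ROLE)
P3 = User("Person 3", REP_ROLE)   # hypothetical user with the same role, outside Team A
TEAM_A = Group("Team A", frozenset({P1, P2}))
LEADS = [Lead("lead-p1", P1), Lead("lead-p2", P2), Lead("lead-team", TEAM_A)]

if __name__ == "__main__":
    for title, names in access_matrix([MANAGER, P1, P2, P3], LEADS).items():
        print(f"{title}: {names}")
```

Person 3 shows that sharing a role with the owner grants nothing under the Private default; only ownership, group membership or a superior role does.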