This example shows how access to certain data can be controlled by groups with sharing rules.

Let us assume we have a sales team as shown in Figure: Example Sales Team 2. The Sales Manager is the supervisor of Persons 1 and 2, who are organized in Team A, and of Persons 3 and 4, who are organized in Team B. We also have a Sales assistant who supports the sales teams.


Let us also assume we would like to have the following rules for Leads implemented:

  • Persons 1-4 have permission to create Leads that are owned by any person or by Team A or B.

  • Persons 1-4 have Read/Write privileges to Leads regardless of who owns them.

  • The Sales assistant has Read/Write privileges to Leads of Team A.

  • Members of “Team A” have no CRUD privileges to Accounts and Contacts owned by “Team B” and vice versa.

  • The Sales Manager has all access privileges to all Leads, Accounts, and Contacts.

In order to implement these rules we set the following privileges:

Under Default Organization Sharing Access, we set the Global Access Privileges for “Accounts & Contacts” and “Leads” to Private.

As a result, users cannot access other users' Accounts, Contacts or Leads. Access to related potentials, tickets, quotes, sales orders, purchase orders, and invoices is also set to private.

Create one common profile for all Persons and the Sales manager: 

We need only one profile, called “Sales”, which should include all CRUD privileges.

Create three roles: 

We need one role for the Sales Manager, one for the Sales assistant and one subordinate role for all Persons. All roles are based on the “Sales” profile.

Create three groups of users: 

We create a group called “Team A” with the members Person 1 and Person 2 and a group called “Team B” with the members Person 3 and Person 4. We create a group called “Assistant” with the user Sales assistant as the only member. 

As described in Section: Custom Access Privileges, sharing rules cannot be specified to share data between users. Since we would like to use sharing rules for the Sales assistant, we have to create an additional group with only one member.


Set Custom Access Privileges for Leads: 

From Group “Team A” to Group “Team B” we set the access privilege with Read/Write permission. From Group “Team B” to Group “Team A” we set the access privilege with Read/Write permission. From Group “Assistant” to Group “Team A” we set the access privilege with Read permission.

Now, if any person creates a Lead they can assign the owner of this Lead. Regardless of the owner, all Persons and the Sales manager have Read/Write permissions to a Lead. The Sales assistant has Read permissions to the Leads from “Team A”. However, there are no shared Accounts or Contacts between the two groups or between members of groups.
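The configuration above can be checked as a small access model. The following Python sketch is an added example, not code from the CRM or this manual. It covers only records owned by one of the two teams. The function names, the evaluation order, and the reading of "from X to Y" as "members of X receive the permission on records owned by Y" are assumptions.

```python
# Simplified model of the configuration described above (assumed semantics,
# not the CRM's own code). Record owners here are the teams themselves.
NONE, READ, READ_WRITE = 0, 1, 2

GROUPS = {
    "Team A": {"Person 1", "Person 2"},
    "Team B": {"Person 3", "Person 4"},
    "Assistant": {"Sales assistant"},
}
MANAGER = "Sales Manager"  # the text gives this user access to everything

# Custom Access Privileges as listed: (module, from group, to group, permission).
# Assumption: members of the "from" group receive the permission on records
# owned by the "to" group, which matches the outcome the text states.
SHARING_RULES = [
    ("Leads", "Team A", "Team B", READ_WRITE),
    ("Leads", "Team B", "Team A", READ_WRITE),
    ("Leads", "Assistant", "Team A", READ),
]

def effective_access(user, module, owner_group):
    """Return the highest permission `user` holds on a record of `module`
    owned by `owner_group`; the Private default means NONE unless granted."""
    # Assumption: members of the owning group can access group-owned records.
    if user == MANAGER or user in GROUPS[owner_group]:
        return READ_WRITE
    granted = NONE
    for rule_module, from_group, to_group, perm in SHARING_RULES:
        if (rule_module == module and to_group == owner_group
                and user in GROUPS[from_group]):
            granted = max(granted, perm)
    return granted

def access_matrix(module):
    """Map (user, owner_group) -> permission for every user and both teams."""
    users = sorted(set().union(*GROUPS.values()) | {MANAGER})
    return {(u, g): effective_access(u, module, g)
            for u in users for g in ("Team A", "Team B")}

if __name__ == "__main__":
    names = {NONE: "none", READ: "Read", READ_WRITE: "Read/Write"}
    for module in ("Leads", "Accounts & Contacts"):
        for (user, group), perm in access_matrix(module).items():
            print(f"{module:20} {user:16} -> {group}: {names[perm]}")
```

Running it prints the effective permission of each user on Leads and on Accounts & Contacts owned by each team, so unintended grants show up before the rules are entered in the CRM.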
