【Preface】: This post records all of the RLS (record-level security) related exceptions I have run into at work, so that the official guide can be read more precisely.
It also summarizes the technical points of sharing for reference (listed in reverse order).
7. 【The 21 ways of sharing records in Salesforce】:
6. 【How a Profile affects RLS through its OLS settings】:
Types: CRED + View All (view every record in the org, ignoring sharing) + Modify All (RED on every record in the org)
a. CRED on owned records.
b. CRED on records owned by others, but subject to sharing.
Reading of b: suppose a user's Profile grants CRED but the OWD is Private. The user then has CRED on their own records, while CRED on other users' records must respect sharing; a Private OWD means access to others' records is restricted, so the user cannot CRED other users' records.
5. 【The iron rule for setting the OWD access level】:
Step 1: find the user who needs the least access;
Step 2: assign the access level that matches that user's required access.
Example: user A must not see other users' records; user B needs read/write on other users' Lead records.
Result: follow user A's access and set the OWD to Private.
4. 【Matrix of a user's RLS under the interaction of OWD and Profile】:
Note on Delete: if the OWD is Public Read Write and the Profile is CRED, the user still cannot delete other users' records; to delete others' records, the only declarative option is to check Modify All on that user's Profile.
| OWD | Profile | Result (R/E only; C/D not considered) |
|---|---|---|
| Private | CRED | My records: Read / Edit |
| Private | CR | My records: Read |
| Private | - | No access |
| Public Read Only | CRED | My records: Read / Edit; Other records: Read |
| Public Read Only | CR | My records: Read; Other records: Read |
| Public Read Only | - | No access |
| Public Read Write | CRED | My records: Read / Edit; Other records: Read / Edit |
| Public Read Write | R | My records: Read; Other records: Read |
| Public Read Write | - | No access |
| Public Read Only | R | My records: Read; Other records: Read |
| Public Read Only | CRED / View All | My records: Read / Edit; Other records: Read |
| Public Read Write | CRED / View All | Read / Edit all records |
| Private | CRED / View All | My records: Read / Edit; Other records: Read |
| Public Read Write | CR / View All | My records: Read; Other records: Read |
| Public Read Only | CR / View All | My records: Read; Other records: Read |
| Public Read Only | Modify All | Read / Edit all records |
| Public Read Write | Modify All | Read / Edit all records |
| Private | Modify All | Read / Edit all records |
3. 【RLS permission precedence】:
a. Profile > Sharing Rule: Profile A's Lead permission is Read. A Sharing Rule shares Lead1, which user u of that Profile otherwise cannot access, with u as Read/Write; u then has read-only access to Lead1 and cannot edit it.
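The matrix in item 4 and the Profile > Sharing Rule precedence in item 3 can be checked mechanically. The following is an added example of my own (not code from the original post and not Salesforce's own logic); the OWD and sharing-level labels and the function name are assumed for illustration.

```python
# Added example: a model of the OWD x Profile x Sharing interaction described
# on this page. Illustration only, not Salesforce code; names are assumed.
from typing import Optional, Set

# Access the org-wide default (OWD) alone grants on OTHER users' records
OWD_LEVEL = {
    "Private": set(),
    "Public Read Only": {"read"},
    "Public Read/Write": {"read", "edit"},
}

# Access added to one record by a sharing rule or manual share
SHARE_LEVEL = {
    None: set(),
    "Read Only": {"read"},
    "Read/Write": {"read", "edit"},
}

# Profile object permissions as letters C R E D; Create is irrelevant to RLS
PROFILE_OP = {"R": "read", "E": "edit", "D": "delete"}


def effective_access(owd: str, profile: str, is_owner: bool,
                     shared: Optional[str] = None,
                     view_all: bool = False,
                     modify_all: bool = False) -> Set[str]:
    """Return the subset of {"read", "edit", "delete"} a user gets on a record.

    Rules encoded from the page:
      * Modify All ignores sharing entirely (read/edit/delete on all records).
      * On owned records the Profile's CRED applies directly.
      * On others' records, what sharing grants (OWD, sharing rules, plus
        Read from View All) is capped by the Profile's object permissions,
        so a Read-only Profile never edits even with a Read/Write share.
    """
    if modify_all:
        return {"read", "edit", "delete"}
    profile_ops = {PROFILE_OP[c] for c in profile.upper() if c in PROFILE_OP}
    if is_owner:
        return profile_ops
    granted = set(OWD_LEVEL[owd]) | SHARE_LEVEL[shared]
    if view_all:
        granted.add("read")
    return granted & profile_ops
```

Note that with OWD Public Read/Write and a CRED Profile the function returns read/edit but never delete on others' records, matching the Delete note in item 4.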
2. 【Criteria-based Sharing Rules for Users】: Criteria Based Sharing rules: allow Lookup/formula/dynamic values and user field
Use case: an existing system needs to split a new department off the main Role Hierarchy. To keep users of the two departments from seeing each other, the original users' OWD has to change from Public Read Only to Private, and Sharing Rules are used to restore the original department's user share logic while also meeting the new department's need, namely Read Only among the internal users within each department.
Solution: we have created two Groups, A Internal Users / B Internal Users, and maintain a Department field on the users of new department B, planning to use Department and UserType to achieve Read Only among internal users within a department. Because the share criteria cannot select the standard UserType field, this has to be solved with a custom Text field + Workflow Field Update.
1. 【Campaign Sharing Rule notes】: Share Camps | Sharing Considerations | Camp Mgmt Implementation Guide
Q1. With the Campaign OWD set to Private, a Sharing Rule grants Full Access or R/W, yet the user it is shared with cannot edit the record (no Edit button)?
A1: The user being shared with needs the Marketing User feature license assigned;
To be continued...