Salesforce Record-Level Security is a layered control model that decides who can access which records.

There are three core mechanisms:

| Mechanism | Purpose | Example |
|---|---|---|
| OWD (Organization-Wide Defaults) | Defines the baseline access level for each object (Private / Public Read Only / Public Read/Write). | If OWD = Private, users can only see the records they own. |
| Role Hierarchy | Vertical sharing: users higher in the hierarchy can access records owned by their subordinates. | A sales manager can see all opportunity records owned by the sales reps below them. |
| Sharing Rules | Horizontal sharing: opens records to peers or to specific roles and public groups, based on ownership or on record criteria. | The marketing team can access lead records owned by the sales team. |
In addition, manual sharing and Apex sharing can be used for exceptions.

In one sentence: OWD defines the baseline, the role hierarchy opens access upward, sharing rules extend it sideways, and manual/Apex sharing handles special cases.
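To make the four layers concrete, the following is an added example (not from the original note and not Salesforce's own code): a deliberately simplified model that resolves a user's effective access to a record by taking the highest level granted by any layer. It assumes constructed users, roles and records, and ignores object permissions from profiles and permission sets, which Salesforce also applies.

```python
from dataclasses import dataclass, field

# Access levels in increasing order; effective access is the highest level granted by any layer.
LEVELS = {"None": 0, "Read": 1, "Edit": 2}
# Layer 1: what a non-owner gets from the OWD setting alone.
OWD_BASE = {"Private": "None", "Public Read Only": "Read", "Public Read/Write": "Edit"}

@dataclass
class Record:
    record_id: str
    sobject: str     # e.g. "Opportunity"
    owner: str       # user name

@dataclass
class Org:
    owd: dict                                            # sobject -> OWD setting
    user_role: dict                                      # user -> role name
    parent_role: dict                                    # role -> role directly above it
    sharing_rules: list = field(default_factory=list)    # (sobject, owner_role, shared_to_role, level)
    manual_shares: list = field(default_factory=list)    # (record_id, user, level)

def is_above(org, role, other):
    """True when `role` sits above `other` in the role hierarchy, any number of levels up."""
    r = org.parent_role.get(other)
    while r is not None:
        if r == role:
            return True
        r = org.parent_role.get(r)
    return False

def effective_access(org, user, rec):
    grants = [OWD_BASE[org.owd.get(rec.sobject, "Private")]]      # layer 1: OWD baseline
    if user == rec.owner:
        grants.append("Edit")                                      # the owner always has full access
    owner_role, user_role = org.user_role.get(rec.owner), org.user_role.get(user)
    if user_role and owner_role and is_above(org, user_role, owner_role):
        grants.append("Edit")                                      # layer 2: role hierarchy opens access upward
    for sobj, from_role, to_role, level in org.sharing_rules:
        if sobj == rec.sobject and from_role == owner_role and to_role == user_role:
            grants.append(level)                                   # layer 3: sharing rules extend sideways
    for rid, share_user, level in org.manual_shares:
        if rid == rec.record_id and share_user == user:
            grants.append(level)                                   # layer 4: manual/Apex share for one record
    return max(grants, key=LEVELS.get)

# Constructed sample org: a private Opportunity/Lead model with one sharing rule and one manual share.
ORG = Org(
    owd={"Opportunity": "Private", "Lead": "Private", "Campaign": "Public Read Only"},
    user_role={"alice": "SalesRep", "bob": "SalesManager", "carol": "Marketing", "dave": "SalesRep"},
    parent_role={"SalesRep": "SalesManager", "SalesManager": "CEO", "Marketing": "CEO"},
    sharing_rules=[("Lead", "SalesRep", "Marketing", "Read")],
    manual_shares=[("006A", "carol", "Read")],
)
OPP, LEAD, CAMP = Record("006A", "Opportunity", "alice"), Record("00QB", "Lead", "dave"), Record("701C", "Campaign", "bob")
```

Running `effective_access(ORG, "dave", OPP)` returns "None" because a peer rep gets nothing from a Private OWD, while `effective_access(ORG, "bob", OPP)` returns "Edit" through the role hierarchy.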

| OWD Setting | Access Level | Description |
|---|---|---|
| Private | Most restrictive | Only the record owner and users above them in the role hierarchy can see the record. |
| Public Read Only | Medium | All users can read records, but only owners can edit them. |
| Public Read/Write | Least restrictive | All users can read and edit records. |

✅ Key Concept:
“OWD defines the baseline level of access for each object. It can be Private, Public Read Only, or Public Read/Write depending on business needs.”