Set the org-wide sharing defaults for the user object before opening up access.
Available in: Salesforce Classic and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
User permission needed to set default sharing access: “Manage Sharing”
For user records, you can set the organization-wide sharing default to Private or Public Read Only. The default must be set to Private if there is at least one user who shouldn’t see a record.
Let’s say that your organization has internal users (employees and sales agents) and external users (customers/portal users) under different sales agents or portal accounts, with these requirements:
- Employees can see everyone.
- Sales agents can see employees, other agents, and their own customer user records only.
- Customers can see other customers only if they are under the same agent or portal account.
To meet these requirements, set the default external access to Private, and extend access using sharing rules, manual sharing, or user permissions.
When the feature is first turned on, the default access setting is Private for external users. The default for internal users is Public Read Only. To change the organization-wide defaults for external access to the user object:
- From Setup, enter Sharing Settings in the Quick Find box, then select Sharing Settings.
- Click Edit in the Organization-Wide Defaults area.
- Select the default internal and external access you want to use for user records.
  The default external access must be more restrictive than or equal to the default internal access.
- Click Save.
Users have Read access to those below them in the role hierarchy and full access on their own user record.
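
The scenario's three requirements and the rule that external access cannot be more open than internal access can be written as a check that compares what users can actually open with what they should be able to open. This is an added example, not Salesforce code: the user names, the `OBSERVED` sample data and every function name are constructed for illustration, and customer access to internal users is left unchecked because the scenario does not state it.

```python
from dataclasses import dataclass
from typing import Optional

# The two defaults the page allows for user records, most restrictive first.
LEVELS = ("Private", "Public Read Only")

def valid_defaults(internal: str, external: str) -> bool:
    """External default must be more restrictive than or equal to internal."""
    return LEVELS.index(external) <= LEVELS.index(internal)

@dataclass(frozen=True)
class User:
    name: str
    kind: str                     # "employee", "agent" or "customer"
    agent: Optional[str] = None   # owning agent / portal account, customers only

def expected(viewer: User, target: User) -> Optional[bool]:
    """Scenario requirement: True = must see, False = must not, None = not stated."""
    if viewer == target or viewer.kind == "employee":
        return True
    if viewer.kind == "agent":
        return target.kind != "customer" or target.agent == viewer.name
    if target.kind == "customer":             # customer looking at a customer
        return target.agent == viewer.agent
    return None                               # customer -> internal user: not stated

def audit(users, observed):
    """Compare observed (viewer, target) visibility pairs with the requirements."""
    findings = []
    for v in users:
        for t in users:
            want, got = expected(v, t), (v.name, t.name) in observed
            if want is False and got:
                findings.append(("over-exposed", v.name, t.name))
            elif want is True and not got and v != t:
                findings.append(("missing-access", v.name, t.name))
    return findings

# Constructed sample: one employee, two agents, three customers.
USERS = [User("emma", "employee"), User("al", "agent"), User("bo", "agent"),
         User("c1", "customer", "al"), User("c2", "customer", "al"),
         User("c3", "customer", "bo")]
# Constructed observation of who can open whose user record in a test org.
OBSERVED = {(v.name, t.name) for v in USERS for t in USERS if expected(v, t)}
OBSERVED |= {("c1", "c3")}   # a customer sees another agent's customer
OBSERVED -= {("al", "c2")}   # an agent cannot see one of their own customers
```

An `over-exposed` finding means access is wider than the requirements allow, which points at a default that is not Private or a sharing rule that is too broad; `missing-access` means a sharing rule, manual share or permission still has to be added.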