User Sharing and Visibility Control
To enforce the principle of least privilege, set the User object’s Organization-Wide Sharing Defaults to "Private" and turn on the "Require Permission to View Record Names in Lookup Fields" setting.
Control Name
User Sharing and Visibility
Recommended Configuration
The default external access must be equal to or more restrictive than the default internal access:
Setup > Sharing Settings > Organization-Wide Defaults Edit > Select Default Internal and External Access for user records.
Require permission to view record names in lookup fields:
Setup > Sharing Settings > Organization-Wide Defaults Edit > Require Permission to View Record Names in Lookup Fields.
Control Overview
This control makes sure that users can only view other user details or see the names of records in lookup fields when they have explicit sharing access or the "View All Lookup Record Names" permission, preventing unauthorized data exposure across the platform.
Security Risk If Not Configured
Increased risk of unauthorized access to records and objects. Failure to enforce restrictive Organization-Wide Defaults and lookup record name permissions allows users to view sensitive record names and internal user details they are not authorized to see, leading to unauthorized data discovery and potential harvesting of company information.
Threat Scenarios
Malicious users use the broad Organization-Wide Defaults to identify high-profile accounts or internal experts they shouldn't have access to and then exploit the Lookup Field visibility to map out sensitive project names and their associated stakeholders.
By harvesting this internal intelligence through record names and user profiles, they can export a strategic roadmap of the company’s private operation.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Risk severity depends on the type of users, user population size, number of objects and data within objects.
Higher Risk When
Beyond loose Organization-Wide Defaults (OWD) and lookup visibility, several other misconfigurations can significantly amplify the risk of internal data harvesting and unauthorized access:
- Excessive "View All" and "Modify All" Permissions
- Permissive "View All Users" Permission
- Overly Broad Role Hierarchy
- Misconfigured Experience Cloud Guest Access
- Broad permission sets with lack of governance
Low or No Risk When
This control can be considered low risk when one or more of the following are implemented:
- Restriction Rules: Set up filters that go beyond sharing rules. Create rules that prevent users from seeing specific records even if the OWD or sharing rules would normally allow it.
- Field-Level Security (FLS): Even if a user can see a record name in a lookup, use FLS to hide sensitive data fields (like SSN, Salary, or Private Notes) so that the record effectively becomes an empty shell for them.
- Real-Time Transaction Security (Salesforce Shield): Set a policy that blocks a user from exporting a report or querying via API if they attempt to pull more than a specific number of records (e.g., 500+) in a single session.
- Login IP Ranges & MFA: Restrict logins to known corporate IP addresses (VPN) and enforce Multi-Factor Authentication (MFA) for all users. This prevents a user from accessing the system from an unmanaged personal device.
Business and Integration Considerations
Customers should evaluate the business justification for user records access.
Recommended Remediation
Restrict and manage sharing settings with periodic review, and enforce the "Require Permission to View Record Names in Lookup Fields" setting.
Security Health Review Guidance
Security Health Review evaluates the organization-wide sharing defaults for external users and helps to identify those that are not set to Private so that admins can review them. It also makes sure that record names in lookup fields are restricted by requiring permission, in alignment with zero trust and the principle of least privilege.
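An added example, not Salesforce's own code or part of the original page: a small Python check that evaluates an exported settings snapshot against the recommended configuration above and applies the same external-versus-internal comparison to every object in the snapshot, not only User. The snapshot layout, the key names and the access-level strings are assumptions about how the settings were exported, and the sample data is constructed.

```python
# Added example: audits a constructed snapshot of sharing settings.
# Key names and access-level strings are assumptions about the export format.
# Access levels ordered from most to least restrictive.
LEVELS = ["Private", "Read", "ReadWrite", "ReadWriteTransfer", "FullAccess"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def audit_sharing(snapshot):
    """Return a list of findings; an empty list means the control is met."""
    findings = []
    # Check 1: record names in lookup fields must require permission.
    if snapshot.get("require_permission_for_lookup_names") is not True:
        findings.append("lookup-names: permission requirement is not enabled")
    owd = snapshot.get("owd", {})
    if "User" not in owd:
        findings.append("User: no organization-wide default recorded")
    for obj, access in sorted(owd.items()):
        internal, external = access.get("internal"), access.get("external")
        # Fail closed: a missing or unrecognised level cannot be ranked.
        if internal not in RANK or external not in RANK:
            findings.append(f"{obj}: unrecognised access level "
                            f"(internal={internal!r}, external={external!r})")
            continue
        # Check 2: external must be equal to or more restrictive than internal.
        if RANK[external] > RANK[internal]:
            findings.append(f"{obj}: external '{external}' is less "
                            f"restrictive than internal '{internal}'")
        # Check 3: the User object must be Private for both audiences.
        if obj == "User" and (internal, external) != ("Private", "Private"):
            findings.append(f"User: internal='{internal}', "
                            f"external='{external}', expected 'Private'")
    return findings


# Constructed sample data, not taken from a real org.
WEAK = {
    "require_permission_for_lookup_names": False,
    "owd": {"User": {"internal": "Read", "external": "Read"},
            "Account": {"internal": "Private", "external": "Read"}},
}
HARDENED = {
    "require_permission_for_lookup_names": True,
    "owd": {"User": {"internal": "Private", "external": "Private"},
            "Account": {"internal": "Read", "external": "Private"}},
}

if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sharing(snap) or "no findings")
```

An unrecognised or missing access level is reported as a finding rather than skipped, so an incomplete export cannot pass the check silently.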

