Salesforce Hierarchical Sharing Structure and Record Visibility concepts

In Salesforce, access to data is controlled through a layered, hierarchical sharing structure. Rather than a single setting, record visibility is determined by a combination of six interconnected concepts: Sharing Models (the baseline default access across the org), Profiles (user-level permissions), Roles and Hierarchy (positional access inheritance), Record Types (segmenting records by business use), Page Layouts (controlling which fields are visible on a page), and Field-Level Security (restricting access to individual fields). Together, these layers determine exactly what data a given user can see, edit, or report on at any point in time

Salesforce's sharing structure is based upon the following Salesforce concepts:

Sharing Model :Your Organization's sharing model sets the default access that users have to each other's data. The four sharing models are:

Private
Public Read Only
Public Read / Write
Public Read / Write / Transfer

Private : Only the record owner, and users above that role in the Hierarchy, can view, edit, and report on those records.

Example: If Tom is the owner of an account, and he is assigned to the role of Regional Manager, reporting to Carol (who is in the role of Vice President), then Carol can also view, edit, and report on Tom's accounts.

Public Read Only : All users can view and report on records but not edit them. Only the owner, and users above that role in the hierarchy, can edit those records.

Example: Sara is the owner of an Account called ABC Corp. Sara is also in the role Regional Manager, reporting to Carol, who is in the role of Vice President. Sara and Carol have full read/write access to ABC Corp. Tom (another Regional Director) can also view and report on ABC Corp, but cannot edit it. This is because Tom is at the same level as Sara, not above her in the hierarchy.

Public Read/Write : All users can view, edit, and report on all records.

Example: If Tom is the owner of the Account Trident Inc., all other users can view, edit, and report on the Trident account. However, only Tom can alter the sharing settings or delete the Trident account.

Public Read/Write/Transfer : All Users can view, edit, transfer, and report on all records (Only available for Cases or Leads).

Example: If Alice is the owner of the Account ACME case number 100, all other users can view, edit, transfer ownership, and report on that case. But only Alice can delete or change the sharing on case 100.

Profiles :A profile defines a User's permission to perform different functions within Salesforce. Profiles also control the following:

Which Page Layouts the User sees.
The Field-Level Security access that the User has to view and edit specific fields.
Which tabs the User can view.
Which Record Types are available to the User.
The hours and IP addresses from which the User can log in.
Administrators and Users with the "Manage Users" permission, can create, edit, and delete Profiles.

Roles (User Roles) : Every user must be assigned to a role, or their data will not display in Opportunity reports, Forecast rollups, and other displays based on roles.

All users that require visibility to the entire organization should be assigned the highest level in the hierarchy.
It is not necessary to create individual roles for each title at your company. Rather, you want to define a hierarchy of roles to control access to the information entered by users in lower-level roles.
When you change a user's role, any relevant sharing rules are reevaluated to add or remove access as necessary.

Record Types : If your Organization uses Record Types, edit it to modify which picklist values are visible. You can also set default picklist values based upon the record type for various Business Units, or Record Uses.

Page layouts :This controls which fields appear in the layout, and their orientation on the page.

Field Level Security :Field-Level Security settings let System Administrators restrict the following:

Users
Access to view and edit specific fields on detail and edit pages.
In related lists
List views
Reports
Offline Edition
Search results
Email and mail merge templates
Custom Links
When synchronizing data.

The fields that Users see on detail and edit pages are a combination of Page Layouts and Field-Level Security settings. The most restrictive field access settings of the two always apply.

Example: If a field is required in the Page Layout and 'read-only' in the Field-Level Security settings, the Field-Level Security overrides the Page Layout and the field will be 'read-only' for the User.