Loading

Prepare for Changes to “Role and Subordinates” Group (roleAndSubordinates)

Data pubblicazione: Apr 3, 2026
Descrizione

What is changing?

To prevent unintended access for external site users if you enable digital experiences, Salesforce is securing access to records. The default sharing group available for roles and subordinates before you enable digital experiences is now displayed as Roles and Internal Subordinates instead of Roles and Subordinates. As a result, you must update code and customizations that reference the Roles and Subordinates group to instead reference Roles and Internal Subordinates.

 

Salesforce enforced this change in production orgs in Winter ’26 via the “Enable Secure Roles Behavior and Update Sharing Group References in Production” release update. 

 

Salesforce enforced this change in sandboxes in Summer ’25 via the “Enable Secure Roles Behavior and Update Sharing Group References in Sandboxes” release update. 

 

Note: If you enabled the sandbox version of this release update in your production org using the test run (and you didn’t disable the test run), no further action was required.

 

Risoluzione

What do I need to do?

You must review your code, customizations, and applications for any references to the “roleAndSubordinates” or “RoleAndSubordinates” group, which must be updated to “roleAndSubordinatesInternal” or “RoleAndSubordinatesInternal”. Potentially affected areas include SOQL queries, Apex code, flows, Lightning components, API integrations, Metadata API deployments, and installed applications.

 

See the “How do I identify and fix references that must be updated?”  section of this article for more information.

 

When does this change occur?

This change was enforced in production orgs in Winter ’26 and in sandboxes in Summer ’25. 

 

Salesforce dynamically updates remaining “RoleAndSubordinates” references to “RoleAndSubordinatesInternal” in SOQL and remaining “roleAndSubordinates” references to “roleAndSubordinatesInternal” in Metadata API deployments to minimize issues in case of missed references that still must be fixed. Currently, there is no plan to stop updating these references dynamically (though it was initially communicated that these updates would stop in API version 66.0 (Spring ’26) and later). If Salesforce later decides to stop updating these references, we'll communicate the timing of this change in this knowledge article. It's still recommended to fix references when you’re able to do so.

 

Who is affected?

The release update was enforced in all production orgs created after February 8, 2024 that hadn't enabled digital experiences.

 

The following orgs weren't impacted by the release update, because they already had the Roles and Internal Subordinates group by default:

 

  • Production orgs that have digital experiences enabled and Experience Cloud site users created with external account roles (other than a shared person account role).
  • Production orgs created after February 8, 2024.
  • Production orgs where the “Enable Secure Roles Behavior and Update Sharing Group References in Sandboxes” release update was enabled using the test run.
  • Sandboxes that haven’t been refreshed since the behavior was enabled in Summer ’25.

How do I identify and fix references that must be updated?

Review these potentially affected areas for references that must be updated:

 

  • Apex code
  • API integrations
  • Custom reports
  • Flows
  • Formula fields
  • Global picklists
  • Lightning components
  • SOQL queries
  • Validation rules
  • Visualforce pages
  • Workflow rules

 

Depending on the area, the capitalization of the value will be either roleAndSubordinates or RoleAndSubordinates. 

 

Any reference to roleAndSubordinates or RoleAndSubordinates in other areas can cause potential issues and must be fixed manually, even if not specified in the above list.

 

Depending on the feature and your tool preferences, you can review these features in Setup, query for references using the Developer Console, or use Salesforce CLI or Visual Studio Code to search for references. Update any identified references and make sure to carefully test any updates that you make.

 

Other considerations:

 

  • If you identify issues with installed applications while you test these changes, contact the application developers and instruct them to update the apps.

  • If you deploy Metadata API changes (such as for sharing rules, groups, or queues) between a sandbox org that has the updated role groups and an org that isn’t updated (or vice versa), you can see an error like "sharedTo not allowed:roleAndSubordinates" or "sharedTo not allowed:roleAndSubordinatesInternal". Make sure that the XML files reference the correct role groups available for the org. You can make manual edits after you retrieve your files so that you can later deploy your changes without issue.

 

Reference: Role Sharing Groups in Winter 26

Note: After the release updates are enforced, Salesforce dynamically updates remaining “RoleAndSubordinates” references to “RoleAndSubordinatesInternal” in SOQL and remaining “roleAndSubordinates” references to “roleAndSubordinatesInternal” in Metadata API deployments. If you query the old value, results are returned with the updated “roleAndSubordinatesInternal” or “RoleAndSubordinatesInternal” value.

Group Name

Corresponding Metadata API Field

Corresponding SOAP/REST API Value

Description

Role

(no changes)

role

Role

Users in the role plus users in roles above it in the hierarchy. Available by default.

Roles and Internal Subordinates

roleAndSubordinatesInternal

RoleAndSubordinatesInternal

Users in the specified role plus all of the users in roles below that role, excluding site and portal roles. Available by default in all orgs.

Roles, Internal and Portal Subordinates

roleAndSubordinates

RoleAndSubordinates

Users in the specified role plus all of the users in roles below that role, including site and portal roles. Only available when digital experiences is enabled for your org and Experience Cloud site users are created with external account roles other than a shared person account role.

Roles and Subordinates

roleAndSubordinates

RoleAndSubordinates

Previously used for users in the specified role plus all of the users in roles below that role.

 

Use Roles and Internal Subordinates instead.

Numero articolo Knowledge

002628970

 
Caricamento
Salesforce Help | Article