          Sharing Considerations for Using Account Role Optimization in Experience Cloud Sites


          The combination of role-based sharing and account role optimization (ARO) provides access to records and reports across accounts in Experience Cloud sites. Consider using targeted sharing access when you activate account role optimization. By using ARO and role-based sharing, an account’s records are exposed to other accounts that roll up to the same shared person role.

          Note: Role-based sharing and account role optimization are available for Customer Community Plus and Partner Community licenses.

          Here’s an example of how account role optimization can help manage roles.

          Acme has a high volume of customer and partner Experience Cloud site accounts. Account role optimization helps minimize the number of Experience Cloud site roles. By using account role optimization, multiple site accounts can share a person role.

          Acme has Apex sharing code that shares certain types of records based on roles. Account role optimization combined with role-based sharing exposes these records to site users across multiple accounts in Acme’s org and sites.

          Acme admins and devs review the Apex sharing code, triggers, and workflows. They locate every instance where record access is linked to roles, remove role-based sharing, and write code to target sharing access to specific site users.

          When using account role optimization, adjust your settings to share directly with account users.

          Consideration Recommendation
          Using Apex Sharing Code and Apex Triggers

          Review your existing Apex sharing code, triggers, and workflows, and determine if record access is linked to roles.

          Update your Apex sharing code to target the user instead of a role if an Experience Cloud site user from an account that uses ARO must access specific records. Consider what action to take if a second user is added to the account and a new account role is created.

          Using Record Access on a Role

          If you grant record access by using a role created by ARO, the original user loses access to the record if a second user is added to the account. An Apex trigger or workflow can prevent access loss.

          Recommendation:

          Create an Apex trigger or workflow to allow the site user to retain access to records even if a second site user is added.

          Sharing Records, Folders, or Reports with Experience Cloud Site Accounts

          If you want Experience Cloud site account users to have access to:

          • records
          • folders
          • email folders
          • reports
          • dashboards
          • list views

          Use targeted sharing. If you use sharing rules, don’t target the shared person role. Role-based sharing grants access to all accounts that roll up to the shared person role.

          Recommendations:

          Create a public group and add the site user to that group. Then make the public group the sharing rule’s target.

          Another option is to use manual sharing or Apex-managed sharing to share the object directly with a user.

          Share list views, folders, reports, or dashboards directly with account users instead of using role-based sharing.
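The recommendations above to target the user instead of a role, and to use Apex-managed sharing to share directly with a user, are sketched in this added example, which is not Salesforce's own code. It assumes a hypothetical custom object `Invoice__c` whose external sharing model is private; the class and method names are also hypothetical.

```apex
// Added example. Invoice__c (and its share object Invoice__Share) is a
// hypothetical custom object; class and method names are illustrative.
public with sharing class InvoiceSharing {

    // BEFORE: the share row targets the group behind a role. With ARO that
    // role is the shared person role, so users of every account that rolls
    // up to it can read the invoice, not just the intended account.
    public static void shareWithRole(Id invoiceId, Id roleId) {
        Group roleGroup = [SELECT Id FROM Group
                           WHERE RelatedId = :roleId AND Type = 'Role'
                           LIMIT 1];
        insert buildShare(invoiceId, roleGroup.Id);
    }

    // AFTER: one share row per active site user of the intended account.
    // Re-run this (for example from a trigger or scheduled job) when a
    // second user is added to the account, so that access follows the
    // users rather than whichever role the account currently maps to.
    public static List<Database.SaveResult> shareWithAccountUsers(
            Id invoiceId, Id accountId) {
        List<Invoice__Share> shares = new List<Invoice__Share>();
        for (User u : [SELECT Id FROM User
                       WHERE Contact.AccountId = :accountId
                       AND IsActive = true]) {
            shares.add(buildShare(invoiceId, u.Id));
        }
        // allOrNone = false: a row that fails does not block the others.
        // Inspect the results and log failures.
        return Database.insert(shares, false);
    }

    private static Invoice__Share buildShare(Id parentId, Id userOrGroupId) {
        return new Invoice__Share(
            ParentId = parentId,
            UserOrGroupId = userOrGroupId,
            AccessLevel = 'Read',
            // Manual shares are removed when the record owner changes; a
            // custom Apex sharing reason avoids that on custom objects.
            RowCause = Schema.Invoice__Share.RowCause.Manual
        );
    }
}
```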

          In Salesforce orgs created before February 8, 2024, that enabled digital experiences before the “Enable Secure Roles Behavior and Update Sharing Group References in Production” release update was enforced in Winter ’26, use the Convert External User Access Wizard to reduce the possibility of oversharing data. The wizard converts owner-based or criteria-based sharing rules that include the Roles, Internal, and Portal Subordinates group so that they include the Roles and Internal Subordinates group instead. In all orgs created on February 8, 2024, or later and in all orgs that enabled digital experiences after Winter ’26, access is secure by default. Records shared with the Roles and Internal Subordinates group through sharing rules or other mechanisms remain accessible only to internal users.

          One final note on sharing. For single user accounts, ARO is incompatible with External Account Hierarchies. External Account Hierarchies uses roles to share data from child accounts to parent accounts. ARO uses a single role that’s shared across several accounts.

           