Organization-Wide Default

Organization-Wide default or Organization-Wide sharing settings determine the baseline level of access for all records of an object. Organization-wide defaults can never grant users more access than they have through their object permissions.

Organization-Wide defaults should be most restrictive in record level security because other record-level security implementations only grant additional accesses, they cannot restrict the access of records provided by Organization-Wide defaults.

Organization-Wide defaults can be set to any of the 3 below:

1. Public Read/Write:

All users can view, edit, and report on all records.

2. Public Read-Only:

All users can view and report on records but not edit them. Only the owner, and users above that role in the hierarchy, can edit those records.

3. Private:

Only the record owner, and users above that role in the hierarchy, can view, edit, and report on those records.

To determine the Organization-wide default of an object consider the below diagram:

The data may be too restrictive for some users according to org-wide defaults but it can be opened for users who need it using role-hierarchies, sharing rules, and manual sharing. A sharing recalculation gets started to apply access changes to records whenever an update is made for Organization-Wide Default settings. An email is sent by Salesforce whenever it gets completed or we can see the update on Setup Audit Trail as well.

Let’s move ahead and learn about the Role Hierarchy