I am working with an object called Scope Library. I want users to have read access by default. I want the group Presales to have read, edit and create access on the object.
To give users read-only access I set the org-wide defaults as in this picture below:
To give users in the Presales group edit and create access, I created a sharing rule on the Scope Library object. The criteria is Role and internal subordinates for the CEO role. This is so that everyone at or below the CEO level will be considered in the criteria (i.e. everyone at the company). Then, in the Share with field I select the Presales group. The picture of this sharing rule is below:
Finally, everyone in the Presales group will have the Standard user profile. The object settings for the Scope Library object in this profile are below (the 2nd column is 'object permissions'):
I would expect that when I log in as a user who belongs to the Presales group, I would have edit and create access, but I do not. Does anyone know what I'm missing? Thanks, and if you need any additional info please let me know.
Best Answer
The "CRUD" (Create, Read, Update, and Delete) permissions at the profile level allow users to create, read, update, and delete records at all. Without those permissions, it doesn't matter what sharing says.
As an analogy, imagine a secure building and you have a security badge. Your badge will allow you to enter the building, and certain rooms inside the building.
In this analogy, the badge is a profile, the building is an object, and certain rooms are specific records. If your badge doesn't allow you in the building, it doesn't matter what rooms you have access to. Similarly, if you don't have access to an object permission, it doesn't matter what sharing says you can do with that record.
Make sure you give your users the C, R, and U permissions for the object. Sharing will prevent them from editing records they should not.
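The two layers described in the answer can be inspected separately. The anonymous Apex below is an added example, not part of the original question or answer; the object API name Scope_Library__c, the group DeveloperName Presales and the username are assumptions to replace with the org's real values.

```apex
// Added example for Execute Anonymous. Assumed names: Scope_Library__c (object),
// Presales (group DeveloperName), and the placeholder username below.
String username = 'presales.user@example.com'; // placeholder

User u = [SELECT Id, Profile.Name FROM User WHERE Username = :username LIMIT 1];

// Layer 1: object permissions. A user's PermissionSetAssignment rows cover the
// profile-owned permission set as well as any additional permission sets.
Set<Id> permSetIds = new Set<Id>();
for (PermissionSetAssignment psa : [
        SELECT PermissionSetId FROM PermissionSetAssignment
        WHERE AssigneeId = :u.Id]) {
    permSetIds.add(psa.PermissionSetId);
}
Boolean canCreate = false;
Boolean canRead = false;
Boolean canEdit = false;
for (ObjectPermissions op : [
        SELECT PermissionsCreate, PermissionsRead, PermissionsEdit
        FROM ObjectPermissions
        WHERE SobjectType = 'Scope_Library__c' AND ParentId IN :permSetIds]) {
    canCreate = canCreate || op.PermissionsCreate;
    canRead = canRead || op.PermissionsRead;
    canEdit = canEdit || op.PermissionsEdit;
}

// Layer 2: record sharing. Count the Read/Write rows the sharing rule wrote
// for the Presales group in the object's share table.
Group presales = [SELECT Id FROM Group
                  WHERE DeveloperName = 'Presales' AND Type = 'Regular' LIMIT 1];
Integer ruleShares = [SELECT COUNT() FROM Scope_Library__Share
                      WHERE UserOrGroupId = :presales.Id
                      AND RowCause = 'Rule' AND AccessLevel = 'Edit'];

System.debug('Profile: ' + u.Profile.Name);
System.debug('Object permissions C/R/U: ' + canCreate + '/' + canRead + '/' + canEdit);
System.debug('Records shared Read/Write to Presales by rule: ' + ruleShares);
if (ruleShares > 0 && !canEdit) {
    // The situation in the question: sharing allows edit, the profile does not.
    System.debug('Sharing grants edit, but the object permission is missing.');
}
```

If the last message appears in the debug log, the sharing rule is doing its job and the gap is in the profile or permission set, which is the case the answer describes.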