[Salesforce] Way to share account records to a user without sharing to someone above that user in the role hierarchy

I have an odd sharing requirement. I need almost all accounts to be public read/write for all internal users. A few accounts that are marked as private should only be visible to the owner and a few other specific users (basically a public group).

The issue is that the private accounts and their children should NOT be visible to users above those specific users in the role hierarchy.

Contacts and Opportunities are controlled by parent in this org so anything that hides the information for the account at the field level but leaves record level access would not work.

I was planning to do this by setting OWD for Accounts to Private and creating two criteria-based sharing rules:

1) share out private accounts with those specific users.

2) share out all non-private accounts with all internal users.

The issue is that there's no way to disable the "grant access using role hierarchies" setting for accounts.

Is there any way to do this without having to take those users out of the role hierarchy?

Best Answer

Greg, it sounds more like a misuse of the Role Hierarchy. It is used for sharing objects and reporting; it is not meant to be the company role hierarchy.

It sounds to me like this is a Real Estate company or something similar and the agents do not want to let go of control of their clients, or maybe for non-compete compliance reasons they shouldn't see each other's accounts.

Unfortunately, this is a case where they will not be able to use the Role Hierarchy and you will need to make complex sharing rules or even Apex sharing. This will also affect reporting, as you will not be able to report on 'My Team' anymore. The customer needs to know these complexities and understand the trade-offs.

In some instances there is no getting around this, as there are legal reasons around it like conflict of interest; then the Role Hierarchy needs reviewing to ensure privacy. If it is just a case that agents want to keep their personal clients, I would push to keep it open, as that is the whole point of a CRM.
