Sharing Rules in Salesforce: When and How to Use Them

Sharing Rules in Salesforce let you give users access to records they don’t have access to by default. In this guide, you’ll learn what they are, when to use them and to set them up step by step.

Sharing Rules let you give users extra access to records beyond the default Org-Wide Defaults (OWD). They’re used to help teams work together without the need to change record ownership or roles.

Importantly, Sharing Rules always extend access; they cannot restrict it. This functionality supports Salesforce’s comprehensive security model while encouraging seamless teamwork across different roles and departments.

• Criteria-Based Sharing Rules: extend access to records that match specific field conditions (e.g., Stage, Amount, Status), regardless of who owns them, and share those records with a chosen group.
• Owner-Based Sharing Rules: extend access to all records owned by a specified role, queue, territory, or public group and share them with another group you define.
• Guest User Sharing Rules: a criteria-based subset that grants read-only access to the unauthenticated guest user of an Experience Cloud site, intended only for public, non-sensitive data.

These are common cases where giving extra visibility helps teams work better together. For further details on data security and how it complements Sharing Rules, check our Data Security article.

Prerequisite: Create a Public Group (if needed)

• In setup search for “Public Groups”

• Select “New”
• Enter a Label / Rule Name and (optional) description
• From the Search dropdown, choose Users, Roles, Roles and Subordinates or Public Groups
• Select the members on the left, click “Add” to move them to Selected Members
• Click “Save”

In setup search for Sharing Settings

Click “New” in Sharing Rules section

Enter a clear Label / Rule Name and description (optional).

Select a Rule Type: Owner-Based, Criteria-Based, or Guest User (a criteria variant).

Owner-Based specifics:

• Which records: choose the owning Role, Role & Subordinates, Queue, Territory, or Public Group.

• Share with: pick the target Role, Territory, or Public Group.

• Access: Read Only or Read/Write.

Criteria-Based specifics:

• Which records: build field filters (Field + Operator + Value); add multiple criteria and filter logic if needed.

• Access: Read Only or Read/Write.

Click “Save” and confirm the recalculation prompt; Salesforce updates permissions and emails you when finished.

Sharing Rules only grant additional visibility meaning they cannot restrict existing access. Attempting to use Sharing Rules as a workaround for restricting access leads to mistakenly believing data is protected when it remains accessible, creating risks of unintended data exposure and confusion. For properly restricting access, use OWD/Role Hierarchy/Restriction Rules (record-level), Profiles & Permission Sets (object-level) and Field-Level Security (fields).

Failing to keep Public Groups up to date can cause serious issues in record access. Users who no longer need access may still see sensitive data, while new team members might be blocked from the records they need. This can lead to confusion, stalled processes, or even compliance risks. Regularly reviewing and updating group memberships helps ensure that access stays aligned with current roles and responsibilities.

Too many specific Sharing Rules can slow down your org down. Each rule adds sharing calculations, which hurts performance as your data grows. Additionally, Salesforce has a limit on the number of rules per object, so a common recommendation is to combine similar rules. This also helps keep your setup efficient and manageable.

Guest User Sharing Rules grant record access to unauthenticated users who visit your Experience Cloud Site. If not handled carefully, this can lead to public exposure of internal data. These rules should only be used for non-sensitive objects and limited-use cases. Regular checks help make sure guest users only see what they should.

• Use Public Groups: They’re easier to manage than individual users, especially when teams change or people move roles.
• Maintain Documentation: Record every Sharing Rule clearly in an admin wiki or document repository for easy auditing and troubleshooting. Good documentation saves time and helps your admin team stay on the same page.
• Enter a clear Label / Rule Name. Avoid vague or overly generic names.
  Not OK: Rule1 or Test123 – unclear and hard to maintain later.
  OK: Share_High_Value_Opportunities – clearly describes what the rule does.

• Regular Reviews: Audit and update rules quarterly to keep your sharing model efficient and aligned with organizational changes. Audits help identify outdated rules and ensure rules remain aligned with current business practices.
• Audit Access with XL-Connector: Tools like XL-Connector by Xappex allow quick audits of record access. Export data directly to Excel for easy analysis and visibility checks, helping you quickly identify and resolve potential security issues.

Sharing Rules in Salesforce effectively extend record access beyond your default settings, promoting better collaboration without compromising security. Always carefully select between owner-based and criteria-based rules, maintain clear documentation, and perform regular audits. Tools like XL-Connector significantly make it easier to audit and manage sharing, keeping your salesforce setup simple and secure.