
Hierarchy - single user, not whole role



I need to grant access through hierarchy, but only to one user of the hierarchy above.


Let's say I have the following hierarchy:


-Role1 (User A, B)

---Role2 (User C [whose manager is A], D [whose manager is B])


I want A to access records owned by C, but not by D, and the same with B and D.


How can I do this with standard objects? (Take into account that 'Grant access using hierarchy' is active and cannot be modified.)







For this issue you have to create four different roles for A, B, C and D, and then set A and B on the same level in the role hierarchy.

Then add user C under user A, and user D under user B.


It will work.




Yes, but in the future I would have more than 500 users, and there is a limit on the number of roles.


(Apart from the fact that a role per user is an ugly solution that I discarded a long time ago, as it will not be easy to maintain.)


Thanks, any other idea?


P.S. I have also thought about creating a Custom Object for each Standard Object, that is a solution I have discarded.




Another solution is to create public groups for the users, set the standard object's OWD sharing setting to private, and then use sharing rules to share the records you want to show with users who are in different groups.


If this post solves your problem/issue/question, please mark it as solution.




But then, if I have 500 users, wouldn't I need to create

 - 500 public groups

 - 500 sharing rules / private object



There is a limitation of 300 sharing rules / object.


P.S. I know that I can also create the sharing by inserting into __share through triggers, but I don't like it.


Maybe something with Account Teams? You could perhaps have all of your users in the same role, or maybe have all account owners in one role and managers in a peer role (not above owners in the hierarchy), and then have each account owner create their own default Account Team, adding in just the user(s) they want to be able to have access. That way, each account that's assigned to that user will get the user's default Account Team automatically assigned to it as well.


I have not tested this and I'm not an expert with Account Teams but maybe this will work for you?
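
The share-record approach mentioned earlier in the thread (inserting share rows from a trigger), combined with the peer-role layout suggested in the last reply, as an added example that is not from any poster. It assumes Account OWD is Private, managers do not sit above owners in the role hierarchy, and the standard `User.ManagerId` field holds the "whose manager is" relationship; the trigger name is hypothetical.

```apex
// Added example, not code from the thread.
// Assumption: Account OWD is Private and the manager's role is NOT above the
// owner's role, otherwise the hierarchy already grants access to every owner.
trigger ShareAccountWithOwnersManager on Account (after insert, after update) {
    // Only new accounts or accounts whose owner changed need a share row;
    // the platform deletes manual shares when the owner changes.
    List<Account> changed = new List<Account>();
    Set<Id> ownerIds = new Set<Id>();
    for (Account acc : Trigger.new) {
        if (Trigger.isInsert || acc.OwnerId != Trigger.oldMap.get(acc.Id).OwnerId) {
            changed.add(acc);
            ownerIds.add(acc.OwnerId);
        }
    }
    if (changed.isEmpty()) return;

    // One query for all owners and their managers (bulk-safe).
    Map<Id, User> owners = new Map<Id, User>(
        [SELECT Id, ManagerId, Manager.IsActive FROM User WHERE Id IN :ownerIds]);

    List<AccountShare> shares = new List<AccountShare>();
    for (Account acc : changed) {
        User owner = owners.get(acc.OwnerId);
        // Skip owners without a manager; inactive users cannot receive shares.
        if (owner == null || owner.ManagerId == null || !owner.Manager.IsActive) continue;
        shares.add(new AccountShare(
            AccountId = acc.Id,
            UserOrGroupId = owner.ManagerId,   // only this one user, not the role
            AccountAccessLevel = 'Read',       // least privilege: read-only
            OpportunityAccessLevel = 'None',
            CaseAccessLevel = 'None'));
        // RowCause is left unset: on standard share objects it defaults to Manual.
    }

    // Partial success: one bad row must not block the account save itself.
    List<Database.SaveResult> results = Database.insert(shares, false);
    for (Integer i = 0; i < results.size(); i++) {
        if (!results[i].isSuccess()) {
            System.debug(LoggingLevel.ERROR, 'Share failed for account '
                + shares[i].AccountId + ': ' + results[i].getErrors()[0].getMessage());
        }
    }
}
```

A change to a user's `ManagerId` does not fire this trigger, so existing shares for the previous manager have to be removed and recreated separately. Anyone above the manager in the role hierarchy also inherits the shared access.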