Learn What’s New with Access Control for Winter ’24

Learning Objectives

After completing this unit, you’ll be able to:

View public group members with reports.
Enable faster account sharing recalculation by not storing implicit child share records between accounts and their child case, contact, and opportunity records.
Troubleshoot insufficient access errors with Event Monitoring.
Review guest user object, record, and field access for sites.
Learn who can access records and why.

Important!

In order to maintain your certification, you must complete all five units of this module.

Salesforce Certification

If you hold a Salesforce Architect certification, keep in mind that you need to complete this unit and the other 4 units in this module by the due date to maintain your certification. Another important part of maintaining your certification is ensuring your Trailhead and Webassessor accounts are linked.

Interested in learning more about getting certified? Check out all the Salesforce Architect certifications.

View Public Group Members with Reports

Manage public group membership more easily. Now you can see which users, roles, and other groups have been added to public groups by creating a custom report type. Previously, you clicked in each public group or ran queries to see its members.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

How: From Setup, in the Quick Find box, enter Report Types, and then select Report Types. Select Group Member as the primary object. After you deploy the custom report type, users can select it when building reports.

To improve performance, Salesforce is changing the way that automatic account sharing recalculation works behind the scenes. We no longer store implicit share records between accounts and their child case, contact, and opportunity records.

Why: Not storing these implicit child share records speeds up ownership and sharing rule recalculation for accounts. Org-wide defaults, group membership, role hierarchy, and manual sharing operations can all improve.

Not Storing Case and Contact Implicit Child Shares Is Enforced in Winter ’24

Instead of storing implicit child records between Account records and their child Case and Contact records, the system can query at runtime whether users have access to child Case and Contact records.

Account owners can gain access to Cases and Contacts owned by high-volume Experience Cloud site users, depending on the org’s role hierarchy configuration. SOQL queries or Apex tests that query implicit child CaseShare and ContactShare records no longer return results because Salesforce no longer stores these records.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

Not Storing Opportunity Implicit Child Shares Available in Winter ’24

Implicit child share records are no longer stored between Account records and their child Opportunity records. Instead, the system determines whether users can access child Opportunity records when they try to access them. This release update is available starting in Winter ’24.

When: Salesforce enforces this release update in existing production orgs on a rolling basis beginning in Spring ’24. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab. For production orgs and scratch orgs created in Winter ’24 or later, this behavior is enabled by default. For sandboxes, this behavior is enabled on a rolling basis beginning in Winter ’24.

How: To review this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates. For Enable Faster Account Sharing Recalculation by Not Storing Opportunity Implicit Child Shares, follow the testing steps, and click Apply Update when your org is ready. This release update isn’t visible in sandboxes and production orgs where Salesforce already enabled this behavior. The update also isn’t visible in new production orgs or scratch orgs created in Winter ’24 or later.

SOQL queries or Apex tests that query implicit child OpportunityShare records no longer return results because Salesforce no longer stores these records. For more information, see the knowledge article.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

Troubleshoot Insufficient Access Errors with Event Monitoring

To help you troubleshoot and resolve account, case, contact, and opportunity record access errors, use the new Insufficient Access event type in the EventLogFile object. See when users weren’t able to access or transfer records and the related error messages.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions. This event is available in the API but not in the Event Monitoring Analytics app.

Review Guest User Object, Record, and Field Access for Sites

When you allow public access to your Experience Cloud sites, make sure that unauthenticated guest users are only able to access what you want them to access. Use the Guest User Sharing Rule Access Report page in Setup to quickly see what records are at risk of exposure, so you can quickly adjust access to important data.

Where: This change applies to LWR, Aura, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

How: Review results in the new Guest User Sharing Rule Access Report in Setup, and change record access levels as needed in your guest user sharing rules.

Learn Who Can Access Records and Why

Understanding who can access a record is critical to securing record access in your organization. Check out a record’s sharing hierarchy to view who it’s shared with. You can also see the user’s reason for access and find out if a user’s access is blocked by a restriction rule.

Where: This change applies to Lightning Experience in Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: To see a list of users who have access, click Sharing Hierarchy from the Action Menu on the desired record. To learn more about the user’s access, click View next to the user’s name.

All applicable sharing reasons appear, including the names of owner-based and criteria-based sharing rules.

Closeup view of user John Pineapple’s access, and the Reason for Access reads: Custom Objects Sharing Rule - BankBranchSharePGA.

If a restriction rule blocks access to the record, a message appears to confirm that access is blocked.

Closeup view of user John Pineapple’s access, with Reason for Access blank and Relationship column showing “A restriction rule blocks access to this record.”