Sharing Rules vs Permission Sets in Salesforce: A Complete Guide
Understanding Salesforce’s security model can be challenging, especially when it comes to distinguishing between Sharing Rules and Permission Sets. Both are essential components of Salesforce security, but they serve completely different purposes. In this guide, we’ll break down the differences, provide real-world examples, and help you understand when to use each one.
The Core Difference
Before diving into details, here’s the fundamental distinction:
Sharing Rules control which records users can access (record-level security)
Permission Sets control what actions users can perform (object and field-level security)
Think of it this way: Sharing Rules determine which doors you can open, while Permission Sets determine what you can do once you’re inside the room.
What Are Sharing Rules?
Sharing Rules are used to extend record access beyond your organization’s default settings. They work alongside Organization-Wide Defaults (OWD) and the role hierarchy to grant users access to records they wouldn’t normally see.
Key Characteristics of Sharing Rules:
- Can only grant additional access, never restrict it
- Operate at the record level
- Based on record ownership or field criteria
- Extend access beyond OWD settings
- Answer the question: “Who can see this record?”
Common Use Cases for Sharing Rules:
- Regional Collaboration: Share all accounts in the Western region with the Western sales support team
- Management Visibility: Give managers access to all records owned by their team members
- Cross-Department Access: Allow marketing to view accounts owned by sales
- Priority-Based Sharing: Share all high-priority cases with the escalation team
Real Example: Sales and Marketing Collaboration
Scenario: Your marketing team needs visibility into accounts owned by the sales team to coordinate campaigns, but sales reps should maintain ownership and primary control.
Solution: Create a Sharing Rule that shares all Account records owned by users in the “Sales” role with the “Marketing Team” public group with Read Only access.
Result: Marketing can view account details for campaign planning, but they cannot edit or delete these records.
What Are Permission Sets?
Permission Sets grant users additional permissions beyond what their profile provides. They’re a flexible way to extend access to objects, fields, and system features without creating multiple profiles.
Key Characteristics of Permission Sets:
- Grant additional permissions beyond the user’s profile
- Control object, field, and system-level access
- Define what users can do with data
- Stackable (users can have multiple permission sets)
- Answer the question: “What can this user do?”
Common Use Cases for Permission Sets:
- Feature Access: Grant specific users API access or import capabilities
- Object Permissions: Give accounting team access to custom financial objects
- Field-Level Access: Allow managers to edit fields that are read-only for other users
- App Access: Provide access to custom applications on a user-by-user basis
- System Permissions: Grant abilities like “View Setup and Configuration” or “Manage Users”
Real Example: Lead Import Capability
Scenario: Only certain marketing coordinators should be able to import leads, but all marketing team members have the same profile.
Solution: Create a “Lead Import Access” permission set that includes the “Import Leads” system permission, and assign it only to the marketing coordinators who need this capability.
Result: Marketing coordinators can import leads while other marketing team members cannot, all without creating a separate profile.
Side-by-Side Comparison
| Feature | Sharing Rules | Permission Sets |
|---|---|---|
| Security Level | Record-level | Object/Field/System-level |
| Primary Purpose | Extend record visibility | Extend functional capabilities |
| Can Restrict Access? | No | No |
| Based On | Record owner, criteria | User assignment |
| Works With | OWD, Role Hierarchy | User Profiles |
| Number Per User | Automatic (based on criteria) | Multiple can be assigned |
| Examples | Share cases by region, share accounts by industry | Edit restricted fields, access custom objects, API access |
How They Work Together
Sharing Rules and Permission Sets work together in Salesforce’s layered security model:
Example Scenario: Account Management
Let’s say Sarah is a sales rep who needs to:
- View accounts in her territory (not just her own)
- Edit a custom “Credit Score” field that’s normally read-only
The Solution:
- Sharing Rule: Create a criteria-based sharing rule that shares all accounts where Territory = “Northeast” with the “Northeast Sales Team” public group (Read/Write)
- Permission Set: Assign Sarah a “Credit Score Editor” permission set that grants Edit access to the Credit Score field
The Result:
- Sarah can see and edit accounts in her territory (Sharing Rule provides record access)
- Sarah can edit the Credit Score field on those accounts (Permission Set provides field-level permission)
- Without the Sharing Rule, Sarah couldn’t access the records
- Without the Permission Set, Sarah couldn’t edit that specific field
Best Practices
For Sharing Rules:
- Keep them simple and well-documented
- Use public groups for easier management
- Consider performance impact with large data volumes
- Review regularly to ensure they’re still needed
- Prefer criteria-based rules for dynamic sharing
For Permission Sets:
- Create role-based permission sets (e.g., “Sales Manager Permissions”)
- Use permission set groups to bundle related permissions
- Document what each permission set grants and why
- Regularly audit who has which permission sets
- Consider using permission set licenses for advanced features
When to Use Which?
Use Sharing Rules When You Need To:
- Give a team access to records they don’t own
- Share records based on field values
- Provide cross-departmental visibility
- Extend access beyond the role hierarchy
Use Permission Sets When You Need To:
- Grant additional object or field permissions
- Provide system-level capabilities
- Give access to custom apps
- Allow specific actions (import, export, delete)
- Extend profile permissions without creating new profiles
Common Mistakes to Avoid
- Confusing the Two: Trying to use Sharing Rules to grant edit permissions on fields (use Permission Sets instead)
- Over-Sharing: Creating too many sharing rules that make records too widely accessible
- Profile Proliferation: Creating multiple profiles when permission sets would be more flexible
- Not Testing: Always test security changes in a sandbox first
- Poor Documentation: Not documenting why sharing rules or permission sets exist
Conclusion
Understanding the difference between Sharing Rules and Permission Sets is crucial for implementing effective Salesforce security. Remember:
- Sharing Rules = Which records (record access)
- Permission Sets = What actions (functional permissions)
Both are essential tools in your Salesforce admin toolkit. Sharing Rules open up record visibility, while Permission Sets unlock functional capabilities. Used together strategically, they provide the precise level of access your users need to do their jobs effectively while maintaining data security.
The key is to start with restrictive defaults (via OWD and Profiles) and then carefully extend access using these tools only where necessary. This approach, known as the principle of least privilege, ensures your Salesforce org remains secure while empowering your users.
What’s your experience with Sharing Rules and Permission Sets? Share your questions or tips in the comments below!
