Enable Access Group Security for Custom Objects

You can use access groups to provide resources with access to custom object data. To do this, you must first enable access group security for each custom object.

To enable access group security for custom objects, complete these steps:

  1. Navigate to Application Composer and confirm that you're in an active sandbox.

  2. Navigate to the Security node of the custom object that you want to enable access group security for.

  3. On the Define Policies page, select the Enable Access Group Security check box.

    Caution:

    You can't disable access group security once enabled, but you can disable specific groups or rules on the Access Groups page in the Sales and Service Access Management work area.

  4. Next, enable that custom object for access group object sharing rules. To do this, navigate to the Access Groups page in the Sales and Service Access Management work area.

  5. Click the Object Rules tab.
  6. On the Object Sharing Rules page, select the Synchronize Custom Objects and Fields item from the Actions menu. The custom object and its attributes are now available when defining object sharing rules for access groups.

  7. In Application Composer, set functional security for required roles.

    Navigate to the custom object's Security node, and configure functional security in the Roles section of the Define Policies page. This step isn't related to access group security (data security), but it's a required step so that the right roles can see the custom object's user interface pages (functional security).

After you enable access group security for a custom object, you work with it just like a standard object. Create your object sharing rules for access groups, and all group members are given access to that custom object's data according to the rules.

Tip:

When configuring data security, you can optionally configure owner security instead of access group security. With owner security, for example, you can provide create and read access to all users, update access to the record's owner and owner management chain, and delete access to only the owner. You configure owner security in the Roles section of the Define Policies page.

If you configure both owner and access group security, then your users will see data from both their owner management chain as well as from access groups that they're members of.