Considerations in Deciding When to Use Access Groups

You can extend a user's visibility to sales object data in a number of ways:

  • By creating custom data security policies, assigning the custom policies to custom roles, and then assigning the custom roles to users.

  • By using Territory Management to set up territories and to assign users to territories, then using Assignment Manager to assign territories to object records.

  • By creating access groups and assigning users to those groups.

So which factors should you consider when deciding which option to choose? This topic provides you with some guidelines.

Custom Data Security Policies

In situations where you can use either access groups or custom data security policies to provide users with data permissions, use access groups for these reasons:

  • Access groups provide better performance than custom data security policies.

  • You can search for records assigned to users through their access group membership in Workspace. Records assigned to users through custom data security policies can't be searched in Workspace.

  • Access groups are easier to manage.

Access Groups

Access groups work together with the existing access mechanisms to allow you to provide access to users based on parameters that aren't provided by the standard access framework, such as the user's context (country or sales region, for example), the user's resource organization or business unit, or some other attribute.

You can also use access groups to assign access based on custom attributes. For example, you can assign all users in a specific business unit to a group and then grant that group read permissions to opportunities.

Territory Management

You can use Territory Management to manage users' visibility to data. However, Territory Management isn't a security access mechanism. It's a way of assigning sales representatives to sales territories to enable optimal sales coverage. Territory Management configures access primarily to facilitate the selling process, defining boundaries using hierarchical attributes such as products, geographies, and industry.

Use territory management functionality to extend visibility to data in these scenarios:

  • If you want to use forecasting or quota management functionality.

  • If the territory hierarchy and territory-based reporting and roll-ups differ from the reporting resource hierarchy.

  • If you want to provide users with access based on hierarchical attributes and named accounts.

If you want to provide users with access using a standard mechanism, such as territory or management hierarchy, then use Territory Management. Otherwise, use access groups.

Note: After you've implemented Territory Management, you can optionally use access groups to manage your territories. You can define custom rules for the Sales Territory or Sales Territory Proposal objects and assign them to custom access groups to specify who can manage the territory or territory proposal. For example, you can create rules for country-specific administrator access groups that allow the group members to view all territories in their country but not edit or delete the territories.