Overview of Object Sharing Rules

Object sharing rules provide access groups with access to an object's records. There are three types of object sharing rules:

• Object sharing rules

  Standard object sharing rules specify the type of object access to be provided, the conditions under which the access is provided, and the access groups to share the rule with.

• Hybrid object sharing rules

  A hybrid rule is an object sharing rule that combines a predefined rule condition with one or more custom rule conditions. Use hybrid rules to restrict the access provided by a predefined condition.

  You can enable or disable the creation of hybrid rules using a profile option. For information, see Enable Hybrid Object Sharing Rules.

• Access extension rules

  These rules extend the object sharing rules defined for one object to a related object. You can use both predefined and custom object relationships in an access extension rule.

For information about creating and editing each type of rule, see the relevant topics in this chapter.

There are also two categories of object sharing rules:

• Custom rules you create to configure data access for members of access groups. You can create these types of rules:

  • Standard object sharing rules
  • Hybrid object sharing rules
  • Access extension rules

  You must manually assign these rules to relevant access groups, and the rules are active by default.

• Predefined rules created by Oracle. These can be either standard object sharing rules or access extension rules.

  One or more predefined rules are assigned to each system access group that's generated for a predefined job role. These rules provide the same access to data for supported objects as the job role provides.

  On the Object Sharing Rules page, the Predefined column is checked if a rule is predefined. If the predefined rule is assigned to a system access group as part of the default security configuration, it also has a Lock icon to indicate that you can't change the association between the rule and the group, or the level of access provided by the rule to the group.

  For additional information, see System Groups and Predefined Rules.

Comparison of the Predefined and Custom Object Sharing Rules

There are a few differences between the object sharing rules you create and the predefined rules that Oracle provides. There are also differences in what you can do when a predefined rule is associated with a system group as part of the default security configuration and when it isn't. Some of the similarities and differences between the object sharing rules you create and the predefined rules are outlined in this table:

Custom Rules	Predefined Rules	Predefined Rules Associated to a System Group
You can create, edit, and delete the rule.	Oracle creates the rule. You can edit the rule.	You can only enable or disable the rule for the group.
Rule is active by default.	Rule is active by default.	Rule is active by default.
You can create one or more conditions for the rule.	Rule has one predefined condition which you can't change.	Rule has one predefined condition which you can't change.
You can't create rule conditions that provide either of these types of access: Access to all of an object's records Field-level access to object records, such as access to Personally Identifiable Information (PII) for the Contact object	Predefined rules with conditions that provide global and field-level access to object data are provided.	Predefined rules with conditions that provide global and field-level access to object data are available.
You can assign the rule to system access groups and custom access groups.	You can assign the rule to system access groups and custom access groups. Note: Predefined rules that provide global or field-level access to object data are an exception. You can't assign these rules to custom access groups.	NA
You can change the access level provided by the rule for different custom or system groups.	You can change the access level provided by the rule for a custom access group. If a rule is predefined but doesn't have the Lock icon, you can also change the access level provided by the rule to a system group.	Can't change the access level provided by a predefined rule for a system access group.