🏠 Home 🔒 Record Sharing ⚙ Apex Triggers 🔍 SOQL 💻 LWC 🔗 Integration 🤖 Flows & Automation 🤖 Agentforce & AI 🎈 Agentforce Course — Free ☁ Data Cloud 🎓 DC Course — Free 🚀 DevOps Course — Free 💵 CPQ 🎯 100 Scenario Questions 🏆 150 Advanced Questions 📧 Marketing Cloud 🎤 Mock Interview Community 🏗️ Company Wise 👥 About Us Start Learning Free →
Home Record Sharing

Top 30 Salesforce Record Sharing & Visibility Interview Questions 2026 — OWD, Role Hierarchy, Sharing Rules, FLS & Apex Sharing Explained

📅  Record Sharing
Salesforce Record Sharing Interview Questions — OWD, Role Hierarchy, Sharing Rules Explained
🔐 Record Sharing

Salesforce Record Sharing Interview Questions — OWD, Role Hierarchy, Sharing Rules Explained

FLS, Apex Sharing, Manual Sharing, Dynamic Dashboards & More — Real Scenarios Explained for Interviews

Intermediate Advanced 26 Questions
Questions Index
1Restrict Sensitive Fields from Sales Reps 2Share Data Between Two Salesforce Orgs 3Managers See Only Direct Reportees' Data 4Same Profile & Role — Restrict A's Records from B 5User A Sees B's Data But B Can't See A's — Why? 6Multiple Business Units — Each BU Sees Own Data 7Same Profile, Different Record Access — Why? 8User A Can't Access Record That User B Can 9Same Profile & Role — One Can See Report, Other Can't 10Custom Fields — Different FLS Per Department 11Case OWD Private — Make All Cases Visible Without Changing OWD 12Manager Must NOT See Employee Feedback 13OWD = Public Read/Write, Profile = Read Only, User is Owner — Can They Edit? 14Parent OWD = Public Read Only — Can Child Have Read/Write? 15Contact OWD Private — Users Can't See Each Other's Records 16Different Page Layouts for Same Profile Users 17No Record Type Access — Can User Still See Records? 18Owner Changes — Who Still Has Access? 19Sales Exec Left — Give New Rep Access to Old Records 20WITHOUT SHARING + No FLS — Fetches Restricted Fields? 21WITH SHARING + No FLS — Fetches Restricted Fields? 22What is Apex Sharing Reason (RowCause)? 23Manual Sharing vs Apex Defined Sharing Reason 24What Happens When You Delete Apex Sharing Reason? 25Senior Manager & Manager = Read, Team Lead & Member = CRUD Setup 26What is CRUD? With Delete Access Can User Delete Others' Records?
Q
Question 01 · 🟠 Intermediate
You have a team of sales representatives who need access to customer data but want to restrict access to sensitive fields like credit card numbers. How would you accomplish this?
✅ Answer
Use a Layered Security Approach — FLS on Profile is the primary tool, combined with Shield Encryption for compliance and Apex FLS checks for programmatic enforcement! 🔐
📌 Layer-by-Layer Approach
1️⃣ Field-Level Security (FLS) — First Step
  • 🔧Setup → Object Manager → [Object] → Fields → Set Field-Level Security
  • Set sensitive field to Hidden on Sales Rep profile
  • Automatically hides it from page layouts, list views, reports, and API responses
2️⃣ Profiles & Permission Sets
  • Sales Rep Profile = minimal baseline access
  • Use Permission Sets to grant access selectively to authorized users only
  • Follow Principle of Least Privilege
3️⃣ Data Masking — Partial Visibility
  • Store masked value in a formula field: ****-****-****-1234
  • Hide real field via FLS, show only masked formula field to reps
4️⃣ Salesforce Shield — Compliance
  • 🔒Use Platform Encryption to encrypt fields at rest
  • 🔒Even if FLS bypassed via API, encrypted data remains unreadable
  • 🔒Required for PCI-DSS compliance
5️⃣ Enforce FLS in Apex
Schema.DescribeFieldResult dfr = Account.CreditCardNumber__c.getDescribe(); if (dfr.isAccessible()) { // safe to read }
📋 Summary Table
LayerToolPurpose
Field HidingFLS on ProfileBlock field entirely
ComplianceShield EncryptionEncrypt at rest
Partial ViewMasked Formula FieldShow last 4 digits safely
ProgrammaticApex FLS checkEnforce in custom code
🎤 One-Line Answer for Interview
"FLS on the Sales Rep profile is the primary tool — set the field to Hidden which auto-blocks it from layouts, reports and API. For compliance-grade security add Shield Encryption. In Apex, always enforce FLS using isAccessible() or WITH SECURITY_ENFORCED."
Q
Question 02 · 🔴 Advanced
Your company acquired another company that uses a different Salesforce org. How do you share data between the two orgs while maintaining security?
✅ Answer
Two main paths: Keep both orgs + integrate (recommended first) or full org migration (long-term). Integration first is the practical approach! 🔗
1️⃣ Salesforce-to-Salesforce (S2S) — Native
  • 🔧Setup → Salesforce to Salesforce → Enable
  • Org A publishes records → Org B subscribes
  • You choose which objects and fields to publish — sensitive fields simply not published
  • Limitation: Standard objects only, limited customization
2️⃣ Connected App + REST API — Enterprise
  • Create Connected App in both orgs with OAuth 2.0
  • Use Named Credentials to store endpoint and tokens securely
  • Write Apex Callouts to push/pull data
HttpRequest req = new HttpRequest(); req.setEndpoint('callout:OrgB_Credential/services/data/v59.0/sobjects/Account/'); req.setMethod('POST'); req.setHeader('Content-Type', 'application/json'); req.setBody('{"Name":"Acme Corp"}'); Http http = new Http(); HttpResponse res = http.send(req);
3️⃣ Platform Events / Change Data Capture (CDC)
  • Enable CDC on required objects in Org A
  • Org B subscribes via Apex Triggers on Change Events
  • Only publish events for non-sensitive fields
4️⃣ Salesforce Connect (External Objects)
  • Surface Org B data in Org A as External Objects using OData
  • Data stays in Org B — no replication, read-only cross-org visibility
📋 Security Layers
Security LayerControl
AuthenticationOAuth 2.0 with least-privilege scopes
Field FilteringNever include sensitive fields in payloads
Integration UserDedicated user with minimum field access
AuditEvent Monitoring + Shield in both orgs
🎤 One-Line Answer for Interview
"Use S2S for quick native sharing on standard objects. For complex logic, build Connected App + Named Credential + Apex Callout. The integration user in each org must have bare minimum permissions — interviewers always ask this follow-up."
Q
Question 03 · 🟠 Intermediate
You have a large sales team. Sales managers should only see data for the sales representatives that report directly to them. How would you accomplish this?
✅ Answer
Core Solution: OWD Private + Role Hierarchy — the most classic sharing setup in Salesforce! 🏗️
📋 Step-by-Step Setup
  • 1️⃣Set OWD to Private on Opportunity, Lead, Account
  • 2️⃣Build Role Hierarchy matching your org chart
  • 3️⃣Assign users to correct roles
  • 4️⃣Use Dynamic Dashboards so each manager sees only their team's data
VP Sales └── Regional Manager (East) └── Sales Rep A └── Sales Rep B └── Regional Manager (West) └── Sales Rep C └── Sales Rep D
✅❌ What Role Hierarchy Controls
  • East Manager sees Rep A and Rep B records
  • East Manager CANNOT see West Manager's reps — cross-branch always blocked
  • Same level = no sideways access ever
Security Evaluation Order: OWD → Role Hierarchy → Sharing Rules → Manual → Apex
🎤 One-Line Answer for Interview
"Set OWD to Private, build role hierarchy matching org chart, assign users to roles. Hierarchy opens access upward automatically — managers see reps below them, cross-branch access is always blocked. Enable 'Grant Access Using Hierarchies' checkbox on objects."
Q
Question 04 · 🟠 Intermediate
We have 2 users A and B with the same profile and same role. How can we restrict records of A from B and vice versa?
✅ Answer
Set OWD to Private — Role Hierarchy only opens access UPWARD, never sideways. Two users in the same role cannot see each other's records! 🔒
📌 Key Insight
Setup → Sharing Settings → [Object] → Default Internal Access = Private
✅❌ With OWD = Private
  • A owns Record 1 → only A sees it
  • B owns Record 2 → only B sees it
  • Neither can see the other's records — by design
🔑 Key Points for Interviewer
  • 🔥Sharing Rules work at Role/Group level — same role = opens access to BOTH, not restricts. OWD Private is the correct solution
  • 💡If OWD cannot be Private → use Apex Managed Sharing with granular control
  • 💡Ensure correct user owns each record — OWD Private relies on ownership
ScenarioSolution
OWD = PrivateRecords auto-restricted by ownership ✅
OWD = Public Read OnlyCannot restrict sideways — redesign OWD
Selective sharing neededApex Managed Sharing
🎤 One-Line Answer for Interview
"Set OWD to Private — role hierarchy only opens access upward, not sideways. Two users in the same role cannot see each other's records with Private OWD. This is the key concept interviewers test here."
Q
Question 05 · 🟢 Basic
User A can see User B's data but User B cannot see User A's data. Both are in the same org. What are the possible reasons?
✅ Answer
Most likely User A is higher than User B in the Role Hierarchy — hierarchy opens access upward only, so A sees B's records but not vice versa! 📊
User A (Manager Role) ← sees more records └── User B (Rep Role) ← sees fewer records A is ABOVE B → A sees B's records ✅ B is BELOW A → B cannot see A's records ❌ Hierarchy is UPWARD ONLY
📋 All Possible Reasons
ReasonHow It Happens
Role HierarchyA's role is above B's — most common answer 🔥
Manual SharingB's records were manually shared with A only
Sharing RuleRule shares B's role records with A but no reverse rule exists
Public GroupA is in a group with access to B's records, B is not
Record OwnershipA owns some of B's records (transferred ownership)
Apex SharingApex programmatically shared B's records with A only
🎤 One-Line Answer for Interview
"Most likely A is higher than B in the Role Hierarchy — hierarchy opens access upward only, so A sees B's records but B cannot see A's. This is the #1 answer interviewers expect."
Q
Question 06 · 🔴 Advanced
Your company has multiple business units. Each BU should only access their own data. However, certain users need access to all data across all BUs. How would you accomplish this?
✅ Answer
OWD Private + Separate Role Branch per BU blocks cross-BU access. For users needing ALL data — place them at top of hierarchy or assign 'View All Data' Permission Set! 🏢
📋 Step-by-Step Setup
CEO └── BU A Head → BU A Manager → BU A Reps └── BU B Head → BU B Manager → BU B Reps └── BU C Head → BU C Manager → BU C Reps
📋 For Users Who Need ALL Data
OptionHowBest For
Highest RolePlace at CEO role — sees all branchesSimple, no code
View All DataPermission Set with "View All Data"Quick but powerful ⚠️
Apex SharingCustom logic with Permission Set checkGranular control
🔑 Key Points for Interviewer
  • 🔥Cross-branch is always blocked — BU A cannot see BU B even at same level
  • ⚠️View All Data is very powerful — flag it as last resort, always
  • 💡Public Groups per BU helps manage sharing rules cleanly
🎤 One-Line Answer for Interview
"OWD Private + separate role branch per BU blocks cross-BU access. For cross-unit users: place them at top of hierarchy OR assign 'View All Data' Permission Set — but always flag View All Data as last resort since it's very powerful."
Q
Question 07 · 🟠 Intermediate
Two users have the same profile in Salesforce, but one has access to more records than the other. What could be the reason?
✅ Answer
Profile controls object/field access — NOT record access. Same profile users can absolutely have different record access! 🎯
📋 All Possible Reasons
ReasonHow It Gives Extra Access
Different RoleHigher role in hierarchy = sees more records below
Manual SharingRecords explicitly shared with one user only
Public GroupOne user in a group with sharing rule access
Permission SetOne has "View All" or "View All Data" permission
Record OwnershipOwns more records → sees more with Private OWD
Apex SharingTrigger/Batch programmatically shared with one user
Territory ManagementAssigned to more territories = more record access
Account/Opp TeamOne user added as Team Member on records
🎤 One-Line Answer for Interview
"Profile controls object and field access, not record access. Record access is controlled by OWD, Role Hierarchy, Sharing Rules, Permission Sets, Teams, and Apex Sharing — all of which can differ between two users even on the same profile."
Q
Question 08 · 🟠 Intermediate
User A cannot access a record that User B can. Both have the same profile and same role hierarchy. What could be causing this?
✅ Answer
Same profile + same role eliminates the standard reasons — dig deeper into record-level differences like ownership, manual sharing, or team membership! 🔍
📋 Where to Check
ReasonWhere to Check
Record OwnershipRecord detail → Owner field
Manual SharingRecord → Sharing button → see access list
Public Group MembershipSetup → Public Groups → Members
Permission SetSetup → Users → User A → Permission Set Assignments
Account/Opp TeamRecord → Team related list
Apex SharingQuery AccountShare / OpportunityShare object
TerritorySetup → Territory → User assignment
Queue OwnershipRecord Owner = Queue — check queue members
🔧 How to Diagnose via Apex
List<UserRecordAccess> access = [ SELECT RecordId, HasReadAccess, HasEditAccess FROM UserRecordAccess WHERE UserId = :userAId AND RecordId = :recordId ];
🎤 One-Line Answer for Interview
"Same profile and same role eliminates object access and hierarchy. The difference is at record level — check ownership, manual sharing, public group membership, permission sets, or team membership between the two users."
Q
Question 09 · 🟠 Intermediate
Two users have same profile and same role hierarchy but one can access a specific report and the other cannot. What could be causing this?
✅ Answer
Reports have their own access model via Report Folders — Profile and Role have ZERO effect on report access! 📁
📋 Reasons for Different Report Access
ReasonWhere to Check
Report Folder Not SharedReport Folder → Share Settings — #1 reason 🔥
Public Group MembershipFolder shared with a group, one user not in it
Permission Set"Manage Reports" or "View All Data" on one user only
Report in Personal FolderPersonal folders are private — only owner can see
Run Reports PermissionCheck if missing from User A's profile/permission set
📋 Report Folder Access Levels
LevelWhat User Can Do
ViewerCan run the report only
EditorCan run and edit the report
ManagerCan run, edit, delete, and manage folder
🎤 One-Line Answer for Interview
"Report access is controlled by Report Folder sharing — not profile or role. User A likely doesn't have access to the folder containing the report, either directly or via a Public Group. Always lead with this answer in interviews."
Q
Question 10 · 🔴 Advanced
A company has custom fields used by multiple departments. Some departments need view+edit access, others should not see those fields at all. How do you set up FLS?
✅ Answer
Profile = Most Restrictive (baseline), Permission Sets = Additive (grant per department) — this is Salesforce best practice for multi-department FLS! 🔐
📋 Step-by-Step Setup
  • 1️⃣Set Baseline on Profile — Mark all sensitive fields as Hidden on all profiles by default
  • 2️⃣Create Permission Sets Per Department — Grant access selectively
  • 3️⃣Permission Set Groups (Advanced) — Bundle multiple Permission Sets per department
Permission Set: Finance_Field_Access → Custom Field A: Visible + Editable → Custom Field B: Visible + Read Only Permission Set: HR_Field_Access → Custom Field C: Visible + Editable → Custom Field A: Hidden Permission Set: Sales_Field_Access → Custom Field B: Visible + Read Only
📋 Practical Example
FieldFinanceHRSales
Salary__cView + EditView OnlyHidden
Budget__cView + EditHiddenView Only
Commission__cView OnlyHiddenView + Edit
🔑 Key Points for Interviewer
  • 🔥Page Layout alone is NOT enough — users can still see fields via API or List Views. Always use FLS + Page Layout together
  • 💡Mention Permission Set Groups for advanced knowledge — bundles multiple sets
  • 💡Follow Principle of Least Privilege — restrictive base, additive permissions
🎤 One-Line Answer for Interview
"Set most restrictive FLS on base profile, then use Permission Sets to open access per department — this is the Salesforce best practice of least privilege with additive permissions. Mention Permission Set Groups for advanced knowledge."
Q
Question 11 · 🔴 Advanced
Case object has OWD set to Private. All cases should be visible to everyone — top to bottom, bottom to top, horizontal, and cross-functional — without changing OWD. How is this possible?
✅ Answer
Assign a Permission Set with 'View All' on Case object to all users — this bypasses OWD, role hierarchy, and sharing rules entirely without changing OWD! 🎯
📋 Three Options
SolutionOWD Changes?Recommended?
View All Permission SetNo✅ Best
Criteria Sharing + All Internal UsersNo✅ Good Alternative
View All DataNo⚠️ Last Resort
📋 View All vs Modify All
PermissionWhat It Does
View AllSee ALL records regardless of OWD, Role, Sharing
Modify AllSee + Edit + Delete ALL records
🔑 Key Points for Interviewer
  • 🔥Option 1 (Best): Permission Set → View All on Case → Assign to ALL users → OWD remains Private
  • 💡Option 2: Criteria-Based Sharing Rule → All Cases → All Internal Users group
  • ⚠️Option 3: View All Data is org-wide — too powerful, flag as last resort
🎤 One-Line Answer for Interview
"Assign a Permission Set with 'View All' on the Case object to all users — this bypasses OWD, role hierarchy, and sharing rules entirely without changing OWD. Mention Criteria-Based Sharing Rule with All Internal Users as an alternative."
Q
Question 12 · 🔴 Advanced
Users submit feedback about their managers. Managers must NOT see feedback about themselves. Only the person at the highest level (CEO) should see all feedback. How do you configure this?
✅ Answer
OWD Private + Uncheck "Grant Access Using Hierarchies" on the custom Feedback object — this breaks upward visibility for managers! 🚫
📋 Step-by-Step Setup
// Step 1 — OWD to Private Setup → Sharing Settings → Feedback__c → Default Internal Access = Private // Step 2 — KEY STEP: Uncheck Grant Access Using Hierarchies Setup → Sharing Settings → Feedback__c → Uncheck "Grant Access Using Hierarchies"
📋 Grant Access Using Hierarchies — What It Does
SettingBehaviour
Enabled (default)Manager automatically sees subordinate's records
Disabled ✅Manager CANNOT see subordinate's records
📋 CEO Access — Two Options
  • Option A (Simplest) — Permission Set with View All on Feedback__c → Assign ONLY to CEO
  • Option B (Apex) — Trigger shares every Feedback record with CEO user programmatically
trigger FeedbackSharingTrigger on Feedback__c (after insert) { User ceo = [SELECT Id FROM User WHERE UserRole.Name = 'CEO' LIMIT 1]; List<Feedback__Share> shares = new List<Feedback__Share>(); for (Feedback__c fb : Trigger.new) { Feedback__Share s = new Feedback__Share(); s.ParentId = fb.Id; s.UserOrGroupId = ceo.Id; s.AccessLevel = 'Read'; s.RowCause = Schema.Feedback__Share.RowCause.Manual; shares.add(s); } insert shares; }
🔑 Key Points for Interviewer
  • 🔥"Grant Access Using Hierarchies" — this is the #1 answer interviewers want. Unchecking it breaks upward access
  • 🔥This setting is ONLY available on Custom Objects — always mention this!
  • 💡Standard objects like Account, Opportunity always have hierarchy access — cannot be turned off
🎤 One-Line Answer for Interview
"Set OWD to Private + uncheck 'Grant Access Using Hierarchies' on the custom Feedback object — this blocks managers from seeing upward. Then assign 'View All' Permission Set exclusively to CEO. This setting is only available on Custom Objects — always mention this!"
Q
Question 13 · 🟠 Intermediate
Same Object has OWD set to Public Read/Write and Profile has Read Only setting. The user is the owner of the record. Can they read and edit the record?
✅ Answer
✅ Can READ — Yes    ❌ Can EDIT — No. Profile is evaluated FIRST — if it says Read Only, edit is blocked at the very first gate! 🚦
📋 Two Independent Layers
LayerSettingResult
OWDPublic Read/Write (Default)All users can see all records
ProfileRead OnlyUser can NEVER edit any record
OwnershipUser is OwnerGives visibility — NOT edit rights
Security Evaluation Order: Profile (CRUD) → FLS → OWD → Role Hierarchy → Sharing Rules → Ownership Profile is evaluated FIRST — if it says Read Only, edit is blocked at the very first gate ❌
🔑 Key Points for Interviewer
  • 🔥Being the record owner does NOT grant edit access if Profile restricts it
  • 💡OWD and Ownership control record visibility — Profile controls operations
  • 💡Profile = Read Only → no edit anywhere on that object, regardless of ownership
🎤 One-Line Answer for Interview
"Profile controls object-level CRUD. If profile is Read Only, the user cannot edit any record regardless of OWD or ownership — profile is always evaluated first in Salesforce's security chain."
Q
Question 14 · 🔴 Advanced
There are two objects: Contact (parent, OWD = Public Read Only) and College (child). Is it possible to give Read/Write OWD to the child object? (Very Tricky!)
✅ Answer
IT DEPENDS on the Relationship Type! Master-Detail = ❌ NOT possible. Lookup = ✅ Possible! 🔗
📋 Scenario 1 — Master-Detail ❌
Contact (Parent) OWD = Public Read Only ↓ (Master-Detail) College (Child) OWD = Controlled by Parent ↓ College = Public Read Only automatically ❌ Cannot give Read/Write via OWD!
📋 Scenario 2 — Lookup Relationship ✅
Contact (Parent) OWD = Public Read Only ↓ (Lookup — loose coupling) College (Child) OWD = Public Read/Write ✅ ↓ College = Read/Write independently!
FactorMaster-DetailLookup
Child OWDControlled by ParentIndependent
Can set Read/Write on Child?❌ No✅ Yes
OWD in SetupGrayed OutConfigurable
Parent deletionChild deleted tooChild remains
🎤 One-Line Answer for Interview
"It depends on relationship type. In Master-Detail, child OWD is 'Controlled by Parent' and is grayed out — cannot be changed. In Lookup, child has independent OWD and can be set to Public Read/Write regardless of parent's OWD."
Q
Question 15 · 🟢 Basic
Contact OWD = Private. Users A and B have different profiles but both have Read access on Contact. A can't see B's records and B can't see A's records. What is the problem?
✅ Answer
This is NOT a problem — it's Expected Behaviour! Profile gives object-level Read access. OWD Private controls WHICH records — only their own! 🎯
Profile gives READ access ↓ Opens the DOOR to Contact object ↓ OWD = Private controls WHICH records inside ↓ A can only see A's records ✅ B can only see B's records ✅ Neither can see each other's records ✅ — by design!
📋 If Mutual Access IS Required
SolutionHow
Change OWDSet to Public Read Only — everyone sees all
Sharing RulesShare records of Role A with User B and vice versa
Public GroupAdd A and B to same group + create sharing rule
Manual SharingEach manually shares their records with the other
🎤 One-Line Answer for Interview
"This is expected behavior, not a problem. Profile gives object-level Read access — users CAN read Contacts they have access to. OWD Private controls WHICH records — only their own. Profile and OWD are two completely independent layers controlling different things."
Q
Question 16 · 🟠 Intermediate
How can you give two different page layouts to two different users who have the same profile in Salesforce?
✅ Answer
You CANNOT do it directly. Record Types are the only bridge — different Record Types → different Page Layouts for same Profile! 🗂️
// Step 1 — Create Two Record Types Setup → Object Manager → Contact → Record Types → New → Record Type 1: Type_A → Record Type 2: Type_B // Step 2 — Create Two Page Layouts Setup → Object Manager → Contact → Page Layouts → New → Layout_For_User_A → Layout_For_User_B // Step 3 — Map Record Type → Page Layout Setup → Object Manager → Contact → Page Layout Assignment Profile | Record Type | Page Layout Sales Profile | Type_A | Layout_For_User_A Sales Profile | Type_B | Layout_For_User_B
ElementControls
ProfileWhich Record Types are available to user
Record TypeWhich Page Layout is shown
Page LayoutWhat fields/buttons user sees on screen
🔑 Key Points for Interviewer
  • 🔥Assignment chain: Profile → Record Type → Page Layout
  • 💡Record Types also control picklist values per user — mention for extra depth
  • 💡Can also use Permission Sets to assign Record Types instead of Profile
🎤 One-Line Answer for Interview
"You cannot directly assign different page layouts to same profile users. Record Types are the only way — assign different Record Types to each user, then map each Record Type to a different Page Layout. Also mention Record Types control picklist values per user for added depth."
Q
Question 17 · 🟠 Intermediate
If a user does not have access to a specific Record Type, will they still be able to see records that have that Record Type assigned?
✅ YES — They CAN still see the records!
Record Type Access ≠ Record Visibility. These are completely independent layers — Record Type only controls creation and layout, NOT who sees existing records! 🎯
📋 Two Completely Independent Layers
LayerControls
Record Type AccessWhich record types user can CREATE or SELECT
OWD + SharingWhich records user can SEE
✅❌ What Record Type Access Controls
  • Cannot create a new record with that Record Type
  • Cannot select that Record Type from picklist
  • Will NOT see that Record Type's page layout
  • CAN still view existing records with that Record Type
  • CAN still edit those records (if OWD/Sharing allows)
OWD → Role Hierarchy → Sharing Rules → Manual Sharing Record Type assignment has ZERO impact on this chain!
🌍 Real World Example

User A only has Standard Record Type. A record exists with Premium Record Type. User A can still open and read that Premium record — but will see it with their default page layout, not the Premium layout. They just cannot create a new Premium record themselves.

🎤 One-Line Answer for Interview
"Yes, the user can still see the record. Record Type access only controls which record types a user can create or select — record visibility is always governed by OWD, Role Hierarchy, and Sharing Rules, which are completely independent of Record Type access."
Q
Question 18 · 🔴 Advanced
Account OWD = Private. 5 people accessed a record via different methods. Admin changes record ownership. Out of these 5, who still has access after ownership change?
✅ Answer
When ownership changes, Salesforce recalculates all sharing. Only Custom RowCause Apex Sharing is guaranteed to always survive! 🔄
Person 1 → Record Owner Person 2 → Role Hierarchy (Manager of Person 1) Person 3 → Owner-Based Sharing Rule Person 4 → Manual Sharing Person 5 → Apex Managed Sharing
📋 Person-by-Person Analysis
PersonAccess MethodAfter Owner Change
Person 1Record Owner❌ Loses Access
Person 2Role Hierarchy❌ Recalculated — based on new owner
Person 3Owner-Based Sharing Rule❌ Loses Access
Person 3Criteria-Based Sharing Rule✅ Retains if criteria still match
Person 4Manual Sharing❌ DELETED automatically
Person 5Apex — Manual RowCause❌ DELETED
Person 5Apex — Custom RowCause✅ ALWAYS SURVIVES
// Custom RowCause = SURVIVES ownership change ✅ share.RowCause = Schema.AccountShare.RowCause.MyCustomReason__c; // Manual RowCause = DELETED on ownership change ❌ share.RowCause = Schema.AccountShare.RowCause.Manual;
🎤 One-Line Answer for Interview
"When ownership changes, Salesforce recalculates all sharing. Owner, Role Hierarchy, Manual shares are removed. Owner-Based Rules are recalculated. Criteria-Based Rules persist if criteria still match. Apex Sharing with Custom RowCause is the ONLY sharing guaranteed to always survive an ownership change."
Q
Question 19 · 🟠 Intermediate
A sales executive left the company. A new sales representative joined in their place. How do you give the new rep access to all records owned by the old executive?
✅ Answer
Freeze → Mass Transfer → Deactivate. NEVER delete a Salesforce user — always deactivate to preserve audit trail! 🔄
Step 1 — Freeze old user (don't delete immediately) Step 2 — Mass Transfer all records to new rep Step 3 — Deactivate old user Step 4 — Assign new rep correct Role + Profile ⚠️ NEVER delete a user in Salesforce — always deactivate!
📋 Three Options
OptionBest When
Mass Transfer RecordsNew rep is direct replacement, full ownership needed ✅ Best
Sharing RuleOwnership history must be preserved
Queue OwnershipTeam manages shared records going forward
🔑 Key Points for Interviewer
  • 🔥NEVER delete a user — always deactivate. Deleting breaks relationships, audit history, and reporting
  • 💡Mass Transfer is the go-to — new rep becomes owner → full access automatically
  • 💡Setup → Mass Transfer Records — supports Accounts, Leads, Opportunities, Cases, Contacts
🎤 One-Line Answer for Interview
"Freeze old user first, then use Mass Transfer Records to bulk transfer ownership to new rep, then deactivate the old user. Never delete a user — always deactivate to preserve audit trail. This ensures new rep gets full access via ownership with OWD Private."
Q
Question 20 · 🔴 Advanced
User has no FLS access to certain fields. Apex class runs WITHOUT SHARING (system context) and queries all those fields. Will it fetch the restricted field data?
✅ Answer — YES, Restricted Fields WILL be fetched!
without sharing bypasses record-level sharing ONLY — it does NOT enforce FLS automatically! All restricted fields are returned without any error! ⚠️
📋 Two Completely Different Layers
KeywordControls
with / without sharingRecord-level access (WHICH records)
FLSField-level access (WHICH fields)
// Case 1 — Without FLS Check (Default — UNSAFE ⚠️) public without sharing class FetchData { public static void run() { List<Account> accs = [ SELECT Id, Name, CreditScore__c FROM Account ]; // ✅ ALL records returned // ✅ ALL fields returned including restricted ones ⚠️ } } // Case 2 — WITH SECURITY_ENFORCED List<Account> accs = [ SELECT Id, Name, CreditScore__c FROM Account WITH SECURITY_ENFORCED // ← Enforces FLS ]; // ❌ Throws QueryException if user lacks FLS on any field // Case 3 — Security.stripInaccessible (Best Practice ✅) List<Account> accs = [SELECT Id, Name, CreditScore__c FROM Account]; SObjectAccessDecision d = Security.stripInaccessible( AccessType.READABLE, accs ); List<Account> safe = d.getRecords(); // ✅ Records returned, restricted fields automatically STRIPPED
ApproachFLS Respected?Error?
without sharing alone❌ No❌ No
WITH SECURITY_ENFORCED✅ Yes✅ Yes — exception thrown
Security.stripInaccessible✅ Yes❌ No — graceful
🎤 One-Line Answer for Interview
"without sharing bypasses record-level sharing only — it does NOT enforce FLS. All restricted fields are returned without error. Use Security.stripInaccessible() (modern approach) or WITH SECURITY_ENFORCED to properly respect FLS in Apex."
Q
Question 21 · 🔴 Advanced
Same scenario but Apex class is WITH SHARING. User has no FLS access. Will it fetch restricted fields? Will SOQL throw any error?
✅ Answer — Records fetched, Restricted Fields STILL returned, No Error!
with sharing only enforces record-level sharing — it does NOT enforce FLS. Restricted fields are still returned without any error! 🎯
ScenarioRecords Fetched?Restricted Fields?Error?
without sharing✅ ALL records✅ Returned ⚠️❌ No
with sharing✅ Only accessible records✅ Still returned ⚠️❌ No
with sharing + SECURITY_ENFORCED✅ Accessible only❌ Exception thrown✅ Yes
with sharing + stripInaccessible✅ Accessible only❌ Stripped gracefully❌ No
// Golden Rule: with/without sharing = Record Level (WHO sees WHICH records) FLS = Field Level (WHO sees WHICH fields) with sharing does NOT automatically enforce FLS! FLS must be enforced SEPARATELY in Apex code! // Key Difference: without sharing → ALL records returned (ignores sharing) ALL restricted fields returned (ignores FLS) with sharing → ONLY accessible records returned (respects sharing) ALL restricted fields STILL returned (FLS still ignored!) FLS behaviour is IDENTICAL in both unless explicitly enforced!
🎤 One-Line Answer for Interview
"with sharing only enforces record-level sharing — it does NOT enforce FLS. Restricted fields are still returned without any error. SOQL never throws errors for FLS violations unless WITH SECURITY_ENFORCED is explicitly used."
Q
Question 22 · 🔴 Advanced
What is Apex Sharing Reason in Salesforce? How many custom Apex Sharing Reasons can you create per object?
✅ Answer
Apex Sharing Reason (RowCause) is a label that explains WHY a record was shared via Apex Managed Sharing — and you can create a maximum of 10 custom reasons per object! 🏷️
📋 Two Types of RowCause
TypeCreated BySurvives Owner Change
Standard (Manual, Owner, Rule)Built-in by Salesforce❌ No (Manual deleted)
Custom (Apex Sharing Reason)Developer via Setup✅ Always
// How to Use in Apex AccountShare share = new AccountShare(); share.AccountId = recordId; share.UserOrGroupId = userId; share.AccountAccessLevel = 'Read'; share.RowCause = Schema.AccountShare.RowCause.MyCustomReason__c; // ← Sharing Reason insert share; // How to Delete Shares by RowCause List<AccountShare> toDelete = [ SELECT Id FROM AccountShare WHERE RowCause = 'Territory_Based_Sharing__c' AND AccountId = :recordId ]; delete toDelete;
🔑 Key Points for Interviewer
  • 🔥Maximum 10 custom Apex Sharing Reasons per object — most asked limit!
  • 💡Setup → Object Manager → Account → Apex Sharing Reasons → New
  • 💡You can ONLY delete shares where RowCause is your custom reason — cannot delete standard RowCause shares via Apex
  • 💡Custom RowCause shares survive ownership changes — unlike Manual shares
🎤 One-Line Answer for Interview
"Apex Sharing Reason (RowCause) identifies WHY a record was shared. You can create a maximum of 10 custom reasons per object. Custom RowCause shares survive ownership changes — unlike Manual shares — and can be selectively deleted by RowCause in Apex."
Q
Question 23 · 🔴 Advanced
What is the difference between Manual Sharing Reason and Apex Defined Sharing Reason (Custom RowCause) in Salesforce?
✅ Answer
The biggest difference — Manual sharing is DELETED on ownership change. Apex Defined Custom RowCause ALWAYS survives! 🔑
📋 Full Comparison
FactorManual SharingApex Defined
Who createsEnd User / Admin via UIDeveloper via Setup + Apex
RowCause valueManualCustom e.g. MyReason__c
Survives owner change❌ Deleted automatically✅ Persists always
Can delete via Apex❌ No✅ Yes
Scalability❌ One record at a time✅ Bulk via Apex
Business logic❌ No logic — manual only✅ Complex logic driven
Max limitNo limit10 per object
Ownership Changes ↓ Manual Share (RowCause = Manual) → ❌ DELETED automatically Apex Share (RowCause = Custom__c) → ✅ SURVIVES — stays intact
🎤 One-Line Answer for Interview
"Manual sharing uses standard RowCause and is deleted automatically on ownership change. Apex Defined sharing uses custom RowCause, always survives ownership changes, supports complex business logic, and can be selectively deleted — making it more reliable for enterprise requirements."
Q
Question 24 · 🔴 Advanced
What happens to the shared records when you delete the Apex Sharing Reason (RowCause) associated with them from Setup?
✅ Answer
When you delete an Apex Sharing Reason — ALL associated share records are automatically deleted and ALL users immediately lose access. This is irreversible! ❌
Admin deletes Apex Sharing Reason from Setup ↓ Salesforce finds ALL AccountShare records where RowCause = deleted sharing reason ↓ ALL those share records deleted instantly ↓ ALL users lose access to those records ❌
📋 What Exactly Happens
PointDetail
Share records deleted?✅ Yes — automatically
User access lost?✅ Yes — immediately
Can be undone?❌ No — permanent
Recreating reason restores shares?❌ No — must recreate via Apex
🔧 Safe Deletion Best Practice
// Step 1 — Delete share records via Apex FIRST List<AccountShare> toDelete = [ SELECT Id FROM AccountShare WHERE RowCause = 'Territory_Access__c' ]; delete toDelete; // Step 2 — Then delete Sharing Reason from Setup safely
🎤 One-Line Answer for Interview
"Deleting an Apex Sharing Reason automatically deletes ALL associated share records, causing all users who had access only through that reason to immediately lose access. This is irreversible — shares must be recreated via Apex if needed again."
Q
Question 25 · 🔴 Advanced
Object: Account. Roles: Senior Manager (Read), Manager (Read), Team Lead (CRUD), Team Member (CRUD). How will you set up this in Salesforce?
✅ Answer
Two separate layers to configure — Profile/Permission Set for CRUD operations, Role Hierarchy + OWD for record visibility! 🏗️
// Step 1 — OWD to Private Setup → Sharing Settings → Account → Default Internal Access = Private // Step 2 — Role Hierarchy Senior Manager └── Manager └── Team Lead └── Team Member
📋 Profile CRUD Matrix
ProfileCreateReadEditDelete
Senior_Manager_Profile
Manager_Profile
Team_Lead_Profile
Team_Member_Profile
📋 Final Access Matrix
RoleCRUDRecords Visible
Senior ManagerRead OnlyEveryone's records (top of hierarchy)
ManagerRead OnlyTeam Lead + Team Member records
Team LeadFull CRUDTeam Member + Own records
Team MemberFull CRUDOwn records only
🔑 Key Points for Interviewer — The Tricky Part!
  • 🔥Manager SEES Team Lead's Account (Role Hierarchy) → but tries to EDIT → ❌ BLOCKED (Profile = Read Only)
  • 🔥Profile CRUD is evaluated FIRST — Role Hierarchy only gives visibility, not edit rights
  • 💡This is the most common interview trap — visibility ≠ edit permission
🎤 One-Line Answer for Interview
"Set OWD to Private, build role hierarchy top to bottom, create separate profiles — Senior Manager and Manager with Read Only on Account, Team Lead and Team Member with full CRUD. Role hierarchy controls record visibility while profile controls operations on those records."
Q
Question 26 · 🟢 Basic
What is CRUD in Salesforce? If User A has Delete access, can they delete records belonging to User B?
✅ Answer
CRUD = Create, Read, Update, Delete — the 4 basic object-level permissions. Having Delete access alone does NOT mean you can delete anyone's records! 🔐
📋 What is CRUD?
LetterOperationMeaning
CCreateCan create new records
RReadCan view/see records
UUpdateCan edit existing records
DDeleteCan delete records
TWO layers must BOTH allow it: Layer 1 — Profile CRUD → Does user have DELETE permission? Layer 2 — Record Access → Does user have access to THAT record? BOTH must be YES to delete ✅
📋 Can User A Delete User B's Record?
CRUD DeleteOWDRoleCan Delete B's Record?
Public R/WAny✅ Yes
PrivateA above B✅ Yes
PrivateSame level❌ No
PrivateB above A❌ No
AnyAny❌ No
🔑 Key Points for Interviewer
  • 🔥CRUD (Profile) = WHAT operations you can perform
  • 🔥Record Access = WHICH records you can perform it ON
  • 💡Delete Permission ≠ Can delete ANY record — can only delete records you already have access to
🎤 One-Line Answer for Interview
"CRUD = Create, Read, Update, Delete — object level permissions set via Profile. Having Delete access alone doesn't mean you can delete anyone's records. You can only delete records you already have access to — which is controlled by OWD, Role Hierarchy, and Sharing Rules together."

Your go-to resource for Salesforce Interview Preparation

Home Agentforce Data Cloud Agentforce Course DC Course DevOps Course Marketing Cloud Company Wise About Us Contact Us Privacy Policy
Sitemap RSS Feed

© 2026 SF Interview Pro · Free for all Salesforce professionals