In large Salesforce environments, testing access control is just as important as testing forms, flows, and user journeys. A process may function correctly from a UI perspective, but still create risk if the wrong users can view, edit, or report on restricted records. This is why teams need a structured way to test Salesforce role hierarchies and sharing rules at scale, especially in enterprise orgs with complex ownership models, regional teams, public groups, queues, and layered permissions.
For teams using Provar, access-control testing can become part of a broader Salesforce automation strategy. Instead of manually checking whether one user can see one record, teams can validate repeatable role-based scenarios across business processes, profiles, permission sets, and sharing configurations. This helps reduce security gaps, release regressions, and production issues caused by incorrect record visibility.
What Role Hierarchies and Sharing Rules Do in Salesforce?
Salesforce uses several mechanisms to determine what users can access. Two of the most important are role hierarchies and sharing rules.
Role hierarchies
A role hierarchy controls record visibility based on an organization’s reporting or management structure. In many Salesforce setups, users higher in the hierarchy can access records owned by users below them, depending on the object’s sharing settings. This helps managers, directors, and executives view records owned by their teams without needing manual access to each record.
Sharing rules
Sharing rules extend record access beyond the baseline sharing model. They can grant access based on record ownership or criteria. For example, a rule may share all high-value opportunities with a regional leadership group, or all support cases from a certain product line with a specialized support queue.
In simple terms:
- Role hierarchy usually follows the organizational structure.
- Sharing rules create exceptions or extensions to standard access.
- Profiles and permission sets define what users can do with objects and fields.
- Organization-wide defaults set the baseline level of record access.
Why Access-Control Testing Is Often Overlooked?
Many Salesforce testing plans focus on whether a user can complete a task: create a lead, update an opportunity, submit a case, or approve a request. Those checks are useful, but they do not always confirm whether the user should have access to the record in the first place.
Access-control testing is often skipped because it is harder to design. It requires multiple users, different roles, controlled records, and clear expectations about visibility. It also involves negative testing, which means confirming that some users cannot see or edit certain records. That type of validation can be more complex than a standard functional test.
However, in enterprise Salesforce orgs, access issues can have serious consequences. A misconfigured sharing rule may expose confidential customer data. A broken hierarchy may prevent managers from reviewing pipeline records. A permission update may allow a user to edit restricted fields. These are not minor defects; they affect governance, compliance, and operational trust.
Common Risks in Salesforce Sharing Models
| Risk Area | Example | Possible Impact |
|---|---|---|
| Overexposure | A public group receives broader access than intended | Users can view sensitive records |
| Underexposure | A manager cannot see records owned by team members | Business reviews and approvals are delayed |
| Incorrect edit access | A user can modify records they should only view | Data integrity and compliance risk |
| Role change issues | A transferred employee keeps old visibility | Access no longer matches job responsibility |
| Rule conflict | Multiple rules grant overlapping access | Difficult troubleshooting and unpredictable visibility |
| Scale limitations | Large sharing recalculations slow access updates | Delayed record visibility after changes |
Start With the Baseline Sharing Model
Before testing role hierarchies and sharing rules, teams should understand the baseline access model. This starts with organization-wide defaults, often called OWD. These settings define the default access users have to records they do not own.
For example, an object may be set to private, public read-only, or public read/write. If an object is already public read/write, sharing rules may not be meaningful for basic visibility because users already have broad access. If an object is private, role hierarchy and sharing rules become more important because they determine who can see records beyond the owner.
Questions to answer before testing
- What is the object’s organization-wide default?
- Should managers inherit access through the role hierarchy?
- Which users should access records outside their ownership?
- Should access be read-only or read/write?
- Are public groups, queues, or territories involved?
- Which fields should remain restricted even if the record is visible?
These answers help define expected behavior. Without them, tests may only confirm what the system currently does, not what it is supposed to do.
Design Test Users Around Real Access Scenarios
Effective access-control testing requires realistic test users. It is not enough to test as a system administrator because admins usually bypass many restrictions. Tests should represent the actual business roles involved in the process.
Useful test user categories
- Record owner: the user who owns or creates the record
- Direct manager: a user above the owner in the role hierarchy
- Peer user: a user at the same level who should not automatically inherit access
- Cross-functional user: a user who receives access through a sharing rule
- Restricted user: a user who should not see or edit the record
- Support or operations user: a user who may access records through queues or public groups
By designing tests around these user types, teams can validate both access grants and access restrictions. This makes the results more meaningful than a single admin-based check.
Test Record Visibility Before Testing Actions
Access testing should usually begin with visibility. If a user should not see a record, they should not be able to act on it. If a user should see a record, the next step is to test whether their allowed actions are correct.
Visibility checks may include:
- whether the record appears in search
- whether the record opens from a direct link
- whether the record appears in list views or reports
- whether related records are visible
- whether record ownership affects visibility correctly
This matters because record visibility can vary depending on where the user accesses the data. A user may not see a record in one list view but may still access it through a report, related list, or direct URL if the sharing model allows it. Strong testing checks visibility from more than one path.
Validate Read, Edit, and Field-Level Access Separately
Seeing a record is not the same as editing it. Editing a record is not the same as editing every field. Salesforce access is layered, so tests should separate these permissions clearly.
| Access Layer | What to Test | Example Validation |
|---|---|---|
| Record visibility | Can the user see the record? | Record opens for manager but not peer user |
| Record edit access | Can the user modify the record? | Manager can view but cannot edit closed case |
| Field-level security | Can the user view or edit sensitive fields? | Revenue field hidden from support profile |
| Object permission | Can the user create, read, edit, or delete object records? | Operations user can read cases but cannot delete them |
| Report access | Can the user see records through reporting? | Restricted records excluded from pipeline report |
This layered approach helps prevent false confidence. A test may pass because a record is visible, but the actual business requirement may be read-only access or restricted field access.
Test Role Hierarchy Behavior at Multiple Levels
Role hierarchy testing should not stop with one manager and one subordinate. Large organizations often have several levels of leadership, regional structures, or matrix-style operations. A record may need to be visible to a direct manager but not to a manager in another branch.
Role hierarchy scenarios to test
- direct manager access to subordinate-owned records
- higher-level manager access across multiple subordinate roles
- peer user restriction at the same role level
- cross-region restriction where hierarchy should not apply
- access after role reassignment or user transfer
- visibility after ownership change
These scenarios are especially important after reorganizations, territory changes, or updates to the role structure. A role change can affect many records at once, so automated checks can help confirm that access remains aligned with the intended model.
Test Sharing Rules Based on Ownership and Criteria
Salesforce sharing rules commonly fall into two broad categories: owner-based sharing and criteria-based sharing. Each type requires different test design.
Owner-based sharing
Owner-based rules grant access based on who owns the record. For example, records owned by a sales team may be shared with a regional operations group. Testing should confirm that the rule applies only to the intended owner group and grants the correct access level.
Criteria-based sharing
Criteria-based rules grant access when records meet certain field conditions. For example, opportunities above a certain amount may be shared with an executive review group. Testing should include records that meet the criteria, records that nearly meet the criteria, and records that do not meet it at all.
Key sharing-rule checks
- the correct users or groups receive access
- access level is read-only or read/write as intended
- records outside the rule remain restricted
- updated records gain or lose access correctly when criteria change
- rules do not unintentionally overlap with other access paths
Include Negative Testing for Restricted Users
Security testing is incomplete without negative scenarios. A positive test confirms that the right user can access a record. A negative test confirms that the wrong user cannot.
For example, if a finance-only object should be hidden from a standard sales user, the test should confirm that the sales user cannot open the record, find it in search, edit it through a related process, or expose it through reports. This is often where access defects are found.
When teams test Salesforce access models, negative testing helps prevent accidental data exposure and strengthens confidence in the security model.
Test at Scale, Not Only With One Record
Testing one record can confirm basic configuration, but it may not reveal enterprise-scale issues. Large Salesforce orgs may have thousands of users, millions of records, multiple public groups, and complex sharing recalculations. A rule that works in a simple test may behave differently when applied across high data volume and many ownership patterns.
Scale-focused checks may include:
- visibility across multiple record owners
- records distributed across regions, teams, or business units
- bulk ownership changes
- criteria changes affecting many records
- large public groups or nested access structures
- performance impact after sharing recalculation
The goal is not always to reproduce production volume exactly. The goal is to test enough variation to confirm that the access model behaves consistently beyond one ideal example.
Connect Access Testing With End-to-End Business Processes
Role hierarchies and sharing rules do not exist only as admin settings. They affect real workflows such as lead assignment, opportunity review, case escalation, approval routing, customer support, and reporting. For that reason, access testing should connect to business-process testing.
For example, a sales manager may need to view subordinate opportunities, update forecast-related fields, and approve a discount request. A support lead may need visibility into escalated cases but not unrelated account financials. These scenarios combine record visibility, field-level security, workflow access, and process outcomes.
This is why End-to-End testing is useful for access validation. It confirms not only that a user can see a record, but also that the user can complete the correct business task with the correct level of access.
Use Automation to Prevent Security Regression
Access models change over time. New teams are added, business units reorganize, profiles are updated, and permission sets are modified for new projects. These changes can accidentally alter record visibility. Automated regression testing helps detect those changes before they reach production.
Provar can support this type of validation by helping teams test business processes through different user contexts and confirm expected Salesforce behavior after configuration changes. In enterprise orgs, this reduces the burden of manual access checks and makes security validation more repeatable.
Access-focused tests are also valuable in CI/CD Integration workflows. When security and sharing tests run as part of release validation, teams can catch permission regressions earlier and avoid discovering access problems after deployment.
A Practical Checklist for Testing Salesforce Sharing Rules
| Test Area | What to Confirm | Why It Matters |
|---|---|---|
| Baseline access | OWD settings match the intended access model | Defines the starting point for record visibility |
| Role hierarchy | Managers inherit access only where appropriate | Prevents both blocked visibility and overexposure |
| Owner-based sharing | Records owned by the correct users or groups are shared | Confirms ownership-based access logic |
| Criteria-based sharing | Only records meeting criteria are shared | Prevents unintended access to unrelated records |
| Permission level | Access is read-only or read/write as intended | Protects data integrity |
| Restricted user access | Unauthorized users cannot view or edit records | Supports security and compliance expectations |
| Reports and list views | Record access is consistent across reporting surfaces | Prevents indirect data exposure |
| Regression impact | Access still works after role, rule, or permission changes | Detects security regressions early |
Common Mistakes to Avoid
Testing only as an administrator
Admin testing does not reflect real access restrictions. Always include realistic business users.
Checking visibility without checking edit access
A user may be allowed to view a record but not modify it. Tests should distinguish between read and edit permissions.
Ignoring reports and list views
Users may discover records indirectly through reports or list views, so access validation should include those surfaces where relevant.
Skipping negative tests
Security validation must confirm both allowed access and blocked access.
Testing only one record
Single-record tests can miss ownership, group, regional, or criteria-based variations.
Conclusion
Testing Salesforce role hierarchies and sharing rules at scale requires more than checking whether a user can open a record. Teams need to validate baseline access, inherited visibility, sharing-rule behavior, permission levels, field access, reporting exposure, and negative access scenarios across realistic user roles. This is especially important in enterprise orgs where small changes to roles, groups, or rules can affect large numbers of records.
For organizations using Provar, access-control testing can become part of a repeatable Salesforce automation strategy. Provar helps teams validate business processes across user contexts, while structured sharing-rule and role hierarchy tests help confirm that the right users have the right access at the right time. Together, they support stronger release confidence, better governance, and safer Salesforce delivery at scale.
more info