Sharing Sets in Communities

Avnish Yadav

2 Oct, 2022

Hello Trailblazer

Today, I'm going to talk about Sharing Sets. In the Winter 2019 update, Sharing Sets were added to Partner Community Licenses and Customer Community Plus Licenses. It is now much simpler to enable sharing within those Community types thanks to this update.

You will need to think about data security when you consider the idea of exposing your data to the outside world. This is the focus of this blog. We will examine a wide range of sharing-related Community-specific products. Let's get started by making sure we understand the fundamentals.

Basics

Let’s start with our salesforce security pyramid, if you don’t know this one you should copy this image and save it. It will become your general security for the salesforce.

OWD

Your Org Wide Defaults.

When it comes to the Community Cloud, you need to be aware that there are two parts to your Org Wide Defaults (OWD), namely your internal sharing model and your external sharing model. These are very important because they are the foundation of your organization. The community members are subject to the external sharing model, not the internal model.

Role Hierarchy

Trust me when I say that roles can be tricky. So this is where licenses come into play for the first time. That means that the kind of license you have has an impact on whether or not you have a role. Let's begin by dissecting this.

Customer Community – No Role

These users are role-less
This means they can’t be added to public groups
This also means that role-based sharing won’t work since they don’t have roles
If you only have Customer Community licenses you won’t have the ability to set how many roles your CC users have
No Manual Sharing allowed

Customer Community Plus – Roles

Customer Community Plus/Customer Community Plus Login users have Roles
You can set how many roles they have – from 1-3
The roles available are User, Manager, Executive
You cannot change role names
When you set how many roles this is ORG WIDE, not per community or per profile, but PER ORG
These users can be in Public Groups
Manual Sharing Allowed

Partner Community – Roles

Partner Community/Partner Community Login users have Roles
You can set how many roles they have – from 1-3
The roles available are User, Manager, Executive
You cannot change role names
When you set how many roles this is ORG WIDE, not per community or per profile, but PER ORG
These users can be in Public Groups
Manual Sharing Allowed

For Customer Community Plus and Partners, you set the Number of Roles for your org for each at:

Classic: Setup => Digital Experiences => Settings

Lightning: Setup => Feature Settings => Digital Experiences => Settings

Sharing Rules

You might think that sharing rules is a great way to share things; I can simply create a rule that states that if this account belongs to you, I will share it with you.LIMITS are where the issue lies! You can only create 50 sharing rules for each object. You will quickly run out of sharing rules as your community expands and you consider how many accounts you will use or users you will activate. Fear not, because sharing sets are here to save the day!

Sharing Sets

The incredible superpower that comes with your Communities is Sharing Sets. They provide a method for sharing with Community License types and users. Keep in mind that this kind of sharing and security is only available to members of your community and cannot be shared with internal users.

Sharing Sets are completely different from the sharing that you are accustomed to for internal users and operate in a manner that is completely distinct from the majority of other types of sharing that you will think of in the Salesforce world. With Sharing Sets, you can match a Community User Lookup—typically an Account, Contact, or User—to records in your Salesforce Organization that also have that Lookup value.

You have your User.

The User is always connected to a Contact (or Person Account), that’s how you created your community User.
This Contact is the User.ContactId
The Contact also has an Account, the User.Contact.AccountId
You can also use the User.ContactAccount, these are your Account Contact Relationships

Your records will then be yours. If records have an AccountId or ContactId, they can be shared. Sharing Sets announce, "Hello, I am this logged-in User."My User.Contact. Because they match, AccountId = x, and I can see this record's AccountId = x.

It would not be visible on the record if the AccountId was y.

Objects for Sharing Sets

The following objects can be used with sharing sets:

Account
Account sharing sets can control access to Contract, Entitlement, and OrderItem objects
Asset
Campaign
Case
Contact
Custom Objects
Individual
Lead (contact Salesforce Customer Support to enable)
Opportunity
Order
ServiceAppointment
Service Contract
User
Work Order

The Available Objects list excludes:

Objects with an organization-wide sharing setting of Public Read/Write
Custom objects that don’t have an account or contact lookup field

Sharing Set Checklist

Your Org Wide Defaults as Private for your External Sharing Model
You know the objects you want to share
You have your Custom Profiles created for your Community Users
Your Custom Profile(s) have the objects with the proper CRUD access

How to Set it Up

First of all, you need to be aware that each Community Profile can only have one Sharing Set. This indicates that the sharing set for the profile was created and that sharing set contains all of the objects. Each object can only be shared in one way. To appear in the list of objects for Sharing Sets, objects must be Private. When you look for an object, you might find that your OWD has it set to Public Read/Write; if you want to use Sharing Sets on it, you should change that to Private. Your data must be protected.

Go to Setup and Access your Digital Experiences Settings

Classic: Setup => Customize => Digital Experiences => Settings => Sharing Sets

Lightning: Setup => Feature Settings => Digital Experiences => Settings => Sharing Sets

You’ll see the 2nd section of the page is Sharing Sets. Unless you have your profiles sharing all objects the same way, you’ll want to create different Sharing Sets for each profile. If they share objects via the same fields, then you can add multiple profiles to the same Sharing Set.

For instance, below we are sharing all Projects that have an Account that matches the Community User’s Account.

With a "backend logic" Lookup for the Object, you can make this even more creative. Using the automation tool of your choice (such as Process Builder, Flow, or trigger), you can conditionally fill out this field. You can now share only the records you want to share by changing your Sharing Set up to use this conditional Lookup instead of the one you use internally!

Make sure the name of this backend field is very clear so that administrators and users don't get confused if they see it.

What if you have complex Account hierarchies?

Not to fear! Account Contact Relationship saves the day. If the Contact has a match with any of their Accounts you can grant access via the Account (if that is how you want to share the record). I always look to enable this to future-proof an implementation, instead of having to adjust your sharing down the road. Another benefit of using Account Contact Relationships is that it allows you the ability to expand your sharing with one-off scenarios outside of an Account’s hierarchy.

Conclusion

I hope that the concept of sharing sets, matching user lookup fields to lookup fields on a record, and related lookup fields has given you some ideas about your Community and sharing options. It's amazing what amazing things can be done now that all Community Licenses have access to Sharing Sets.

What innovative uses of Sharing Sets do you have? Have you solved any unique issues? I'd love to learn more about them.