Access Control is a CaseCloud add-on that enforces rule-based control over access to Salesforce records using Salesforce’s native sharing model, providing centralized and consistent record-level security.
You can also extend these rules to automatically control access to related records, ensuring consistent security across a record and its related lists; all from a single configuration point.
How Access Control Works
Access Control manages Salesforce record-level sharing on your behalf.
When a rule is triggered, Access Control:
- Evaluates the criteria you define.
- Applies the appropriate access rules.
- Uses Salesforce’s native sharing engine to grant or restrict access.
Because Access Control relies on Salesforce’s built-in sharing model, it enhances rather than replaces your existing Salesforce security configuration.
How Access Control Works with Existing Salesforce Security
If you already manage a Salesforce org, you’ve built a security model using standard Salesforce controls, including:
- Profiles and Permission Sets
Define which objects, fields, and actions users can access. - Role Hierarchy
Controls record visibility based on organizational structure. - Organization‑Wide Defaults (OWD)
Establish the baseline level of access for each object. - Sharing Rules
Expand access beyond OWD for specific users or public groups.
Access Control operates only at the record‑sharing layer.
It does not replace or override:
- Profiles
- Permission Sets
- Role Hierarchy
Instead, Access Control works on top of your existing Salesforce security configuration by dynamically managing record‑level sharing when its rules are triggered.
Access Control can only grant access that Salesforce security already allows. If a user lacks object or field permissions, Access Control cannot override those restrictions.
Prerequisites
Before you begin the Access Control configuration, ensure that you meet all the following prerequisites:
- The Access Control managed package is installed in your Salesforce org.
- You have System Administrator profile or equivalent permissions to edit OWD settings, manage flows, create Permission Set Groups, and edit page layouts.
- You have identified all objects for which you want to enforce Access Control.
- For each identified object: the OWD Default Internal Access and Default External Access are NOT set to Public Read/Write.
- You have identified the Salesforce Users and/or Public Groups that will be granted access through Access Control rules.
- No target object is a child object in a Master-Detail relationship. Access Control cannot be extended to Master-Detail child objects.
- Lightning Experience is enabled (Access Control components are Lightning-only).
Access Control can operate only on objects whose Organization‑Wide Defaults (OWD) are set to a level more restrictive than Public Read/Write.
If an object’s Default Internal Access or Default External Access is set to Public Read/Write, all users already have full read and write access to every record. In this case, there is no access to restrict, and Access Control cannot apply any rules.
As a result:
- CaseCloud does not display these objects in Access Control configuration screens.
- You cannot configure Access Control rules for objects with Public Read/Write OWD.
Audit and Update OWD Settings
- In Salesforce, open Setup by clicking the gear icon in the top‑right corner.
- In the Quick Find box, enter Sharing Settings, then select Sharing Settings.
- On the Sharing Settings page, click Edit.
- Scroll to the Organization‑Wide Defaults section.
- For each object you plan to control with Access Control:
- Locate the object row.
- Review the Default Internal Access and Default External Access values.
- If either value is set to Public Read/Write, change it to a more restrictive setting.
- For legal and matter‑centric objects, the most common choice is Private, which limits access to the record owner and users above them in the role hierarchy.
- Select the setting that best fits your organization’s security requirements.
- After updating all target objects, click Save.
- Verify the changes by reviewing the Organization‑Wide Defaults table again.
CaseCloud ships two permission sets with the Access Control package. Every user who needs to manage or use Access Control must be assigned one of these: Access Controls Admin and Access Controls User.
For detailed instructions on assigning permission sets and recommended best practices, see Set Up Permissions for Your Salesforce Users.
Access Controls & Sharing action provides visibility into the sharing of the record to various users within your organization, provides quick ability to add additional users or public groups to access the record, and view all applicable related access control for the object of the record, with the ability to prioritize the order of the access control application.
For detailed instructions on how to create the Action on the object and add the Action to the page layout or object's lightning record page, see Using Access Control & Sharing Action.
For the Account object, CaseCloud ships this action button pre-installed on the standard Account page layout.
For Access Control to apply automatically when a record is created, updated, or deleted, you must activate a record-triggered flow for each object you are adding. CaseCloud provides two flow templates for this purpose: one for create and update records, and one for delete records.
For detailed instructions on how to configure record-triggered flows on the object, see Setup Record-Triggered Flows on the Object.
If your organization requires records to be processed on a fixed schedule rather than on save, CaseCloud also supports a background Apex job for this purpose. See Using Scheduled Background Apex Job.
The Account object does not require this step. CaseCloud processes Account records automatically. Complete this step for every other standard or custom object.
An Access Control rule defines which object it applies to, the criteria that determine which records it governs, which related objects inherit the same access restrictions, and which users or groups receive what level of access. Once you save a rule with the Active checkbox enabled, CaseCloud immediately applies it to all records that match the configured criteria.
For detailed instructions on creating and configuring an access control rule, see Manage Access Control.
- Only active rules are applied to records. If you save a rule without checking Active, it will not affect any records until you activate it.
- If you edit a rule using the inline-edit feature in the Access Control list view, the changes will not automatically apply to records. Always open the rule's detail page and use the Edit button to make changes. When you save from the detail view, Access Control is automatically re-applied to all matching records.
To verify your setup, perform the following check to ensure Access Control is working correctly. Work through each check in order.
| Check | How to perform? | |
|---|---|---|
| 1. | Apply Access Control Settings button is visible on the Access Control tab | Open the Access Control tab and confirm the Apply Access Control Settings button is visible in the list view toolbar. |
| 2. | The Access Control tab is accessible | Open the App Launcher, search for Access Control, and confirm the app loads. Verify that users assigned the Access Control User or Admin permission set can see the Access Control tab and the list of rules. |
| 3. | Your target object appears in the rule creation dropdown | Create a new Access Control rule and open the Object dropdown. Confirm your target object appears in the list. If it does not, return to Step 1 and verify that the object's Default Internal Access and Default External Access are not set to Public Read/Write. |
| 4. | The rule applies to an existing record | Find an existing record that matches your rule's criteria. Open it and click the Access Controls & Sharing action button. In the Sharing section, confirm the user or group specified in your rule appears with the correct access level. |
| 5. | A new record triggers the rule automatically | Create a new record that matches your rule's criteria and save it. Open the record and confirm that sharing was applied. This verifies that the record-triggered flows configured in Step 4 are active and working. Note: If Check 4 fails but Check 3 passes, the most likely cause is that one or both record-triggered flows for your object are inactive. Return to Step 4 and confirm both flows show a status of Active. |
| 6. | The Related Access Control list appears on the record | On any record of your target object, scroll to the Related Access Control related list. Confirm it is visible and that your rule appears in it after the rule has been applied. |
Once your initial setup is complete, you can extend Access Control to additional standard or custom objects at any time. For detailed instructions, see How to Extend Access Control to Other Objects.