Organization-Wide Defaults (OWD) are the baseline record-access settings configured per object that determine what a user can see for records they don’t own. OWD is the most restrictive layer of the Salesforce sharing model — every other sharing mechanism (role hierarchy, sharing rules, manual sharing, Apex sharing, team sharing) only opens up access from the OWD baseline. You cannot share a record more restrictively than the OWD allows.
Where OWD sits in the security stack
Salesforce security is layered, and OWD is the foundation of record-level access:
1. License → which objects exist for this user at all
2. Profile + perm set → CRUD on objects, FLS on fields
3. OWD → baseline visibility of OTHER users' records ← here
4. Role hierarchy → managers see direct reports' records
5. Sharing rules → criteria-based or owner-based opening
6. Manual sharing → record-by-record shares (when OWD is not Public Read/Write)
7. Apex sharing → programmatic shares
8. Teams, territories → object-specific sharing extensions
If your profile gives you Read on Account but OWD is Private and you’re not in the role hierarchy above the owner, you see only your own accounts. Profiles answer “can I open this object?” — OWD answers “whose records can I see?”
The OWD options for internal users
| Setting | Who can see records they don’t own? | When to use |
|---|---|---|
| Private | Only the owner (and people above them in the hierarchy, if enabled). | Sensitive data — opportunities, HR records, legal cases. |
| Public Read Only | All internal users can read; only the owner (and people above) can edit. | Reference data — accounts in some orgs, products. |
| Public Read/Write | All internal users can read and edit; only the owner can transfer/delete. | Highly collaborative data — internal contacts in small orgs. |
| Public Read/Write/Transfer | Lead and Case only — adds transfer to the previous level. | High-volume lead pools and case queues. |
| Public Full Access | Campaign only — adds full record manipulation. | Marketing teams co-managing campaigns. |
| Controlled by Parent | Detail objects in a master-detail relationship inherit access from the master record. | Almost always the right answer for detail objects. |
Internal vs external OWD
For each object you set two OWDs:
- Default Internal Access — for internal license users (Salesforce, Salesforce Platform).
- Default External Access — for community/portal users (Customer Community, Partner Community, Experience Cloud).
Salesforce enforces a rule: external access can never be more permissive than internal access. You can have internal “Public Read/Write” and external “Private”, but not the other way around.
Real scenario interviewers love
“Your sales VP says ‘reps should only see their own opportunities, but managers should see everything.’ How do you configure this?”
The answer chains three settings:
- OWD for Opportunity → Private. This locks the baseline so reps only see their own.
- Role hierarchy with VPs above Managers above Reps. “Grant Access Using Hierarchies” is on by default for Opportunity, so managers automatically inherit visibility of their reports’ records.
- If teams also need to see each other’s deals: add an owner-based sharing rule sharing opportunities owned by the Sales Reps public group with the Sales Reps public group (Read or Read/Write).
This question tests whether you understand the layered model — OWD alone is not the answer.
Common pitfalls
- Tightening OWD on an existing org takes time. When you reduce access (e.g., Public Read Only → Private), Salesforce recalculates sharing in the background. On large orgs this can take hours and trigger multiple sharing recalculation emails. Plan the change for off-peak time.
- Manual sharing only works when OWD is Private or Public Read Only. Public Read/Write makes manual sharing unnecessary (everyone can already see and edit).
- Detail objects must use “Controlled by Parent” when in a master-detail relationship — Salesforce enforces this and you can’t override it.
- Custom object OWD defaults to Public Read/Write on creation. On a security-sensitive object, change it before anyone starts loading data.
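The internal/external rule and the last two pitfalls can be checked before a deployment. The script below is an added example, not part of the original page or any Salesforce tooling: it audits object metadata for those three conditions. It assumes the Metadata API `CustomObject` elements `sharingModel` and `externalSharingModel` with fields nested in the same document; the object names and XML are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Metadata API sharingModel values, least to most permissive (same order as the table).
RANK = {"Private": 0, "Read": 1, "ReadWrite": 2, "ReadWriteTransfer": 3, "FullAccess": 4}

def _obj(internal, external, master_detail=False):
    """Build a constructed CustomObject document for the sample input."""
    field = ("<fields><fullName>Parent__c</fullName><type>MasterDetail</type></fields>"
             if master_detail else "")
    return (f'<CustomObject xmlns="{NS["md"]}">{field}'
            f"<sharingModel>{internal}</sharingModel>"
            f"<externalSharingModel>{external}</externalSharingModel></CustomObject>")

# Constructed sample (not from a real org): object API name -> metadata XML.
SAMPLE = {
    "Opportunity": _obj("Private", "Private"),
    "Account": _obj("Read", "ReadWrite"),            # external wider than internal
    "Payroll_Run__c": _obj("ReadWrite", "Private"),  # custom object at creation default
    "Payroll_Line__c": _obj("Private", "Private", master_detail=True),  # detail, not inherited
    "Invoice_Line__c": _obj("ControlledByParent", "ControlledByParent", master_detail=True),
}

def audit_owd(objects):
    """Return sorted (object, finding) pairs for the OWD rules described on this page."""
    findings = []
    for name, xml in objects.items():
        root = ET.fromstring(xml)
        internal = root.findtext("md:sharingModel", namespaces=NS)
        external = root.findtext("md:externalSharingModel", namespaces=NS)
        is_detail = any(t.text == "MasterDetail"
                        for t in root.findall("md:fields/md:type", NS))
        if is_detail:
            if internal != "ControlledByParent":
                findings.append((name, "detail object is not Controlled by Parent"))
            continue  # detail objects inherit access, so the checks below do not apply
        if internal in RANK and external in RANK and RANK[external] > RANK[internal]:
            findings.append((name, "external access is more permissive than internal"))
        if name.endswith("__c") and internal == "ReadWrite":
            findings.append((name, "custom object at the Public Read/Write creation default"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_owd(SAMPLE):
        print(f"{name}: {finding}")
```

The Public Read/Write finding is a prompt for review, not an error: that setting is legitimate for collaborative data, so confirm it against the object's sensitivity.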
Verified against: Salesforce Help — Organization-Wide Sharing Defaults and the Sharing & Visibility Architect resources. Last reviewed 2026-05-17.