The sharing model in depth
Record visibility is one of the two hardest architecture domains, because access is additive and layered and every layer has performance and maintenance consequences at scale. An architect must be able to reason precisely about who can see a given record and why, and to design access that is both least-privilege and performant.
Access is granted by combining several mechanisms; a user gets the most permissive result of all that apply. The baseline is the org-wide default (OWD) per object — Private, Public Read Only, or Public Read/Write — and the golden rule is to set it restrictively and grant access back, never the reverse. On top of OWD, the role hierarchy gives managers access to records owned by people below them (toggleable per object with "Grant Access Using Hierarchies"). Sharing rules open access to public groups, roles, or roles-and-subordinates based on record ownership or criteria. Manual sharing, team sharing, and programmatic (Apex) sharing handle the exceptions.
Effective access = MAX(
Org-Wide Default,
Role hierarchy (if enabled for the object),
Ownership-based & criteria-based sharing rules,
Manual / team / account-team sharing,
Apex managed sharing,
Implicit sharing (parent<->child, e.g. Account grants to child Cases)
)
At scale, sharing is not just a security question but a performance one. Every share is a row in a sharing table, and broad OWDs, deep role hierarchies, and large criteria-based rules trigger heavy sharing recalculations when ownership or roles change. Ownership skew (one user owning huge numbers of records) makes those recalculations, and record locking, dramatically worse. So an architect designs the hierarchy shallow where possible, prefers public groups over sprawling rules, and watches for skew.
Understand also implicit sharing — for example, access to an Account implicitly grants read to its child Cases and Opportunities under certain settings — because it explains many "why can they see this?" puzzles.
As an exercise, take a real requirement ("reps see own records; regional managers see their region; a central ops team sees everything") and map it to OWD plus the minimum set of hierarchy and sharing-rule mechanisms. The next lessons cover two advanced tools that extend this model: enterprise territory management and restriction rules.