In Salesforce, there are a few different ways to add a File to your org: as a direct upload through the Files tab, as an attachment in a Chatter feed or comment, as part of a Salesforce CRM library, and through the Files Related List on a record page. As we know, that last option comes in handy when you need client documents at your fingertips while viewing their records.
But what exactly happens when a File is added to a related list on a record? How do the record page's privacy settings intersect with the privacy settings of the File itself? Let's take a look at how it all works by default, and then we'll talk about how to adjust those default settings.
Default Visibility & Access Settings on Records
By default, Salesforce Files are visible to anyone who can access the record they're attached to. And as of the Winter '20 release, a user's default level of access to a File is determined by their level of access to its parent record:
- If you have read/write access to a record, you'll have Collaborator access to its attached Files by default, allowing you to view, download, share, edit, and upload new versions of the Files.
- If you're restricted to read-only access to the record, you'll have Viewer access to its Files by default, allowing you only to view, download, and share them.
This is a reasonably intuitive set of access rules, and for many organizations, they'll work just fine out of the box. But what if you need a more granular level of control over File visibility & access? What if you want to take a record that's accessible to your entire organization and attach a File that needs to be restricted to a select group of users? Don't worry – it's totally doable. Here, we'll use Salesforce's privacy controls to lock down access to Files on records, and then we'll show you how to use sharing settings to grant access to select viewers. Let's go!
Enabling File Privacy on Records
The first thing you'll want to do here is change the default visibility of Files attached to records in your org. To do that, you’ll need to enable the File Privacy on Records option in the Edit File Details modal. To do that, you or your admin will need to customize the page layout of the Content Version object, which is where the content of a Salesforce File is stored. Here's how to do it:
First, go to Setup > Object Manager and select the Content Version object.
Click Page Layouts and select the Content Version page layout you'd like to edit. You'll need to repeat this process for every Content Version page layout in active use in your org.
In the page layout palette, find the File Privacy on Records field.
Finally, drag the File Privacy on Records field to the Content Version Detail fields section and click Save.
Making a File Private on a Record
Once that’s all set, you’re ready to fine-tune file visibility for Salesforce files attached to records. Only admins and file owners can access this option.
Open the record that owns the File you'd like to lock down and open your target File.
Select Edit File Details from its actions menu.
Open the File Privacy on Records picklist and select Private on Records. This limits default visibility of the File on the record page to its owner alone.
Click Save and you’re all set! Your File will not be visible to users who do not own the file and haven't been granted sharing access.
Granting Access to Private Files on Records
Now that you've hidden your sensitive Files from everyone who can see its parent record, you can grant access to select users the way you would any other Salesforce File. To view and edit the complete list of everyone who has access to a File you own, open it and select Share from its actions menu.
Here, you'll be able to add and remove users and groups from your access list. You can also change users' level of access to the File and select whether non-File owners should be able to share the File themselves.
It's important to note that these sharing settings supersede the default access granted by your File Privacy on Records setting. If a user or group has specifically been granted access to a File, they won't lose it if you change File access to Private on Records.
If your head is starting to spin here, don't worry – remember, you can always double-check the complete list of entities with access to a given File in its Sharing modal. Don't forget to bookmark Salesforce's Who Can See My File? cheat sheet, and check out our own Salesforce Files overview to learn more about file sharing and management.
And if your head is really starting to spin here, allow us to propose a completely different solution for managing document access in Salesforce. Drive Connect is an AppExchange app that allows you to link to Google Drive files from a Lightning Component that can be added to any Salesforce record page, just like the native Salesforce Files Related List. That means that your client files live in Google Drive, and access to them is based on your existing sharing & permissions structure in Google Workspace, independent of whatever settings exist in your Salesforce org.
Sound interesting? Try it for yourself with a free two-week trial – no credit card required.