The quiet ways Salesforce access creeps wider
Here is an uncomfortable truth about Salesforce: access almost never shrinks on its own. Every change tends to add a little, and the additions stack up quietly until one day someone asks “wait, who can see this?” and the honest answer is “more people than we meant.”
None of this happens because anyone decided to over-share. It happens because the system is built to grant, and rarely to revoke. Here are the everyday mechanisms doing the widening.
Permission sets stack; they never subtract
A permission set can only add access. Assign a few to a user to solve a few one-off needs, and each one quietly broadens what that person can reach. Six months later the user has access nobody remembers granting, because no single permission set looks alarming on its own. The breadth only appears when you add them all up.
Sharing rules open records sideways
Org-wide defaults set a sensible baseline, and then a sharing rule opens one group’s records to another group to unblock a real business need. That is fine, until there are forty of them and no one can say which records each one actually exposes. Sharing rules grant on top of everything else, so they are the layer most likely to surprise you.
The role hierarchy grants access upward
Managers can see their teams’ records, and managers of managers can see more, all the way up. It is a useful default and an invisible one. Someone near the top of the hierarchy may be able to see far more than their day-to-day job suggests, simply because of where they sit on the org chart.
Managed packages bring their own permissions
Install a package and it often ships permission sets, objects, and sharing settings of its own. They get assigned during setup and then fade into the background. Months later they are still granting access, and they rarely show up on anyone’s review list.
Why a point-in-time answer matters
The common thread is that access widens through addition, across layers that no single screen shows you together. That is exactly the problem Who Sees What was built for: it reads every layer and tells you not just who can reach a record, but the specific grant that lets them. When you can see the whole picture in one place, the surprising parts stop being surprises.
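To make the layering concrete, here is a small added model of the mechanisms above (example code written for this post, not Who Sees What's code and not Salesforce's actual sharing engine): a constructed org with a role hierarchy, stacked permission sets including one shipped by a package, a private org-wide default, and one sharing rule. Given a record, it reports every user who can read it and the specific grant on each layer that lets them, which is the answer no single setup screen gives you.

```python
from collections import defaultdict
# Constructed sample org, not a Salesforce export; the model is a simplification of the layers
# above, not Salesforce's real engine: object access is the union of all assigned permission
# sets; record access needs ownership, a role above the owner, a public OWD, or a sharing rule.
ROLE_PARENT = {"Rep": "Manager", "Manager": "VP", "VP": None}
USERS = {"alice": {"role": "Rep", "perm_sets": ["Sales_Basic"]},
         "bob": {"role": "Rep", "perm_sets": ["Sales_Basic"]},
         "carol": {"role": "Manager", "perm_sets": ["Sales_Basic", "Export_OneOff", "PkgApp_Admin"]}}
PERM_SETS = {"Sales_Basic": {"Account": {"read"}},  # a permission set only ever adds
             "Export_OneOff": {"Account": {"export"}},  # one-off need, never revoked
             "PkgApp_Admin": {"Account": {"read", "edit", "delete"}}}  # shipped by a managed package
OWD = {"Account": "private"}  # org-wide default: only the owner and the hierarchy above
SHARING_RULES = [("Account", "Rep", "Rep")]  # (object, owner role, role shared to)
RECORDS = {"A-1": {"object": "Account", "owner": "alice"}}

def roles_above(role):
    parent = ROLE_PARENT[role]
    return [parent] + roles_above(parent) if parent else []

def object_grants(user, obj):
    """Each object permission the user holds, mapped to the permission sets granting it."""
    grants = defaultdict(set)
    for ps in USERS[user]["perm_sets"]:
        for perm in PERM_SETS[ps].get(obj, ()):
            grants[perm].add(ps)
    return dict(grants)

def record_grants(user, rec_id):
    """Every record-level reason `user` can reach the record (empty list if none)."""
    rec, reasons = RECORDS[rec_id], []
    owner_role, user_role = USERS[rec["owner"]]["role"], USERS[user]["role"]
    if rec["owner"] == user:
        reasons.append("owner")
    if user_role in roles_above(owner_role):
        reasons.append(f"role hierarchy: {user_role} above {owner_role}")
    if OWD[rec["object"]] == "public":
        reasons.append("org-wide default: public")
    for i, rule in enumerate(SHARING_RULES):
        if rule == (rec["object"], owner_role, user_role):
            reasons.append(f"sharing rule #{i}: {rule[1]} -> {rule[2]}")
    return reasons

def who_sees(rec_id):
    """Users who can read the record, each with the specific grants that let them."""
    obj, out = RECORDS[rec_id]["object"], {}
    for user in USERS:
        obj_g, rec_g = object_grants(user, obj), record_grants(user, rec_id)
        if "read" in obj_g and rec_g:  # needs an object permission and a record-level path
            out[user] = {"object": sorted(obj_g["read"]), "record": rec_g}
    return out
```

Running `who_sees("A-1")` shows carol reaching the record through the hierarchy with read granted twice over (her own permission set and the package's), which is exactly the kind of overlap a per-screen review never surfaces.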
Want to see what your org looks like today? Run a quick scan. It is read-only, and it takes about five minutes.