This is the pictorial representation of how Salesforce determines record access for a user

How Salesforce Determines Record Access for a User

  1. When a user needs to access a record, Salesforce will first check whether the user’s profile has required permission to access the object. If user’s profile does not have the required permission, user will not be able to access the record. If the profile has required permissions, system will proceed to step 2
  2. System checks “View All Data” system permission. If granted, user will be able to access the record
  3. Else, system will determine if the user is the owner of record. If yes, the user will be able to access the record
  4. Else, system will check Organization Wide Default (OWD) setting for that object. If OWD is set to Public Read Only or Public Read/Write, user will be able to access the record
  5. Else, system will check if the user is above in the role hierarchy from the owner who owns that record. If yes, user will be able to access the record
  6. Else, sharing rules are checked. If the user has been granted access to the record through Apex sharing, sharing rules or manual sharing, user will be able to access the record
  7. If none of the above requirements are met, user will not be able to access the record