Identifying your record access requirements is an essential step to complete before procuring user licenses or setting up your community, for the following reasons:
1) Sharing options in Communities are affected by the type of Community user licenses you have (Customer or Partner).
2) Even with the more robust Partner license, there are still some “gotchas” when it comes to sharing in a Community.
3) You may end up needing to adjust internal sharing settings so you don’t inadvertently grant Community users access to the wrong records.
Before you say to yourself, “My Community users are my customers–I need Customer licenses”, dig a little deeper. Salesforce has a great chart that compares features for Customer vs. Partner Community licenses. In a nutshell, Customer licenses are designed for high-volume applications without complex sharing requirements. Partner licenses have access to more object types. For example, if you need your Community users to access Leads, Opportunities, Campaigns, or to upload Content, you will need Partner licenses. The other important note is that the Partner license has roles and sharing rules available but the basic Customer license does not. Likewise, Apex sharing and manual sharing are not available for the Customer license.
Important Update: In addition to the above options, Salesforce has now made the Customer Plus license available, which grants the following permissions on top of Customer: full access to Accounts, view access to Content, ability to create Tasks, view access to Reports and Dashboards, AND role-based sharing. This new license is a helpful middle-road option that will grant much-needed additional flexibility to most applications that are more complex than basic customer support. The main distinction of the Partner Community license is access to the “premium” standard objects Lead, Campaign, and Opportunity.
Sharing with Customer License: Sharing Sets
The option you do have available for sharing records with users on the lowly Customer license is called Sharing Sets. These essentially allow you to grant a user access to records based on affiliation with the user’s contact or account (or a contact or account related indirectly to the user through lookup relationships). If the user’s account or contact record is populated in a lookup on the record, you can share it. To edit sharing sets, go to Settings under the Communities menu. Note that you specify the profiles the sharing set applies to, since Customer users don’t have roles.
Use Case: you want to share cases created on behalf of a Community user by internal users (where the Community user is the contact on the case) with that user.
Sharing with Customer License: Share Groups
Sharing sets are geared towards sharing records owned by other users with Community users. Share Groups, on the other hand, allow you to go the other direction and share records owned by Community users with other users. You can use share groups to share records owned by an external user (with a Customer Community or High-Volume Customer Portal License) with internal users, partner users, or other high-volume external users in the same account. To create a Share Group, you must first create a Sharing Set, then click into its name to access the Share Group sub-tab.
Use Case: you want to share cases or another type of record created and owned by Community users with internal users or other external users in their account (the account restriction applies to high-volume external users only).
Sharing with Partner License: Role Hierarchy
Partner users will see records owned by partner users in roles below them in the hierarchy. Each partner account may have up to 3 roles (Executive, Manager, and User). Using record ownership and the role hierarchy is the simplest way to share records among Partner users in the same account.
Use Case: you have a need for granular owner-based sharing where some Partner users should only see records they create, while others should see records created by others below them in their account.
Sharing with Partner/Customer Plus License: Super User Access
Partner users with super user permission can access records belonging to users in their account at their same role or lower in the role hierarchy, for Cases, Leads, Opportunities and Custom Objects only.
Use Case: you’re using Partner license and want to grant access to all records for the account to certain users and are fine with it opening up visibility to all the above objects. This also must be enabled in the Community settings and then manually enabled for each partner contact. For Customer Plus users, the super user permission can be granted via a permission set.
Sharing with Partner License: Sharing Rules
Owner and criteria-based sharing rules apply and can be used to share records with Partner Community users. To create rules that specifically apply to partner users, you can use partner roles and public groups. Partner users can be added to public groups just like internal users.
Use Case: you need to share all opportunities related to a particular partner account with all users in the partner account, but don’t want to open up the full super user access. You could create a criteria-based sharing rule where the Account ID is the partner account, sharing with the partner account executive role and subordinates. This works best if you work with only a small number of partner accounts, because it is a bit labor-intensive and will eat into your limit of 50 criteria-based sharing rules.
Sharing with Partner License: Manual Sharing
Manual sharing can be used for sporadic or one-off requirements to share records with partner users. Records can only be shared by internal users to partner users–partner users can’t manually share records with other users.
Use Case: Partners work closely with your internal users on only a few opportunities.
Sharing with Partner License: Apex Sharing
If your sharing criteria are more complex than criteria-based sharing allows, or you work with enough partner organizations that you are in danger of hitting criteria-based sharing rule limits and/or managing them is an administrative burden, you may need to look into programmatic Apex-managed sharing. This can be complex to implement and should only be considered after other options have been ruled out. A related approach is to create a custom user interface with Visualforce that displays only selected records.
Use Case: you want to share only program records associated with the brand that a partner organization works with, the relationship is not tracked in an account lookup, and you don’t want to have to manually set up and maintain public groups.
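A sketch of Apex-managed sharing for this use case, added here as an illustration and not taken from Salesforce or from an existing implementation. It assumes hypothetical custom objects Program__c (with a Brand__c lookup) and Partner_Brand__c (a junction with Account__c and Brand__c lookups), and a hypothetical Apex sharing reason named Partner_Brand on Program__c.

```apex
// Added example. Program__c, Brand__c, Partner_Brand__c, Account__c and the
// Apex sharing reason Partner_Brand__c are hypothetical names.
// Program__Share only exists when the object's default access is Private or Public Read Only.
public without sharing class ProgramPartnerSharing {

    // Rebuilds the partner shares for the given programs from scratch, so access
    // is also revoked when a partner account stops working with a brand.
    public static void recalculate(Set<Id> programIds) {
        String cause = Schema.Program__Share.RowCause.Partner_Brand__c;

        // Delete only the rows this class owns; owner, rule and manual shares stay.
        delete [SELECT Id FROM Program__Share
                WHERE ParentId IN :programIds AND RowCause = :cause];

        // Brand -> programs in scope.
        Map<Id, Set<Id>> programsByBrand = new Map<Id, Set<Id>>();
        for (Program__c p : [SELECT Id, Brand__c FROM Program__c
                             WHERE Id IN :programIds AND Brand__c != null]) {
            if (!programsByBrand.containsKey(p.Brand__c)) {
                programsByBrand.put(p.Brand__c, new Set<Id>());
            }
            programsByBrand.get(p.Brand__c).add(p.Id);
        }

        // Partner account -> brands it works with (the relationship that is
        // not available as an account lookup on the program record).
        Map<Id, Set<Id>> brandsByAccount = new Map<Id, Set<Id>>();
        for (Partner_Brand__c pb : [SELECT Account__c, Brand__c FROM Partner_Brand__c
                                    WHERE Brand__c IN :programsByBrand.keySet()]) {
            if (!brandsByAccount.containsKey(pb.Account__c)) {
                brandsByAccount.put(pb.Account__c, new Set<Id>());
            }
            brandsByAccount.get(pb.Account__c).add(pb.Brand__c);
        }

        // One read-only share row per active partner user and matching program.
        List<Program__Share> shares = new List<Program__Share>();
        for (User u : [SELECT Id, AccountId FROM User
                       WHERE AccountId IN :brandsByAccount.keySet()
                       AND IsActive = true AND UserType = 'PowerPartner']) {
            for (Id brandId : brandsByAccount.get(u.AccountId)) {
                for (Id programId : programsByBrand.get(brandId)) {
                    shares.add(new Program__Share(ParentId = programId,
                        UserOrGroupId = u.Id, AccessLevel = 'Read', RowCause = cause));
                }
            }
        }
        insert shares;
    }
}
```

The dedicated sharing reason keeps these rows distinguishable from manual shares, so they can be audited and recalculated without touching other grants. The same recalculation has to run when a Partner_Brand__c row or a partner user changes, not only when a program does.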
Recommended Additional Reading: Getting Started With Salesforce Communities