Overview
This rule addresses a critical change in Salesforce's sharing model, where the roleAndSubordinates sharing group was removed to enhance data security, especially when digital experiences are enabled. To prevent unintended access for external site users, the default sharing group for roles and subordinates is being updated to Roles and Internal Subordinates (roleAndSubordinatesInternal). Consequently, all existing code, customizations, and applications that reference the older roleAndSubordinates group must be updated to explicitly use roleAndSubordinatesInternal.
Code Reviews classifies this issue as an Error because failure to update these references will lead to runtime failures and deployment issues once Salesforce enforces this change in your org. The tool is designed to identify all instances where roleAndSubordinates is referenced within your Salesforce metadata and code.
Why This Matters
The deprecation of roleAndSubordinates and the required transition to roleAndSubordinatesInternal is critical to:
Prevent Runtime Errors and Failures: Any logic, integrations, or customizations that continue to reference the roleAndSubordinates group after the enforcement date will fail at runtime, potentially disrupting critical business processes. Salesforce will dynamically update some references temporarily, but this will cease in API version 66.0 (Spring ’26).
Enhance Data Security: The change specifically aims to prevent unintended access to internal data for external site users if digital experiences are enabled. Adhering to this update ensures that your sharing model aligns with Salesforce's latest security standards.
Ensure Deployment Success: Deployments of Metadata API changes (e.g., for sharing rules or groups) that incorrectly reference roleAndSubordinates in orgs where the new behavior is enforced will result in errors like "sharedTo not allowed:roleAndSubordinates".
Maintain Application Integrity and Portability: Customizations relying on the outdated group will become brittle and non-portable across environments with different sharing behaviors, leading to increased technical debt.
Recommended approach
The best practice is to proactively identify and update all references to roleAndSubordinates to roleAndSubordinatesInternal in your Salesforce org. This ensures compatibility, security, and seamless operation post-enforcement.
Salesforce's Enforcement Timeline and Behavior:
Sandboxes: This change was enforced in sandboxes in Summer ’25 via the “Enable Secure Roles Behavior and Update Sharing Group References in Sandboxes” release update.
Production Orgs: The change will be enforced in production orgs in Winter ’26 via the “Enable Secure Roles Behavior and Update Sharing Group References in Production” release update.
Dynamic Updates (Temporary): After these release updates are enforced, Salesforce will dynamically update remaining roleAndSubordinates references to roleAndSubordinatesInternal to minimize immediate issues.
Dynamic Update Cessation: Salesforce will stop dynamically updating these references in API version 66.0 (Spring ’26) and later. Therefore, all necessary fixes must be made before updating to this API version.
Impacted Orgs:
The release update is enforced in all production orgs created after February 8, 2024, that haven’t enabled digital experiences.
The following orgs are not impacted by this specific release update because they already have the Roles and Internal Subordinates group by default:
Production orgs that have digital experiences enabled.
Production orgs created after February 8, 2024.
Production orgs where the “Enable Secure Roles Behavior and Update Sharing Group References in Sandboxes” release update was enabled using the test run (and the test run was not disabled).
Sandboxes that haven’t been refreshed since the behavior was enabled in Summer ’25.
Role Sharing Group Changes in Detail:
Group Name | Corresponding API Field | Description |
Winter ’26 (and later) | | |
Role (no changes) | | Users in the role plus users in roles above it in the hierarchy. Available by default. |
Roles and Internal Subordinates | | Users in the specified role plus all of the users in roles below that role, excluding site and portal roles. Available by default in all orgs. |
Roles, Internal and Portal Subordinates | | Users in the specified role plus all of the users in roles below that role, including site and portal roles. Only available when digital experiences is enabled for your org. |
Roles and Subordinates | | Previously used for users in the specified role plus all of the users in roles below that role. Deprecated as of Winter ’26 with dynamic reference updates stopping in API version 66.0 (Spring ’26). Use |
Summer ’25 (and earlier) | | |
Roles and Subordinates | | Users in the specified role plus all of the users in roles below that role. Only available in production orgs created before February 8, 2024, that don’t have digital experiences enabled. |
What Triggers This Rule
This rule is designed to identify and flag any explicit references to the deprecated roleAndSubordinates sharing group within your Apex code. The rule operates by looking for the literal string "roleAndSubordinates" in three primary contexts within Apex classes:
SOQL Identifiers:
Apex Literals:
General Expressions:
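A small scanner in the spirit of the literal search described above, added here as an example; it is not the Code Reviews implementation. The function name, the context labels, the case-insensitive matching and the two sample files are assumptions constructed for illustration. It goes slightly beyond Apex by also checking a sharing-rule metadata file, and it shows the detail that matters most in practice: roleAndSubordinatesInternal must not be flagged.

```python
import re

# Whole-token match, so roleAndSubordinatesInternal is never flagged.
# Case-insensitive matching is an assumption of this sketch (Apex and SOQL
# are case-insensitive); the rule itself is described as a literal search.
DEPRECATED = re.compile(r"(?<![A-Za-z0-9_])roleAndSubordinates(?![A-Za-z0-9_])", re.I)

def find_deprecated_refs(files):
    """Return sorted (path, line_no, context) tuples for deprecated references.

    `files` maps a path to its text. The context labels are this sketch's
    own, not the tool's: 'metadata-element' for an XML tag name,
    'string-literal' inside single quotes, 'identifier' otherwise.
    """
    findings = set()
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in DEPRECATED.finditer(line):
                # Drop escaped quotes so they do not skew the quote count.
                before = line[:m.start()].replace("\\'", "")
                if before.endswith(("<", "</")):
                    context = "metadata-element"
                elif before.count("'") % 2 == 1:
                    context = "string-literal"
                else:
                    context = "identifier"
                findings.add((path, line_no, context))
    return sorted(findings)

# Constructed sample inputs: a sharing rule and an Apex class, each holding
# one deprecated reference and one reference that is already correct.
SAMPLE_FILES = {
    "sharingRules/Account.sharingRules-meta.xml": """\
<sharingOwnerRules>
    <fullName>Constructed_Rule</fullName>
    <sharedFrom><roleAndSubordinatesInternal>Role_A</roleAndSubordinatesInternal></sharedFrom>
    <sharedTo><roleAndSubordinates>Role_B</roleAndSubordinates></sharedTo>
</sharingOwnerRules>
""",
    "classes/ShareHelper.cls": """\
public class ShareHelper {
    public static List<Group> legacyGroups() {
        return [SELECT Id FROM Group WHERE Type = 'RoleAndSubordinates'];
    }
    public static String internalType() { return 'RoleAndSubordinatesInternal'; }
}
""",
}

if __name__ == "__main__":
    for path, line_no, context in find_deprecated_refs(SAMPLE_FILES):
        print(f"{path}:{line_no}: {context}")
```

Each finding is a candidate for replacement with roleAndSubordinatesInternal; the sharedTo element on line 4 of the sample metadata is the kind of reference the deployment error quoted earlier refers to.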
Summary
This Error rule covers the upcoming removal of the roleAndSubordinates sharing group and its replacement with roleAndSubordinatesInternal in Salesforce. This change, enforced in production orgs in Winter ’26, is vital for enhancing data security, particularly with external site users and digital experiences.
Code Reviews detects all instances where the deprecated roleAndSubordinates group is referenced in your code and customizations, preventing runtime errors and deployment failures.
Proactively updating these references across all affected areas and thoroughly testing your changes is essential to ensure your Salesforce applications remain secure, functional, and compliant with the latest platform standards.
Reference: For more detailed information, please refer to the official Salesforce Knowledge Article: Role Sharing Group Changes.
