@salesforce/afv-skills 1.8.0 → 1.9.0

package/skills/generating-mermaid-diagrams/assets/oauth/user-agent-social-sign-on.md

@@ -0,0 +1,281 @@
+# User-Agent with Social Sign-On Flow Template
+
+OAuth 2.0 User-Agent flow combined with Social Sign-On (OIDC), where Salesforce acts as both the Authorization Provider (for the client) and the Relying Party (to the external OIDC Provider like Facebook, Google, etc.).
+
+## When to Use
+- Mobile apps or SPAs requiring social login (Google, Facebook, etc.)
+- When Salesforce is an intermediary between your app and social identity providers
+- User-Agent flow (implicit-like) with external OIDC authentication
+- Silent re-authentication scenarios (OP session cookies)
+
+## Mermaid Template
+
+```mermaid
+%%{init: {'theme': 'base', 'themeVariables': {
+  'actorBkg': '#ddd6fe',
+  'actorTextColor': '#1f2937',
+  'actorBorder': '#6d28d9',
+  'signalColor': '#334155',
+  'signalTextColor': '#1f2937',
+  'noteBkgColor': '#f8fafc',
+  'noteTextColor': '#1f2937',
+  'noteBorderColor': '#334155'
+}}}%%
+sequenceDiagram
+    autonumber
+
+    box rgba(165,243,252,0.3) CLIENT
+        participant C as 📱 Client<br/>(Mobile App)
+    end
+
+    box rgba(221,214,254,0.3) SALESFORCE
+        participant SF as ☁️ Salesforce<br/>(Auth Provider /<br/>Relying Party)
+    end
+
+    box rgba(254,215,170,0.3) OIDC PROVIDER
+        participant OP as 🔐 OIDC Provider<br/>(Google/Facebook)
+    end
+
+    Note over C,OP: User-Agent Flow with Social Sign-On (OIDC)
+
+    %% Phase 1: Initial Access Token Request
+    C->>SF: 📤 Access Token Request
+    Note over C,SF: GET /services/oauth2/authorize<br/>client_id, response_type=token<br/>redirect_uri, state, scope
+
+    SF->>SF: ⚙️ Check for RP session
+
+    %% Phase 2: Redirect to OIDC Provider
+    SF->>C: 📥 HTTP Redirect to OP
+    Note over SF,C: Redirect to OIDC authorize endpoint
+
+    C->>OP: 📤 Auth Code Request
+    Note over C,OP: GET /authorize<br/>response_type=code<br/>redirect_uri=/services/authglobalcallback<br/>scope, state
+
+    %% Phase 3: Authentication at OP
+    OP->>OP: ⚙️ Check for OP session
+    OP->>C: 📥 Display Login Page
+    C->>OP: 🔐 User authenticates
+
+    OP->>OP: ⚙️ Validate credentials
+    OP->>C: 📥 Display Consent Screen (first time only)
+    C->>OP: 🔐 User grants consent
+
+    OP->>OP: ⚙️ Generate authorization code
+
+    %% Phase 4: Return to Salesforce
+    OP->>C: 📥 HTTP Redirect to Salesforce
+    Note over OP,C: Redirect to /services/authglobalcallback<br/>?code=OP_AUTH_CODE&state=...
+
+    C->>SF: 📤 Deliver OP Auth Code
+    Note over C,SF: GET /services/authglobalcallback<br/>code=OP_AUTH_CODE, state
+
+    %% Phase 5: Salesforce exchanges code with OP
+    SF->>OP: 📤 Access Token Request
+    Note over SF,OP: POST to OP Token Endpoint<br/>client_id, client_secret<br/>code, redirect_uri, state
+
+    OP->>OP: ⚙️ Validate client & code
+
+    OP-->>SF: 📥 Access Token Response
+    Note over OP,SF: id_token (JWT)<br/>access_token<br/>refresh_token
+
+    SF->>SF: 🔐 Verify ID token signature
+
+    %% Phase 6: Optional UserInfo
+    rect rgba(248,250,252,0.5)
+        Note over SF,OP: Optional: UserInfo Endpoint
+        SF->>OP: 📤 Request User Information
+        Note over SF,OP: POST /userinfo<br/>Authorization: Bearer ACCESS_TOKEN
+        OP-->>SF: 📥 User Info Response
+        Note over OP,SF: User claims (email, name, etc.)
+        SF->>SF: 🔐 Validate sub matches ID token
+    end
+
+    %% Phase 7: Salesforce User Provisioning
+    SF->>SF: ⚙️ Invoke registration handler<br/>to create/update user
+
+    %% Phase 8: User Authorization for Salesforce
+    SF->>C: 📥 Display Salesforce Consent
+    Note over SF,C: "App requests:<br/>• API Access<br/>• Refresh Token"
+    C->>SF: 🔐 User grants Salesforce consent
+
+    %% Phase 9: Return tokens to Client
+    SF->>C: 📥 Redirect to Client Callback
+    Note over SF,C: Redirect URI with:<br/>access_token (Salesforce)<br/>refresh_token<br/>instance_url
+
+    C->>C: ⚙️ Store Salesforce tokens
+
+    %% Phase 10: API Usage
+    C->>SF: 📤 Use Salesforce APIs
+    Note over C,SF: Authorization: Bearer SF_ACCESS_TOKEN
+
+    SF-->>C: ✅ API Response
+
+    Note over C,SF: ⚠️ OP session cookie enables<br/>silent re-auth (~15 min)
+```
+
+## ASCII Fallback Template
+
+```
+┌────────────────┐     ┌────────────────────┐     ┌─────────────────────┐
+│     Client     │     │    Salesforce      │     │   OIDC Provider     │
+│  (Mobile App)  │     │ (Auth/RP Server)   │     │  (Google/Facebook)  │
+└───────┬────────┘     └─────────┬──────────┘     └──────────┬──────────┘
+        │                        │                           │
+        │  1. Access Token Req   │                           │
+        │    (response_type=     │                           │
+        │     token)             │                           │
+        │───────────────────────>│                           │
+        │                        │                           │
+        │  2. Redirect to OP     │                           │
+        │<───────────────────────│                           │
+        │                        │                           │
+        │  3. Auth Code Request (response_type=code)         │
+        │────────────────────────────────────────────────────>│
+        │                        │                           │
+        │           4. Login Page                            │
+        │<────────────────────────────────────────────────────│
+        │                        │                           │
+        │  5. Enter Credentials (authenticate)               │
+        │────────────────────────────────────────────────────>│
+        │                        │                           │
+        │           6. Consent Screen (first time)           │
+        │<────────────────────────────────────────────────────│
+        │                        │                           │
+        │  7. Grant Consent                                  │
+        │────────────────────────────────────────────────────>│
+        │                        │                           │
+        │  8. Redirect with ?code=OP_AUTH_CODE               │
+        │<────────────────────────────────────────────────────│
+        │                        │                           │
+        │  9. Deliver OP Code    │                           │
+        │───────────────────────>│                           │
+        │                        │                           │
+        │                        │  10. POST Token Request   │
+        │                        │      (code, secret)       │
+        │                        │──────────────────────────>│
+        │                        │                           │
+        │                        │  11. ID Token + Access    │
+        │                        │      Token Response       │
+        │                        │<──────────────────────────│
+        │                        │                           │
+        │                        │  [Optional: UserInfo]     │
+        │                        │  12. GET /userinfo        │
+        │                        │──────────────────────────>│
+        │                        │                           │
+        │                        │  13. User Claims          │
+        │                        │<──────────────────────────│
+        │                        │                           │
+        │                        │  14. Registration Handler │
+        │                        │      (create/update user) │
+        │                        ├─────────────┐             │
+        │                        │             │             │
+        │                        │<────────────┘             │
+        │                        │                           │
+        │  15. SF Consent Screen │                           │
+        │<───────────────────────│                           │
+        │                        │                           │
+        │  16. Grant SF Consent  │                           │
+        │───────────────────────>│                           │
+        │                        │                           │
+        │  17. Redirect with     │                           │
+        │      SF Access Token   │                           │
+        │      + Refresh Token   │                           │
+        │<───────────────────────│                           │
+        │                        │                           │
+        │  18. Call SF APIs      │                           │
+        │───────────────────────>│                           │
+        │                        │                           │
+        │  19. API Response ✅   │                           │
+        │<───────────────────────│                           │
+```
+
+## Key Concepts
+
+### Dual Role of Salesforce
+
+| Role | Context | Responsibility |
+|------|---------|----------------|
+| **Authorization Provider** | OAuth flow with Client | Issues access tokens to your app |
+| **Relying Party (RP)** | OIDC flow with Social Provider | Consumes ID tokens from Google/Facebook |
+
+### Authentication Endpoints
+
+| System | Endpoint | Purpose |
+|--------|----------|---------|
+| Salesforce Auth | `/services/oauth2/authorize` | Start User-Agent flow |
+| Salesforce Callback | `/services/authglobalcallback` | Receive OP auth code |
+| Salesforce Token | `/services/oauth2/token` | (Not used in User-Agent) |
+| OP Authorization | Provider-specific | `/authorize` endpoint |
+| OP Token | Provider-specific | Exchange code for tokens |
+| OP UserInfo | Provider-specific | Get user profile claims |
+
+## Security Considerations
+
+1. **OP Session Cookies** - Enable silent re-authentication (~15 min intervals)
+2. **ID Token Validation** - Salesforce verifies JWT signature from OP
+3. **Sub Claim Matching** - UserInfo `sub` must match ID token `sub`
+4. **State Parameter** - CSRF protection between all parties
+5. **Registration Handler** - Custom Apex to map OP user to Salesforce User
+
+## Salesforce Configuration
+
+### Auth. Provider Setup
+
+```
+Setup → Auth. Providers → New
+├── Provider Type: OpenID Connect (or specific: Google, Facebook)
+├── Consumer Key: [From OP Developer Console]
+├── Consumer Secret: [From OP Developer Console]
+├── Authorize Endpoint: https://provider.com/authorize
+├── Token Endpoint: https://provider.com/token
+├── User Info Endpoint: https://provider.com/userinfo (optional)
+└── Registration Handler: [Your Apex Class]
+```
+
+### Registration Handler Example
+
+```apex
+public class SocialLoginHandler implements Auth.RegistrationHandler {
+    public User createUser(Id portalId, Auth.UserData data) {
+        // Map social identity to Salesforce User
+        User u = new User();
+        u.Username = data.email + '.social';
+        u.Email = data.email;
+        u.FirstName = data.firstName;
+        u.LastName = data.lastName;
+        // ... additional mapping
+        return u;
+    }
+
+    public void updateUser(Id userId, Id portalId, Auth.UserData data) {
+        // Update existing user on subsequent logins
+        User u = [SELECT Id FROM User WHERE Id = :userId];
+        u.Email = data.email;
+        update u;
+    }
+}
+```
+
+## Token Types
+
+| Token | Issued By | Purpose |
+|-------|-----------|---------|
+| OP Auth Code | OIDC Provider | Short-lived, exchanged by SF |
+| OP ID Token | OIDC Provider | JWT with user identity claims |
+| OP Access Token | OIDC Provider | Used by SF to call OP UserInfo |
+| SF Access Token | Salesforce | Used by Client to call SF APIs |
+| SF Refresh Token | Salesforce | Long-lived, refresh SF access |
+
+## Customization Points
+
+Replace these placeholders:
+- `CLIENT_ID` → Your Connected App's Consumer Key
+- `CALLBACK_URL` → Your registered callback URL
+- `OP_CLIENT_ID` → Consumer Key from Social Provider
+- `OP_CLIENT_SECRET` → Consumer Secret from Social Provider
+
+## Reference
+
+- [Salesforce Identity: User-Agent with Social Sign-On](https://cloudsundial.com/salesforce-identity/user-agent-with-social-sign-on)
+- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
+- [Salesforce Auth. Providers Documentation](https://help.salesforce.com/s/articleView?id=sf.sso_provider_openidconnect.htm)

package/skills/generating-mermaid-diagrams/assets/role-hierarchy/user-hierarchy.md

@@ -0,0 +1,322 @@
+# Role Hierarchy Diagram Template
+
+Flowchart template for visualizing Salesforce role hierarchies and permission structures.
+
+## When to Use
+- Documenting org security model
+- Planning role hierarchy changes
+- Explaining data access patterns
+- Security review presentations
+
+## Mermaid Template - Sales Role Hierarchy
+
+```mermaid
+%%{init: {"flowchart": {"nodeSpacing": 80, "rankSpacing": 70}} }%%
+flowchart TB
+    subgraph legend["📋 LEGEND"]
+        direction LR
+        L1[Role]
+        L2([Profile])
+        L3{{Permission Set}}
+    end
+
+    CEO[CEO]
+
+    subgraph sales["SALES ORGANIZATION"]
+        direction TB
+        VP_SALES[VP of Sales]
+
+        subgraph regions["REGIONAL DIRECTORS"]
+            direction LR
+            DIR_WEST[Director - West]
+            DIR_EAST[Director - East]
+            DIR_CENTRAL[Director - Central]
+        end
+
+        subgraph managers["SALES MANAGERS"]
+            direction LR
+            MGR_W1[Manager - SF]
+            MGR_W2[Manager - LA]
+            MGR_E1[Manager - NYC]
+            MGR_E2[Manager - Boston]
+            MGR_C1[Manager - Chicago]
+            MGR_C2[Manager - Dallas]
+        end
+
+        subgraph reps["SALES REPRESENTATIVES"]
+            direction LR
+            REP_W[West Reps<br/>12 users]
+            REP_E[East Reps<br/>15 users]
+            REP_C[Central Reps<br/>10 users]
+        end
+    end
+
+    subgraph service["SERVICE ORGANIZATION"]
+        direction TB
+        VP_SVC[VP of Service]
+
+        SVC_MGR[Service Manager]
+
+        subgraph agents["SERVICE AGENTS"]
+            direction LR
+            AGENT_T1[Tier 1 Support<br/>20 users]
+            AGENT_T2[Tier 2 Support<br/>8 users]
+        end
+    end
+
+    %% Hierarchy connections
+    CEO --> VP_SALES
+    CEO --> VP_SVC
+
+    VP_SALES --> DIR_WEST
+    VP_SALES --> DIR_EAST
+    VP_SALES --> DIR_CENTRAL
+
+    DIR_WEST --> MGR_W1
+    DIR_WEST --> MGR_W2
+    DIR_EAST --> MGR_E1
+    DIR_EAST --> MGR_E2
+    DIR_CENTRAL --> MGR_C1
+    DIR_CENTRAL --> MGR_C2
+
+    MGR_W1 --> REP_W
+    MGR_W2 --> REP_W
+    MGR_E1 --> REP_E
+    MGR_E2 --> REP_E
+    MGR_C1 --> REP_C
+    MGR_C2 --> REP_C
+
+    VP_SVC --> SVC_MGR
+    SVC_MGR --> AGENT_T1
+    SVC_MGR --> AGENT_T2
+
+    %% Node Styling - Pastel palette (Tailwind 200-level)
+    style CEO fill:#fbcfe8,stroke:#be185d,color:#1f2937
+    style VP_SALES fill:#ddd6fe,stroke:#6d28d9,color:#1f2937
+    style VP_SVC fill:#ddd6fe,stroke:#6d28d9,color:#1f2937
+    style DIR_WEST fill:#c7d2fe,stroke:#4338ca,color:#1f2937
+    style DIR_EAST fill:#c7d2fe,stroke:#4338ca,color:#1f2937
+    style DIR_CENTRAL fill:#c7d2fe,stroke:#4338ca,color:#1f2937
+    style MGR_W1 fill:#a5f3fc,stroke:#0e7490,color:#1f2937
+    style MGR_W2 fill:#a5f3fc,stroke:#0e7490,color:#1f2937
+    style MGR_E1 fill:#a5f3fc,stroke:#0e7490,color:#1f2937
+    style MGR_E2 fill:#a5f3fc,stroke:#0e7490,color:#1f2937
+    style MGR_C1 fill:#a5f3fc,stroke:#0e7490,color:#1f2937
+    style MGR_C2 fill:#a5f3fc,stroke:#0e7490,color:#1f2937
+    style SVC_MGR fill:#a5f3fc,stroke:#0e7490,color:#1f2937
+    style REP_W fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style REP_E fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style REP_C fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style AGENT_T1 fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style AGENT_T2 fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style L1 fill:#e2e8f0,stroke:#334155,color:#1f2937
+    style L2 fill:#e2e8f0,stroke:#334155,color:#1f2937
+    style L3 fill:#e2e8f0,stroke:#334155,color:#1f2937
+
+    %% Subgraph Styling - 50-level fills with dashed borders
+    style legend fill:#f8fafc,stroke:#334155,stroke-dasharray:5
+    style sales fill:#f5f3ff,stroke:#6d28d9,stroke-dasharray:5
+    style regions fill:#eef2ff,stroke:#4338ca,stroke-dasharray:5
+    style managers fill:#ecfeff,stroke:#0e7490,stroke-dasharray:5
+    style reps fill:#ecfdf5,stroke:#047857,stroke-dasharray:5
+    style service fill:#f5f3ff,stroke:#6d28d9,stroke-dasharray:5
+    style agents fill:#ecfdf5,stroke:#047857,stroke-dasharray:5
+```
+
+## Mermaid Template - Profile & Permission Set Structure
+
+```mermaid
+%%{init: {"flowchart": {"nodeSpacing": 80, "rankSpacing": 70}} }%%
+flowchart TB
+    subgraph profiles["📋 PROFILES - BASE ACCESS"]
+        direction LR
+        P_ADMIN([System Admin])
+        P_SALES([Sales User])
+        P_SVC([Service User])
+        P_MKTG([Marketing User])
+        P_PARTNER([Partner Community])
+    end
+
+    subgraph psets["🔐 PERMISSION SETS - ADDITIVE"]
+        direction TB
+
+        subgraph functional["FUNCTIONAL PERMISSIONS"]
+            PS_API{{API Access}}
+            PS_REPORTS{{Advanced Reports}}
+            PS_FLOW{{Flow Admin}}
+        end
+
+        subgraph feature["FEATURE PERMISSIONS"]
+            PS_CPQ{{CPQ User}}
+            PS_EINSTEIN{{Einstein Analytics}}
+            PS_INBOX{{Sales Engagement}}
+        end
+
+        subgraph object["OBJECT PERMISSIONS"]
+            PS_INVOICE{{Invoice Manager}}
+            PS_CONTRACT{{Contract Editor}}
+            PS_PRODUCT{{Product Admin}}
+        end
+    end
+
+    subgraph groups["👥 PERMISSION SET GROUPS"]
+        direction LR
+        PSG_SALES_FULL{{Sales Full Access}}
+        PSG_SVC_FULL{{Service Full Access}}
+    end
+
+    %% Profile assignments
+    P_SALES --> PSG_SALES_FULL
+    P_SVC --> PSG_SVC_FULL
+
+    %% Group composition
+    PS_API --> PSG_SALES_FULL
+    PS_CPQ --> PSG_SALES_FULL
+    PS_EINSTEIN --> PSG_SALES_FULL
+    PS_INBOX --> PSG_SALES_FULL
+
+    PS_API --> PSG_SVC_FULL
+    PS_REPORTS --> PSG_SVC_FULL
+
+    %% Node Styling - Profiles (violet-200)
+    style P_ADMIN fill:#ddd6fe,stroke:#6d28d9,color:#1f2937
+    style P_SALES fill:#ddd6fe,stroke:#6d28d9,color:#1f2937
+    style P_SVC fill:#ddd6fe,stroke:#6d28d9,color:#1f2937
+    style P_MKTG fill:#ddd6fe,stroke:#6d28d9,color:#1f2937
+    style P_PARTNER fill:#ddd6fe,stroke:#6d28d9,color:#1f2937
+
+    %% Node Styling - Permission Sets (emerald-200)
+    style PS_API fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style PS_REPORTS fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style PS_FLOW fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style PS_CPQ fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style PS_EINSTEIN fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style PS_INBOX fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style PS_INVOICE fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style PS_CONTRACT fill:#a7f3d0,stroke:#047857,color:#1f2937
+    style PS_PRODUCT fill:#a7f3d0,stroke:#047857,color:#1f2937
+
+    %% Node Styling - Groups (orange-200)
+    style PSG_SALES_FULL fill:#fed7aa,stroke:#c2410c,color:#1f2937
+    style PSG_SVC_FULL fill:#fed7aa,stroke:#c2410c,color:#1f2937
+
+    %% Subgraph Styling - 50-level fills with dashed borders
+    style profiles fill:#f5f3ff,stroke:#6d28d9,stroke-dasharray:5
+    style psets fill:#ecfdf5,stroke:#047857,stroke-dasharray:5
+    style functional fill:#ecfdf5,stroke:#047857,stroke-dasharray:5
+    style feature fill:#ecfdf5,stroke:#047857,stroke-dasharray:5
+    style object fill:#ecfdf5,stroke:#047857,stroke-dasharray:5
+    style groups fill:#fff7ed,stroke:#c2410c,stroke-dasharray:5
+```
+
+## ASCII Fallback Template
+
+```
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                           ROLE HIERARCHY                                    │
+└─────────────────────────────────────────────────────────────────────────────┘
+
+                                   ┌─────────┐
+                                   │   CEO   │
+                                   └────┬────┘
+                                        │
+                    ┌───────────────────┴───────────────────┐
+                    │                                       │
+             ┌──────▼──────┐                        ┌──────▼──────┐
+             │ VP of Sales │                        │ VP of Svc   │
+             └──────┬──────┘                        └──────┬──────┘
+                    │                                      │
+     ┌──────────────┼──────────────┐              ┌────────▼────────┐
+     │              │              │              │ Service Manager │
+     ▼              ▼              ▼              └────────┬────────┘
+┌─────────┐  ┌─────────┐  ┌─────────┐                     │
+│Director │  │Director │  │Director │          ┌──────────┼──────────┐
+│  West   │  │  East   │  │ Central │          ▼          ▼          │
+└────┬────┘  └────┬────┘  └────┬────┘    ┌─────────┐ ┌─────────┐    │
+     │            │            │         │ Tier 1  │ │ Tier 2  │    │
+     ▼            ▼            ▼         │ Support │ │ Support │    │
+┌─────────┐ ┌─────────┐ ┌─────────┐      │ (20)    │ │  (8)    │    │
+│Manager  │ │Manager  │ │Manager  │      └─────────┘ └─────────┘    │
+│SF | LA  │ │NYC|BOS  │ │CHI|DAL  │                                 │
+└────┬────┘ └────┬────┘ └────┬────┘                                 │
+     │           │           │                                       │
+     ▼           ▼           ▼                                       │
+┌─────────┐ ┌─────────┐ ┌─────────┐                                 │
+│ West    │ │ East    │ │ Central │                                 │
+│ Reps    │ │ Reps    │ │ Reps    │                                 │
+│  (12)   │ │  (15)   │ │  (10)   │                                 │
+└─────────┘ └─────────┘ └─────────┘                                 │
+
+┌─────────────────────────────────────────────────────────────────────────────┐
+│  DATA ACCESS FLOW                                                           │
+│  ─────────────────                                                          │
+│  • Roles ABOVE can see records owned by roles BELOW                         │
+│  • CEO sees ALL sales and service data                                      │
+│  • VP Sales sees all sales data, NOT service data                           │
+│  • Managers see only their team's records                                   │
+│  • Reps see only their own records                                          │
+└─────────────────────────────────────────────────────────────────────────────┘
+```
+
+## Security Components
+
+| Component | Purpose | Shape |
+|-----------|---------|-------|
+| Role | Data visibility hierarchy | Rectangle |
+| Profile | Base object/field access | Rounded |
+| Permission Set | Additive permissions | Hexagon |
+| Permission Set Group | Bundle of perm sets | Hexagon (orange) |
+
+## Data Access Patterns
+
+### OWD (Organization-Wide Defaults)
+
+| Setting | Meaning |
+|---------|---------|
+| Private | Owner + hierarchy above |
+| Public Read Only | All can view |
+| Public Read/Write | All can edit |
+| Controlled by Parent | Inherits from master |
+
+### Sharing Rules
+
+```mermaid
+%%{init: {"flowchart": {"nodeSpacing": 80, "rankSpacing": 70}} }%%
+flowchart LR
+    OWD[OWD: Private]
+    SHARE[Sharing Rule]
+    APEX[Apex Sharing]
+
+    OWD --> SHARE --> APEX
+
+    subgraph access["ACCESS EXPANSION"]
+        ROLE[Role-based]
+        CRITERIA[Criteria-based]
+        MANUAL[Manual]
+    end
+
+    SHARE --> access
+
+    style OWD fill:#fde68a,stroke:#b45309,color:#1f2937
+    style SHARE fill:#a5f3fc,stroke:#0e7490,color:#1f2937
+    style APEX fill:#ddd6fe,stroke:#6d28d9,color:#1f2937
+    style ROLE fill:#c7d2fe,stroke:#4338ca,color:#1f2937
+    style CRITERIA fill:#c7d2fe,stroke:#4338ca,color:#1f2937
+    style MANUAL fill:#c7d2fe,stroke:#4338ca,color:#1f2937
+    style access fill:#eef2ff,stroke:#4338ca,stroke-dasharray:5
+```
+
+## Best Practices
+
+1. **Minimize role levels** - 3-5 levels max
+2. **Use Permission Set Groups** - Easier to manage
+3. **Document exceptions** - Note any sharing rules
+4. **Show user counts** - Understand scale
+5. **Include profiles** - Show base access
+
+## Customization Points
+
+- Replace example roles with actual org structure
+- Add specific user counts
+- Include custom permission sets
+- Show sharing rule exceptions