We are turning on org unit security for a group of customers and will need a role with access to all org units in each of those environments. Is that something we can deliver from RP dev that will work in downstream environments or do we have to rebuild that role in each customer environment?
Also, is it best practice for the field being used for org unit security to be a required field? Does a record become unviewable if OUS is turned on and that field is null?
Based on my reading of help, shipping a All Org Units permission seems valid and should work in downstream environments.
I don’t think it is a best practice, and making it required or leaving it optional will depend on the underlying data architecture. Org Unit fields can be empty by design for situations such as global records that should be accessible to all org units. Per help:
All Org Units this Grants access to all org units in all tables, including records with an empty or null valueEmpty Org Units this Grants access to all records in all tables which have a null or empty value in the defined Org Unit Security FieldSo it will only become unviewable to users who don’t have either of the above if the Org Unit Security Field is left empty.
