Who can see a file in Salesforce? File access, explained
How Salesforce decides who can see a file: private shares, files attached to records, library files, public links and guest users — and how to check access.
File access in Salesforce confuses people because it doesn’t work like record access — until you realize it’s built on record access. A “file” today is a ContentDocument (the Salesforce Files model), and it can become visible through several independent paths at once.
This guide walks through every way someone can end up able to see a file, and how to check which one applies.
The five paths to seeing a file
A user can see a file if any one of these is true:
- They own it — they uploaded it.
- It’s shared directly with them — via the file’s Share button, as a Viewer or Collaborator.
- They can see a record it’s attached to — file access is inherited from the record.
- They’re a member of a library it lives in — with the library’s permission level.
- They have a public link — anyone with the URL, no login required.
Like record access, file access is additive: the most permissive path wins. This mirrors the record sharing model — one grant is enough.
Path that surprises people: files attached to records
This is the big one. When you drag a file onto an Account, Opportunity, or Case, Salesforce creates a ContentDocumentLink between the file and that record. From then on:
Anyone who can see the record can see — and usually download — the file.
So a file’s audience is exactly the record’s audience. If three sales managers can see the Opportunity through the role hierarchy, all three can see its files. Lock down the record and you lock down the file; widen the record’s sharing and the file follows.
Sharing type: Viewer, Collaborator, Inferred
Each file-to-record (or file-to-user) link carries a ShareType:
| Type | Code | What they can do |
|---|---|---|
| Viewer | V | Open and download the file |
| Collaborator | C | View, edit, upload new versions, change sharing |
| Inferred | I | View/edit level inherited from access to the attached record |
Inferred access is why a user who can edit a record may also be able to edit its files.
Library (ContentWorkspace) files
Files can live in a library. Membership in that library — and the permission level assigned (Viewer, Author, etc.) — governs who can see and manage those files, independently of any record.
Public links bypass everything
Creating a public link generates a URL that works for anyone, inside or outside your company, with no login:
- Recipients can view and download — they can’t collaborate.
- Expiration dates are on by default (typically 90 days out) and can be shortened.
- You can add a password.
Because a public link ignores the sharing model entirely, treat it like a credential: set expiry, add a password for anything sensitive, and delete links you no longer need.
Why “shared” files sometimes vanish from reports
A file attached to a record is considered privately shared via the record, not shared directly with users. As a result it won’t appear in the standard File and Content reports, regardless of its sharing settings. To make a file report-visible, share it directly with the user via the file’s Share button. This is a frequent “the file is missing” support ticket — it’s working as designed.
How to check who can see a specific file
- Open the file and use Share to see direct user/group shares and the sharing type.
- List the records it’s attached to — each one’s audience can see the file.
- Check whether it lives in a library, and who’s a member.
- Look for an active public link.
The catch: a file attached to several records inherits each record’s full audience — role hierarchy, sharing rules, teams and all. Reconstructing that by hand is exactly the work that hides accidental exposure.
AgentForceAccess answers “who can see this file, and why” the same way it does for records — tracing every record the file rides on and every share that exposes it, in plain English.
Frequently asked questions
If I attach a file to an Opportunity, who can see it?
Everyone who can see that Opportunity. File access on a record is inherited from record access — so the same role hierarchy, sharing rules and manual shares that expose the record also expose its files. Restrict the record and you restrict the file.
Why can a colleague not see a file I shared on a record?
Most often they do not have access to the record itself, or the file was shared with a different record. Files attached to records are privately shared via the record, so they also do not appear in the standard File and Content reports — share the file directly with the user to make it report-visible.
Are public file links secure?
They trade security for convenience. Anyone with the URL can view and download the file with no login — so treat a public link like a password. Set an expiration date and a password where possible, and delete links you no longer need.
What is the difference between Viewer and Collaborator on a file?
Viewer can open and download the file. Collaborator can additionally edit it, upload new versions and change sharing. A third type, Inferred access, is the view/edit level a user gets because they have access to a record the file is attached to.
See it on your own org
AgentForceAccess explains, in plain English, why any user can see any record or file — across every Salesforce sharing mechanism.
Request early access