Sharing rules
Widen record visibility with criteria-based sharing rules and manual shares, enforced live and logged to an append-only audit ledger.
Sharing rules let you open up record visibility beyond the default ownership model — granting specific users, roles, or territories access to records that match the conditions you define.
Admin only
Sharing rules are managed at /settings/sharing-rules and require administrator access. Because they change who can see what, treat every rule as a security decision.
What a rule contains
A sharing rule is criteria-based: it widens who can see records that match its conditions. Each rule has:
| Field | Default | What it does |
|---|---|---|
| Record type | — | The kind of record the rule applies to |
| Match conditions | — | The criteria a record must meet |
| Grant target | — | Who gets access: a user, a role, or a territory |
| Access level | Full | The level of access granted |
| Priority | — | Resolves precedence between rules |
| Enabled | — | Whether the rule is active |
When a rule runs, it materializes into record-share grants — concrete entries that say "this target can see this record."
Manual shares
Beyond rules, you can create a one-off manual share of a single record with a specific user. A manual share can optionally carry an expiry, so you can grant temporary access that automatically lapses.
Enforcement and auditing
Sharing in Pact is real and in the live visibility path. A grant actually widens what the granted user can see — it is not advisory. When you recompute a rule, Pact re-materializes its grants across all matching records, so the rule's effect stays in sync as your data changes.
Every change is logged
Every grant and revoke is written to an append-only audit ledger. You get a complete, tamper-evident history of who was granted or lost access to what, and when — which is exactly what auditors and security reviews ask for.