To control access to the Review custom object such that only the HR department and the submitting employee can see the reviews, the following steps should be taken:
A: Disable Grant Access Using Hierarchies:
By default, Salesforce allows users higher in the role hierarchy to access records owned by users lower in the hierarchy. Since reviews should only be visible to HR and the submitting employee, you need to disable Grant Access Using Hierarchies on the Review object to prevent anyone else in the hierarchy from automatically gaining access to these records.
Reference:
C: Create a criteria-based Sharing Rule for the HR Department:
With the organization-wide default (OWD) set to Private, you'll need to create a criteria-based sharing rule to ensure that HR users can view the Review records. This rule would give HR access to the records based on a specified condition, such as all records of the Review object.
E: Set organization-wide default to Private:
Setting the organization-wide default (OWD) for the Review object to Private ensures that no user, other than the record owner (the submitting employee) and those explicitly granted access (HR), can see the Review records by default.
Why the other options are incorrect:
Option B: Add a Master-Detail (User) field on the Review object:
This is not necessary in this scenario because the primary relationship is about controlling access through sharing rules, not creating a master-detail relationship. Moreover, this would complicate access control, which is better managed via sharing settings.
Option D: Remove Review Read permission from non-HR Department user Profiles:
This step is redundant if the organization-wide default is set to Private. Profile permissions control the general ability to access the object, while the visibility of specific records is controlled by sharing rules and OWD. Removing read access via profiles would block all users, including the ones submitting the reviews, from accessing the object.
In summary, by disabling Grant Access Using Hierarchies, setting OWD to Private, and implementing a criteria-based sharing rule for HR, you can ensure that only HR and the submitting employee can view Review records.
Reference:
Record Sharing Overview