Restriction Rules in Salesforce
In this article, let's look at how restriction rules are used in Salesforce and what their limitations are. Restriction rules improve security by allowing specific users to access only specific records. They can prevent users from accessing records containing sensitive data or information that isn’t required for their job. Restriction rules are available for custom objects, external objects, contracts, events, tasks, time sheets, and time sheet entries. They can be configured in the Object Manager or via the Tooling or Metadata API.
When a restriction rule is applied to a user, the records that the user is granted access to through org-wide defaults, sharing rules, and other sharing mechanisms are filtered by the criteria that you specify. For example, users see only records that meet the restriction rule’s criteria when they navigate to the Today’s Tasks tab or a list view for activities. If a user has a link to a record that is no longer accessible as a result of a restriction rule, the user receives an error message.
Keep in mind these considerations before creating a restriction rule on an external object:
- External object restriction rules do not include organization-wide defaults or sharing mechanisms.
- Restriction rules are supported only by Salesforce Connect external objects: OData 2.0, OData 4.0, and Cross-Org adapters.
- When a rule is applied to a user, external objects created with the Cross-Org adapter do not support search or SOSL. Salesforce provides search results for the most recently viewed records.
- It is recommended to disable search for external objects.
- External objects created with the Salesforce Connect custom adapter are incompatible with restriction rules.
When Should I Apply Restriction Rules?
When you want specific users to see only a subset of records, use restriction rules. Restriction rules can control access to records containing sensitive or confidential information. Because it can be difficult to make access to contracts, tasks, and events truly private using organization-wide defaults, restriction rules are the best way to configure this visibility.
For example, you may have competing sales teams that cannot see each other’s activities, even if they are on the same account. You can use restriction rules to ensure sales teams see only relevant activities. Alternatively, if you provide confidential services to multiple people, use restriction rules so that only team members who support these people can see related tasks.
When creating multiple restriction rules or scoping rules, configure them so that only one active rule applies to a given user. Salesforce does not validate that a user has only one active rule. If you create two active rules and both apply to the same user, only one of them is observed.
We recommend turning off Salesforce Classic for Your Organization before creating restriction rules. Salesforce cannot guarantee that restriction rules will function properly for end users using Salesforce Classic.
What Effect Do Restriction Rules Have on Other Sharing Options?
Users are granted access to records based on your organization-wide defaults and other sharing mechanisms, such as sharing rules or enterprise territory management.
When you apply a restriction rule to a user, the data they had read access to via your sharing settings is further scoped to only records matching the record filter. This behavior is similar to filtering results in a list view or report, but it is permanent. The number of records visible to the user can vary greatly depending on the record filter value.
How Do I Set Up Restriction Rules?
You can create and manage restriction rules by navigating to a supported object in the Object Manager or by using the Tooling API or Metadata API. In Enterprise and Developer Editions, you can create up to two active restriction rules per object. In Performance and Unlimited Editions, you can create up to five active restriction rules per object.
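Because Salesforce does not validate that only one active rule applies to a user, and the number of active rules per object is capped by edition, both conditions are worth checking before rules are deployed. The Python below is an added example, not code from the original article or from Salesforce: it assumes rules are kept as Metadata API `RestrictionRule` XML with the elements `active`, `masterLabel`, `targetEntity`, `userCriteria` and `recordFilter`, and the sample rules and the helper names `parse_rule`, `audit` and `sample` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Active rules allowed per object, by edition, as stated in the article.
LIMITS = {"Enterprise": 2, "Developer": 2, "Performance": 5, "Unlimited": 5}

def parse_rule(xml_text):
    """Pull the fields the audit needs out of one RestrictionRule file."""
    root = ET.fromstring(xml_text)
    get = lambda tag: root.findtext(f"md:{tag}", default="", namespaces=NS).strip()
    return {"label": get("masterLabel"), "object": get("targetEntity"),
            "active": get("active").lower() == "true",
            # Collapse whitespace so identical criteria compare equal.
            "users": re.sub(r"\s+", " ", get("userCriteria"))}

def audit(rule_files, edition):
    """Flag objects over the active-rule limit and rules aimed at the same users."""
    by_object = defaultdict(list)
    for rule in map(parse_rule, rule_files):
        if rule["active"]:
            by_object[rule["object"]].append(rule)
    findings = []
    for obj, rules in sorted(by_object.items()):
        if len(rules) > LIMITS[edition]:
            findings.append(("LIMIT", obj, sorted(r["label"] for r in rules)))
        by_users = defaultdict(list)
        for r in rules:
            by_users[r["users"]].append(r["label"])
        findings += [("OVERLAP", obj, sorted(labels))
                     for labels in by_users.values() if len(labels) > 1]
    return findings

def sample(label, active, obj, users, records):
    """Build a constructed rule file (element layout is an assumption)."""
    return (f'<RestrictionRule xmlns="{NS["md"]}"><active>{active}</active>'
            f"<masterLabel>{label}</masterLabel><targetEntity>{obj}</targetEntity>"
            f"<userCriteria>{users}</userCriteria><recordFilter>{records}</recordFilter>"
            "<enforcementType>Restrict</enforcementType></RestrictionRule>")

# Constructed sample data: three active Task rules and one inactive one.
SAMPLES = [
    sample("Own tasks", "true", "Task", "$User.ProfileId = '00exxxxxxxxxxxx'", "OwnerId = $User.Id"),
    sample("Team tasks", "true", "Task", "$User.ProfileId  =  '00exxxxxxxxxxxx'", "Type = 'Call'"),
    sample("Role tasks", "true", "Task", "$User.UserRoleId = '00Exxxxxxxxxxxx'", "OwnerId = $User.Id"),
    sample("Retired", "false", "Task", "$User.ProfileId = '00exxxxxxxxxxxx'", "OwnerId = $User.Id"),
]
FINDINGS = audit(SAMPLES, "Enterprise")  # one LIMIT and one OVERLAP finding
```

The overlap check only catches rules whose user criteria are textually identical. Rules keyed on different attributes (one on role, one on profile) can still apply to the same user, and confirming that requires checking actual user assignments.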
Where Are Restriction Rules Available?
Restriction rules are available for custom objects, external objects, contracts, events, tasks, time sheets, and time sheet entries. The following Salesforce features are subject to restriction rules:
- List Views
- Lookups
- Related Lists
- Reports
- Search
- SOQL
- SOSL
Example:
Allow Users to See Only Specified Record Type
This restriction rule allows the designated users to see only the records that have a specified record type.
CRITERIA | CLICK PATH | FIELD | OPERATOR | TYPE | VALUE |
---|---|---|---|---|---|
User Criteria | | [$User].UserRoleId | Equals | ID | 00Exxxxxxxxxxxx |
Record Criteria | | [Object].RecordType.Name | Equals | String | Sample Record Type Name |
Allow Users to See Only Records That They Own
This restriction rule allows users with the designated profile to see only the tasks that they own.
CRITERIA | CLICK PATH | FIELD | OPERATOR | TYPE | VALUE |
---|---|---|---|---|---|
User Criteria | | [$User].ProfileId | Equals | ID | 00exxxxxxxxxxxx |
Record Criteria | | [Task].Owner:User.Id | Equals | Current User | $User.Id |