Salesforce Restriction Rules: How to Restrict Record Access

Share this article...

Previously in beta, Restriction Rules are now a generally available feature from the Winter ‘22 release. 

Restriction Rules can be used to restrict what records users can see – the clue is in the name!

Traditionally, Salesforce was all about opening up record access to users, so where do Restriction Rules fit in and why do we need them?

Where can I use Restrictions Rules?

With traditional sharing methods, you could open up access to records within the system, but there were some considerations with this method.

If you have a Custom Object as the child in a master-detail relationship, its access defaults to ‘Controlled by Parent’. This means if a user can see the parent record, they can see the child record. Restriction Rules will enable you to selectively share these child records.

For example ‘Account Reviews’ linked to ‘Account’ via a master-detail relationship:

With Restriction Rules, you can apply filters to determine which child records (in this example Account Reviews) a user should be able to see, using User/Permission Criteria combined with Record Criteria.

For example, you could share Account Reviews records if the current User is within the Account Manager field on the record and they have a specific profile.

Another great use for Restriction Rules is Tasks. Within Salesforce, Tasks can be ‘Private’ or ‘Controlled by Parent’ meaning they can see a Task if they can see the related parent record.

You could use Restriction Rules to only show Tasks that the current User owns, for example:

You can also restrict records based on field criteria. If you needed to hide sensitive contracts you could create a custom permission and hide records marked as sensitive to users with this permission:

General Considerations

  • Restriction Rules are currently only available for Custom Objects, Contracts, Events, Tasks, Time Sheets and Time Sheet Entries.
  • These rules are only applied to certain features such as List Views, Lookups, Related Lists, Reports and Search.
  • If users are viewing the ‘Recently Viewed’ list view and they previously viewed a record they no longer have access to because of Restriction Rules, they can still see it in the list but if they click through to the record they’ll get an error.
  • Users with the System Administrator profile retain the ability to see and modify all records.
  • If you are running Enterprise or a Developer edition you only get two rules per object. If you have Performance or Unlimited you get up to five rules per object. 
  • Currently, the criteria is limited to the ‘Equals’ operator and doesn’t support formula fields.

Summary

Restriction Rules are a great feature. However, there are still a few obstacles to overcome to make these a viable option for all types of sharing problems.

Be sure to test these thoroughly in a sandbox before making anything live in production and use criteria to ensure a user is only influenced by one rule per object to avoid any conflicts.

Fingers crossed Salesforce increases the use cases for Restriction Rules and perhaps considers an Admin-friendly way to debug these rules when they are not working as expected.

References

8 thoughts on “Salesforce Restriction Rules: How to Restrict Record Access

  1. Hi Tom, This is great read.
    The above custom permission restrict rule will show only secure contracts to the users with permission set. They don’t get to see other contracts. In order to show secure contracts and other contracts we can have a rule as below
    Add custom permission ‘Restrict Sensitive Contracts’ and assign to users who shouldn’t have access to secure contracts.
    User criteria: Permission.Restrict_Sensitive_Contracts = true
    Record criteria: Contract.Sensitive_Contract__c = false

Add Comment