
Salesforce Restriction Rules: How to Restrict Record Access

By Tom Bassett

Previously in beta, Restriction Rules are generally available as of the Winter ’22 release.

Restriction Rules can be used to restrict what records users can see – the clue is in the name! Traditionally, Salesforce was all about opening up record access to users, so where do Restriction Rules fit in and why do we need them?

Where Can I Use Restriction Rules?

With traditional sharing methods, you could open up access to records within the system, but there were some considerations with this method.

If you have a custom object as the child in a master-detail relationship, its access defaults to ‘Controlled by Parent’. This means if a user can see the parent record, they can see the child record. Restriction Rules will enable you to selectively share these child records.

For example ‘Account Reviews’ linked to ‘Account’ via a master-detail relationship:

With Restriction Rules, you can apply filters to determine which child records (in this example Account Reviews) a user should be able to see, using User/Permission Criteria combined with Record Criteria.

For example, you could share Account Reviews records if the current User is within the Account Manager field on the record and they have a specific profile.

Another great use for Restriction Rules is tasks. Within Salesforce, Tasks can be ‘Private’ or ‘Controlled by Parent’, meaning users can see a task if they can see the related parent record.

You could use Restriction Rules to only show tasks that the current user owns, for example:

You can also restrict records based on field criteria. If you needed to hide sensitive contracts, you could create a custom permission and hide records marked as sensitive from users with this permission:
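
A small model of how the contract rule above filters records, added here as an illustration (it is not Salesforce code or the author's): the record criteria describe what a matching user may still see, so selecting the sensitive records instead of the non-sensitive ones inverts the result. The class and function names are hypothetical, the permission name follows the one suggested in the comments, and the contracts are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data; field and permission names are illustrative.
@dataclass(frozen=True)
class Contract:
    name: str
    sensitive: bool          # stands in for a "Sensitive Contract" checkbox

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset   # custom permissions assigned to the user

@dataclass(frozen=True)
class RestrictionRule:
    user_permission: str     # user criteria: rule applies if user holds this
    field: str               # record criteria: field name ...
    equals: object           # ... and the value it must equal ('Equals' only)

def visible(user, shared, rule):
    """Records the user sees after the rule filters what sharing already grants."""
    if rule.user_permission not in user.permissions:
        return list(shared)  # rule does not apply to this user
    # Rule applies: only records matching the record criteria remain visible.
    return [r for r in shared if getattr(r, rule.field) == rule.equals]

CONTRACTS = [Contract("MSA-Acme", False), Contract("NDA-Board", True),
             Contract("SOW-Globex", False)]
PERM = "Restrict_Sensitive_Contracts"
restricted = User("sales_rep", frozenset({PERM}))
unrestricted = User("legal", frozenset())

# Inverted: record criteria select the sensitive records, so restricted
# users are left with only the contracts that were meant to be hidden.
inverted = RestrictionRule(PERM, "sensitive", True)
# Intended: restricted users keep only the non-sensitive contracts.
intended = RestrictionRule(PERM, "sensitive", False)

def names(user, rule):
    return [c.name for c in visible(user, CONTRACTS, rule)]

if __name__ == "__main__":
    for label, rule in (("inverted", inverted), ("intended", intended)):
        print(label, names(restricted, rule), names(unrestricted, rule))
```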

General Considerations

  • Restriction Rules are currently only available for custom objects, contracts, events, tasks, time sheets and time sheet entries.
  • These rules are only applied to certain features such as list views, lookups, related lists, reports and search.
  • If users are viewing the ‘Recently Viewed’ list view and they previously viewed a record they no longer have access to because of Restriction Rules, they can still see it in the list, but if they click through to the record they’ll get an error.
  • Users with the System Administrator profile retain the ability to see and modify all records.
  • If you are running Enterprise or a Developer edition, you only get two rules per object. If you have Performance or Unlimited, you get up to five rules per object.
  • Currently, the criteria are limited to the ‘Equals’ operator and don’t support formula fields.

Summary

Restriction Rules are a great feature. However, there are still a few obstacles to overcome to make these a viable option for all types of sharing problems.

Be sure to test these thoroughly in a Sandbox before making anything live in production, and use criteria to ensure a user is only influenced by one rule per object to avoid any conflicts.

Fingers crossed Salesforce increases the use cases for Restriction Rules and perhaps considers an admin-friendly way to debug these rules when they are not working as expected.

The Author

Tom Bassett

Tom is a 31x Trailhead certified, 2x Slack certified, and an 11x accredited professional with over six years of experience in the Salesforce ecosystem.

Comments:

    Gladstone
    December 01, 2021 5:41 pm
    Can I get a complete step-by-step material or guide for Salesforce admin?
    David Kirzner
    December 02, 2021 10:23 pm
    Great content. Thank you
    Tom Bassett
    December 03, 2021 10:51 am
    Glad you enjoyed it, all the best!
    Bryan
    December 06, 2021 5:29 am
    Good
    Christine Marshall
    December 06, 2021 10:06 am
    You can find everything you need to know on Salesforce Help: https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_sharing_restriction_rules.htm&type=5&release=234
    Sai Bitra
    January 13, 2022 5:42 pm
    Hi Tom, this is a great read. The above custom permission restrict rule will show only secure contracts to the users with the permission set. They don't get to see other contracts. In order to show secure contracts and other contracts, we can have a rule as below: add the custom permission 'Restrict Sensitive Contracts' and assign it to users who shouldn't have access to secure contracts. User criteria: Permission.Restrict_Sensitive_Contracts = true; Record criteria: Contract.Sensitive_Contract__c = false
    Tom Bassett
    January 14, 2022 10:07 am
    You make a very good point! I'll arrange to get the screenshot swapped out. Thanks for pointing this out
    Paula
    March 08, 2022 9:11 am
    This is extremely helpful. Thank you so much!
    shruti
    July 06, 2023 4:14 pm
    Can you tell me the user and record criteria in detail of this sharing solution - 'Sales_Manager_Task_Restriction'? Here is the description: Allows Technical Sales Managers* to see only tasks from their department
