Salesforce currently allows you to create rules that restrict the visibility of records. For example, even if the OWD of an object is set to Public Read or beyond, we can still hide its records from certain users by adding a rule called a "Restriction Rule".
Restriction Rules help us restrict access to selected records for a group of users. They have been Generally Available (GA) since Winter '22 of Salesforce. Remember that a restriction rule can only be created from the Lightning Experience and not from the Classic experience. We will take an example to illustrate its functionality, pros, and cons.
Scenario : I have a custom object named Engagement holding a checkbox field "Active". The OWD for this object is "Public Read Only," but there is a specific set of users belonging to the profile "Sales Executive" who should be denied access to Engagement records where Active is TRUE. Due to the OWD being "Public Read Only," these users cannot be restricted from accessing them.
Solution : A Restriction Rule becomes relevant at this point. So let's create one to address the problem. Restriction Rules are object-specific, so we need to navigate to the object to create one.
Navigation : Go to Setup > Object Manager > choose the object for which the Restriction Rule has to be created; on the left pane an option "Restriction Rule" will be available. Then click on "New Rule".
1. Rule Detail :
2. User Criteria :This is the place where we have to specify the Users for which
ii. Permission Criteria
For our scenario, we wish to apply the rule to all users associated with the profile "Sales Executive". But we need to understand that the Profile field on User is a lookup, so only the ID of the profile is available on the User record. As Restriction Rules can access data on the User object but not on the associated object, we have to copy the ID of the profile and use it in our criteria.
3. Record Criteria
Save the record and you are all set. Despite OWD being "Public Read Only", Engagement records with Active checkbox checked will no longer be visible to Users belonging to profile "Sales Executive".
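The same rule expressed as Metadata API source (the RestrictionRule metadata type), as an added example that is not part of the original post. The API names `Engagement__c` and `Active__c`, the rule label, and the profile ID placeholder are assumptions. The record filter names the records the matched users can still see, so hiding Active = TRUE records means filtering on `Active__c = false`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Restriction Rule for the Engagement scenario.
     Engagement__c and Active__c are assumed API names for the custom
     object and checkbox described in the post. -->
<RestrictionRule xmlns="http://soap.sforce.com/2006/04/metadata">
    <active>true</active>
    <description>Sales Executive users see only Engagement records where Active is unchecked</description>
    <!-- Restrict = restriction rule (as opposed to a scoping rule) -->
    <enforcementType>Restrict</enforcementType>
    <masterLabel>Engagement Hide Active From Sales Executives</masterLabel>
    <!-- Record criteria: the records that REMAIN visible to matched users.
         One field, "equals" only, as listed in the limitations. -->
    <recordFilter>Active__c = false</recordFilter>
    <targetEntity>Engagement__c</targetEntity>
    <!-- User criteria: Profile is a lookup on User, so the rule compares
         against the profile's ID. Placeholder below: replace it with the
         ID copied from the Sales Executive profile in your org. -->
    <userCriteria>$User.ProfileId = 'REPLACE_WITH_SALES_EXECUTIVE_PROFILE_ID'</userCriteria>
    <version>1</version>
</RestrictionRule>
```

Profile IDs differ between orgs, so the value in `userCriteria` has to be re-checked whenever the rule is moved from a sandbox to production; a stale ID leaves the rule active but matching no users.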
It's definitely a useful feature, but it's equally important to know what the limitations are. Below are some of them.
- Restriction rules are not supported for all objects. Only custom objects, contracts, events, tasks, time sheets, and time sheet entries can be restricted.
- You can only have one Filter Entry under "User Criteria" and "Record Criteria". You cannot configure any Filter Logic and have multiple Filter Entries.
- Only "Equals" is available as "Operator" for sections "User Criteria" and "Record Criteria".
- Checkbox, Text, Number, Date, DateTime, Time, and Id (Lookup) are the only data types supported. Only fields belonging to the mentioned data types will come up in the User/Record Criteria.
Source : https://developer.salesforce.com/docs/atlas.en-us.restriction_rules.meta/restriction_rules/restriction_rules_about.htm
Hi, in the above example, if the Active checkbox is false then the 'Sales Executive' profile will be able to see the record. Right?
As mentioned in the post...
Despite OWD being "Public Read Only", Engagement records with Active checkbox unchecked will no longer be visible to Users belonging to profile "Sales Executive".