Control Access to Sensitive Records with Restriction Rules | Salesforce Developers Blog

*Updated Sep 13, 2021 for the Winter ’22 release* 

Restriction rules are generally available in the Winter ’22 release! We’ve also updated the developer guide and shared a Learn MOAR blog post on the topic.


In Summer ’21, we brought you an entirely new way to manage your org’s access control with restriction rules, an easy-to-manage feature that lets you pick which users should see which subset of records.

Without restriction rules, users who have access to an account can see its contracts, tasks, and events, even when the organization-wide default is set to Private. For custom objects, users can see all of their child records. Restriction rules allow you to define which users see which records in Lightning Experience for custom objects, timesheets, timesheet entries, contracts, tasks, and events, and to configure truly “Private” access for these objects. You can create, edit, and delete restriction rules in the Object Manager (new in Winter ’22) and through the Tooling and Metadata APIs.

What are restriction rules?

Restriction rules allow certain users to have access only to specified records. Restriction rules prevent users from accessing records that may contain sensitive data. They also can be used to help users see what they need for their daily work.

For example, let’s say your employee, Sally, can currently see four contracts of various record types in a report.


But for Sally’s role, she only needs to see internal contracts. Sally’s access to other contract record types is a security concern. Plus, it slows down Sally’s productivity to see contracts that aren’t related to her work.

The solution? Restriction rules! We create the following restriction rule so that users in Sally’s role see only internal contracts. We set the userCriteria, or which users the rule applies to, to Sally’s role ID. We set the recordFilter, or which records are shown to these users, to contracts with the “Internal” record type.

{ 
    "FullName":"restriction_rule_internal_contracts",
    "Metadata": { 
        "active":true, 
        "description":"A restriction rule that allows users in the ??? role to see only internal contracts.", 
        "enforcementType":"Restrict", 
        "masterLabel":"Internal Contracts", 
        "recordFilter":"RecordType.Name = 'Internal'", 
        "targetEntity":"Contract", 
        "userCriteria":"$User.UserRoleId='005xxxxxxxxxxx1'", 
        "version":1 
    } 
}

And here’s our result. Now Sally only sees the internal contracts necessary to her role in this report.

In Lightning Experience, restriction rules apply to all of these features:

  • Links
  • List Views
  • Lookups
  • Related Lists
  • Reports
  • Search
  • SOQL
  • SOSL

How do I create restriction rules?

In Winter ’22, you can create restriction rules by going to the Object Manager and choosing one of the supported objects. You can also create restriction rules using the RestrictionRule Tooling object or RestrictionRule Metadata type. Here’s a restriction rule created using the Tooling API that allows users with the specified profile to see only the task records that they own.

{
    "FullName":"restriction_rule_tasks_you_own",
    "Metadata": {
        "active":true,
        "description":"A restriction rule that allows users of a specific profile to see only tasks that they own.",
        "enforcementType":"Restrict",
        "masterLabel":"Tasks You Own",
        "recordFilter":"Owner:User.Id = $User.Id",
        "targetEntity":"Task",
        "userCriteria":"$User.ProfileId='005xxxxxxxxxxx2'",
        "version":1
    }
}

How do restriction rules affect other sharing settings?

Users get access to records based on your organization-wide defaults and other sharing mechanisms, like sharing rules or enterprise territory management.

When a restriction rule is applied to a user, the data they had read access to via your sharing settings is further scoped to only records matching the recordFilter. This behavior is similar to how you can filter results in a list view or report, except that it’s permanent. The number of records visible to the user can vary greatly depending on the value that you set in the recordFilter.
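
The scoping described above, as an added example (not Salesforce code): a small Python model in which sharing first decides what a user can read, and a matching active restriction rule then narrows that set. The record IDs, role names, and the `visible_records` helper are constructed for illustration, and the criteria are Python callables standing in for the userCriteria and recordFilter strings.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class RestrictionRule:
    """Toy stand-in for the rule metadata shown earlier on this page."""
    target_entity: str
    user_criteria: Callable[[dict], bool]        # which users the rule applies to
    record_filter: Callable[[dict, dict], bool]  # which records those users keep
    active: bool = True

def visible_records(user, entity, records, shared_ids, rule):
    """Sharing decides what is readable; a matching rule only narrows it."""
    readable = [r for r in records if r["Id"] in shared_ids]
    applies = (rule.active and rule.target_entity == entity
               and rule.user_criteria(user))
    if not applies:
        return readable  # users outside userCriteria are unaffected
    return [r for r in readable if rule.record_filter(r, user)]

# Constructed sample data: Sally's sharing settings expose four contracts.
CONTRACTS = [
    {"Id": "c1", "RecordType": "Internal"},
    {"Id": "c2", "RecordType": "Partner"},
    {"Id": "c3", "RecordType": "Internal"},
    {"Id": "c4", "RecordType": "Vendor"},
    {"Id": "c5", "RecordType": "Internal"},  # matches the filter, but not shared
]
SHARED = {"c1", "c2", "c3", "c4"}
SALLY = {"Id": "u1", "UserRoleId": "role-sales"}  # hypothetical role name
PAT = {"Id": "u2", "UserRoleId": "role-legal"}    # hypothetical role name

INTERNAL_ONLY = RestrictionRule(
    target_entity="Contract",
    user_criteria=lambda u: u["UserRoleId"] == "role-sales",
    record_filter=lambda r, u: r["RecordType"] == "Internal",
)

def ids(user, rule=INTERNAL_ONLY, shared=SHARED):
    """IDs of the contracts the given user ends up seeing."""
    found = visible_records(user, "Contract", CONTRACTS, shared, rule)
    return [r["Id"] for r in found]

if __name__ == "__main__":
    print("Sally:", ids(SALLY))  # rule applies to her role
    print("Pat:  ", ids(PAT))    # rule does not apply
```

Record `c5` matches the filter but stays hidden from Sally because sharing never granted it: the rule removes access, it does not add any.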

Conclusion

If you have users that should only have access to a specific subset of records, restriction rules provide another layer of security that you can layer on top of your existing org-wide defaults, sharing rules, and other settings. Restriction rules also allow you to configure your access so that custom objects, timesheets, timesheet entries, contracts, tasks, and events are completely “Private,” even for users with access to related accounts, which previously wasn’t possible.

If you’re interested, you can try it out starting in Winter ’22 with a Developer, Enterprise, Unlimited, or Performance Edition org! For more info, check out the Restriction Rules Developer Guide. And if you have any questions or feedback, reach out to Salesforce Support or review resources in the Restriction Rules Trailblazer Community.

About the authors

Larry Tung is the Product Manager for the Record Access Experience team, where he’s working on the next generation of sharing features.

Dana Holloway is a Senior Technical Writer for the Record Access Experience team.
