Record Level Security without using Roles

We are developing a new application for internal use with record level security needs that appear beyond the base functionality of roles and profiles.  The users belong to groups which are associated with one or more departments.   The groups either explicitly permit or restrict access to employee data for those departments.  The groups do not fit in a hierarchical structure which precludes using roles.  At any given time there are 1,000-1,500 departments with any one user having access to 100 or more departments.  Since we are using custom objects, the direction we were thinking of was to use Visualforce to control the page layouts and only allow the user to display and/or edit records for a department that is part of the group that the user belongs to.  Has anyone had a similar need?  What approach did you take?  Do you see any pitfalls with how we are looking to tackle this? 


Example –

Group A can access departments 1, 2, 3

Group B can access departments 3, 4, 5
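An added example (not code from the original post) of what the enforcement side of the approach described above could look like: an Apex controller that resolves the current user's group memberships to a department set and filters and checks records against it server-side. The object and field names (Dept_Group_Member__c, Dept_Group_Access__c, Employee__c, Department__c, Access__c) are assumptions for illustration.

```apex
// Assumed (hypothetical) data model, not from the original post:
//   Dept_Group_Member__c : User__c (lookup User), Group__c (lookup Dept_Group__c)
//   Dept_Group_Access__c : Group__c, Department__c, Access__c ('Permit' or 'Restrict')
//   Employee__c          : Department__c (lookup Department__c)
public with sharing class EmployeeDeptController {

    // Resolve the departments a user may see: union of every group's permits,
    // minus any department that any of the user's groups explicitly restricts.
    public static Set<Id> allowedDepartments(Id userId) {
        Set<Id> groupIds = new Set<Id>();
        for (Dept_Group_Member__c m : [
                SELECT Group__c FROM Dept_Group_Member__c WHERE User__c = :userId]) {
            groupIds.add(m.Group__c);
        }
        Set<Id> permitted  = new Set<Id>();
        Set<Id> restricted = new Set<Id>();
        for (Dept_Group_Access__c a : [
                SELECT Department__c, Access__c
                FROM Dept_Group_Access__c WHERE Group__c IN :groupIds]) {
            if (a.Access__c == 'Restrict') {
                restricted.add(a.Department__c);
            } else {
                permitted.add(a.Department__c);
            }
        }
        permitted.removeAll(restricted);   // an explicit restriction wins
        return permitted;
    }

    // List used by the Visualforce page: only rows in allowed departments are queried,
    // so the filter holds even if the page markup is changed later.
    public List<Employee__c> getEmployees() {
        Set<Id> depts = allowedDepartments(UserInfo.getUserId());
        return [SELECT Id, Name, Department__c
                FROM Employee__c WHERE Department__c IN :depts LIMIT 200];
    }

    // Re-check on every save/edit action; hiding a button on the page is not enforcement.
    public static Boolean canAccess(Id userId, Id departmentId) {
        return allowedDepartments(userId).contains(departmentId);
    }
}
```

Controlling layouts in Visualforce only governs that page; records reachable through other UIs, reports or the API are still governed by the org's sharing settings, so the department check above (or an equivalent sharing rule, e.g. Apex managed sharing) is the part that actually enforces access.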