Last year, as part of the Summer ’21 Release, Salesforce introduced the new Restriction Rules (Beta) feature. Now, it has become a full-fledged feature of the platform, and has introduced a new way for Admins to keep sensitive records safe and secure.
In a master-detail relationship, access to the child record is controlled by the parent record. Restriction rules allow Admins to manipulate access to records in situations where the access to the child record may not be needed or warranted. Some examples of when this scenario could pop up might include:
- General access requirements don’t match the parent
- Access to the child is contextual
- Multiple independent teams are working on one parent object
- There’s just a sharing exception
As a more illustrative example, let’s consider a scenario where there’s a custom Financial Details object in a Master-Detail relationship with Opportunity. In this case, the Opportunity Sharing Setting is Public Read Only, and as such, the Financial Details object is also Public Read Only. However, the Financial Details are sensitive, and access must be limited once the Opportunity is Won. The organization does not want Sales Team Profile users to be able to access this information on Closed Won Opportunities.
In this case, the Administrator would create a custom permission “Remove Access to Financial Details When Won” (or some similarly clear naming convention), and assign the permission to the Sales Team Profile.
An important note here: Restriction Rules are limited to ONE criterion. AND/OR Operators are not currently supported.
Some savvy Admins may ask “Why not just use Dynamic Forms?” Well, that’s certainly an option, as this could hide the Related List based on criteria and the Users wouldn’t be able to access the Object from the Opportunity record, BUT – it would not prevent them from accessing the records through other means within Salesforce.
A few best practices for creating Custom Permissions:
- Use Custom Permission when the share is binary
- Use User Criteria when access is based on dynamic criteria
- Ensure one restriction rule for each User per Object (Restriction Rules are non-deterministic, and having multiple can lead to unpredictable results)
- Turn off Salesforce Classic in your Org (Classic may not apply rules correctly)
- And finally – Restriction Rules don’t apply to Child Objects, so make sure you mirror the Restriction Rules on Child Objects
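A pre-deployment check for two of the points above (one criterion per rule, one active rule per object), as an added example that is not from the original article or from Salesforce. It assumes the rules have been retrieved as RestrictionRule metadata XML; the object, field and permission API names in the sample are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample metadata; object, field and permission API names are hypothetical.
TEMPLATE = """<RestrictionRule xmlns="http://soap.sforce.com/2006/04/metadata">
  <active>{active}</active>
  <enforcementType>Restrict</enforcementType>
  <recordFilter>{record}</recordFilter>
  <targetEntity>{target}</targetEntity>
  <userCriteria>{user}</userCriteria>
</RestrictionRule>"""

SAMPLE_RULES = {
    "Hide_Won_Financials": TEMPLATE.format(
        active="true", target="Financial_Details__c",
        record="Opportunity_Won__c = false",
        user="$Permission.Remove_Access_to_Financial_Details_When_Won = true"),
    "Regional_Financials": TEMPLATE.format(
        active="true", target="Financial_Details__c",
        record="Region__c = 'EMEA' AND Opportunity_Won__c = false",
        user="$User.IsActive = true"),
}

def lint(rules):
    """Return (name, finding) pairs for active rules that break the practices above."""
    findings, by_target = [], defaultdict(list)
    for name, xml_text in rules.items():
        root = ET.fromstring(xml_text)
        field = lambda tag: (root.findtext(f"sf:{tag}", "", NS) or "").strip()
        if field("active").lower() != "true":
            continue  # inactive rules are not enforced
        by_target[field("targetEntity")].append(name)
        for tag in ("recordFilter", "userCriteria"):
            # Ignore quoted literals so a value such as 'R AND D' is not flagged.
            bare = re.sub(r"'[^']*'", "''", field(tag))
            if re.search(r"\b(AND|OR)\b", bare, re.IGNORECASE):
                findings.append((name, f"compound-criteria:{tag}"))
    for target, names in by_target.items():
        if len(names) > 1:  # overlapping rules give unpredictable results
            findings.append((target, "multiple-active-rules"))
    return findings

if __name__ == "__main__":
    for subject, finding in lint(SAMPLE_RULES):
        print(f"{subject}: {finding}")
```

A "multiple-active-rules" finding is a prompt to confirm that the user criteria of those rules can never match the same User.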
For more information, check out these helpful resources:
- The Restriction Rules Help Documentation from Salesforce
- Larry Tung’s Review of Restriction and Scoping Rules
We hope you found this overview helpful! If you have questions about how restriction rules could be implemented in your own Salesforce org (or just want to chat), Get in Touch!