Securing Chid Records with Restriction Rules in Salesforce

Securing Sensitive Child Records with Restriction Rules

Last year, as part of the Summer ‘21 Release, Salesforce introduced the new Restriction Rules (Beta) feature. Now, it has become a full-fledged feature of the platform, and has introduced a new way for Admins to keep sensitive records safe and secure.

In a master-detail relationship, access to the child record is controlled by the parent record. Restriction rules allow Admins to manipulate access to records in situations where the access to the child record may not be needed or warranted. Some examples of when this scenario could pop up might include:

  • General access requirements don’t match the parent
  • Access to the child is contextual
  • Multiple independent teams are working on one parent object
  • There’s just a sharing exception

As a more illustrative example, let’s consider a scenario where there’s a custom Financial Details object in a Master-Detail relationship with Opportunity. In this case, Opportunity Sharing Setting is Public Read Only, and as such, the Financial Detail object is also Public Read Only. However, the Financial Details are sensitive, and access must be limited once the Opportunity is Won. The organization does not want Sales Team Profile users to be able to access this information on Closed Won Opportunities.

In this case, the Administrator would create a custom permission “Remove Access to Financial Details When Won” (or some similarly clear naming convention), and assign the permission to the Sales Team Profile.

configuring a restriction rule in Salesforce

An important note here – Restriction Rules are limited to ONE criteria. AND/OR Operators are not currently supported.

Some savvy Admins may ask “Why not just use Dynamic Forms”? Well, that’s certainly an option, as this could hide the Related List based on criteria and the Users wouldn’t be able to access the Object from the Opportunity record, BUT – it would not prevent them from accessing the records through other means within Salesforce.

A few best practices for creating Custom Permissions:

  • Use Custom Permission when the share is binary
  • Use User Criteria when access is based on dynamic criteria
  • Ensure one restriction rule for each User per Object (Restriction Rules are non-deterministic, and having multiple can lead to unpredictable results)
  • Turn off Salesforce Classic in your Org (Classic may not apply rules correctly)
  • And finally – Restriction Rules don’t apply to Child Objects, so make sure you mirror the Restriction Rules on Child Objects

For more information, check out these helpful resources:

Trail: Protect Your Data

The Restriction Rules Help Documentation from Salesforce

Larry Tung’s Review of Restriction and Scoping Rules


We hope you found this overview helpful! If you have questions about how restriction rules could be implemented in your own Salesforce org (or just want to chat), Get in Touch!

You may be interested in

Restriction Rules in Salesforce

Restricting Sensitive Data in Salesforce with Restriction Rules

Introduction As part of the Summer ‘21 Release, Salesforce announced the new Restriction Rules (Beta) feature. This new feature provides an additional layer of security on top of the existing OWDs and Sharing Rules. It allows Admins to restrict access to sensitive records for certain users by setting up the filter conditions in the Restriction […]

Read More

The 3 Pillars of Salesforce security

The Three Pillars of Salesforce Security

We live in a world where data breaches are not a question of if, but a question of when. Data breaches are on the rise for the third consecutive year, and all the signs point to a continuation of this trend in 2022/2023. With this in mind, a primary goal for any Salesforce implementor is […]

Read More

Sign up for the latest tips & news from CloudKettle

Thank you for subscribing.