Salesforce Restriction Rules, Restrict Access to Sensitive Records

Author

mirketa

March 28, 2022

Restriction Rules, as the clue itself in this name, restricts what records user can see and enhance the security by allowing certain users to access only specified records.

When we apply restriction rule to a user and specify some criteria, the data that the user is allowed to access via org-wide defaults, sharing rules, and other sharing mechanisms is filtered by the specified criteria in restriction rule.

We can better understand this Restriction rule working with the below image:

Restriction Rules Configuration

These can be configured in Salesforce Org Setup or through Tooling API or Metadata API. As of Salesforce Winter’22 release, we can create up to two restriction rules per object in Developer and Enterprise Editions and up to five restriction rules per object in Performance and Unlimited Editions.

Steps to create restriction rules: –

Navigate to Object Manager in Setup
Select the Object on which we need to add Restriction Rule
Click on Restriction Rule
Name and describe the rule then activate it
Select the user field and choose filter settings to determine user on which rule is to be applied
Select the record field and choose filter settings to determine which records are accessible

For example, if there is a master-detail relationship between two objects (Partnership Request (Master) and Onboarding Process (Detail)), and we want Sales reps can see all Partnership records but can only see Onboarding records that they create.

Let’s create Restriction Rule to solve this requirement: –

1. Go to Object Manager, Select Object Onboarding Process.

2. Click on tab “Restriction Rules”, then click on “Create New Rule”.

3. Then Enter Rule Name, select “Is Active” checkbox.

4. In User Criteria, select which users this Restriction Rule applies to.

5. In Record Criteria, select which records, specific users are allowed to access.

6. Then click “Save”.

When Do We Use Restriction Rules?

With the help of restriction rule we can prevent record access of certain type which contains sensitive data. In the case of a Parent-Child relationship, sometimes it’s difficult to control access with existing options since if you have parent record access you will get access of the child record. So here restriction rule comes in the picture and provide more control.
Access to contracts, tasks, and events can be difficult to make Private using organization-wide defaults, creating restriction rules are the best way to configure this visibility.

How Restriction Rules different from Sharing Rules?

Sharing Rules are used to provide wider access to data. These are used to extend sharing excess to users in public groups, roles, or territories. We cannot restrict data access using sharing rule below organization-wide defaults while Restriction rules prevent users from accessing records that contain sensitive data or information which is not essential for their work. Also, restriction rules enhance security by allowing certain users to access only specified records.

Where Are Restriction Rules Available?

Restriction rules are available for Enterprise, Performance, Unlimited, and Developer Salesforce Editions.
Salesforce Restriction rules are available for custom objects, tasks, contracts, events, timesheets, and timesheet entries. Restriction rules can be applied to the following Salesforce features: