Control Access to Sensitive Records with Restriction Rules (Now in Beta) :

Control Access to Sensitive Records with Restriction Rules (Now in Beta)
blow post content copied from  Salesforce Developers Blog
click here to view original post

In Summer ’21, we’re bringing you an entirely new way to manage your org’s access control. Introducing restriction rules, an easy-to-manage sharing feature that lets you grant record access in a secure, granular way. Simply pick which users should see which subset of records, and that’s it!

Without restriction rules, users who have access to an account can see its contracts, tasks, and events, even when the organization-wide default is set to Private. For custom objects, users can see all of their child records. Restriction rules allow you to define which users see which records in Lightning Experience for custom objects, contracts, tasks, and events and configure truly “Private” access for these objects. Creating, editing, and deleting restriction rules are only available via the Tooling and Metadata APIs.

What are restriction rules?

Restriction rules allow certain users to have access only to specified records. Restriction rules prevent users from accessing records that may contain sensitive data. They also can be used to help users see what they need for their daily work.

For example, let’s say your employee, Sally, can currently see four contracts of various record types in a report.

But for Sally’s role, she only needs to see internal contracts. Sally’s access to other contract record types is a security concern. Plus, it slows down Sally’s productivity to see contracts that aren’t related to her work.

The solution? Restriction rules! We create the following restriction rule so that users in Sally’s role see only internal contracts. We set the userCriteria, or which users the rule applies to, to Sally’s role ID. We set the recordFilter, or which records are shown to these users, to contracts with the “Internal” record type.


    "Metadata": { 
        "description":"A restriction rule that allows users in the ??? role to see only internal contracts.", 
        "masterLabel":"Internal Contracts", 
        "recordFilter":"RecordType = 'Internal'", 


And here’s our result. Now Sally only sees the internal contracts necessary to her role in this report.

In Lightning Experience, restriction rules apply to all of these features:

  • Links
  • List Views
  • Lookups
  • Related Lists
  • Reports
  • Search
  • SOQL
  • SOSL

How do I create restriction rules?

You can create restriction rules using the RestrictionRule Tooling object or RestrictionRule Metadata type. Here’s a restriction rule created using the Tooling API that allows users with the specified profile to see only the task records that they own.

    "Metadata": {
        "description":"A restriction rule that allows users of a specific profile to see only tasks that they own.",
        "masterLabel":"Tasks You Own",
        "recordFilter":"OwnerId = $User.Id",

There is no Administrator UI in Setup for restriction rules yet, but stay tuned!

How do restriction rules affect other sharing settings?

Users get access to records based on your organization-wide defaults and other sharing mechanisms, like sharing rules or enterprise territory management.

When a restriction rule is applied to a user, the data they had read access to via your sharing settings is further scoped to only records matching the recordFilter. This behavior is similar to how you can filter results in a list view or report, except that it’s permanent. The amount of records visible to the user can vary greatly depending on the value that you set in the recordFilter.


If you have users that should only have access to a specific subset of records, restriction rules provide another layer of security that you can layer on top of your existing org-wide defaults, sharing rules, and other settings. Restriction rules also allow you to configure your access so that custom objects, contracts, tasks, and events are completely “Private,” even for users with access to related accounts, which previously wasn’t possible.

If you’re interested, please contact Salesforce Customer Support to try out this beta feature for yourself. For more info, check out the Restriction Rules Developer Guide (Beta). And if you have any questions or feedback, please post in the Restriction Rules Trailblazer Community.

About the author

Larry Tung is the Product Manager for Record Access Experience team, where he’s working on the next generation of sharing features. Dana Holloway is a Senior Technical Writer for the Record Access Experience team.

The post Control Access to Sensitive Records with Restriction Rules (Now in Beta) appeared first on Salesforce Developers Blog.

May 21, 2021 at 09:40PM
Click here for more details...

The original post is available in Salesforce Developers Blog by
this post has been published as it is through automation. Automation script brings all the top bloggers post under a single umbrella.
The purpose of this blog, Follow the top Salesforce bloggers and collect all blogs in a single place through automation.