Restriction rules in Salesforce provide an effective way to enhance the security of your data by limiting access to specific records. These rules prevent users from accessing sensitive data or information irrelevant to their job role. By filtering the records that a user can access based on specific criteria, restriction rules ensure that users can only view records that match the criteria set.
Restriction rules can be created for various objects in Salesforce, including custom objects, external objects, contracts, tasks, and events. The number of active restriction rules that can be created per object varies depending on the Salesforce edition – up to two active restriction rules per object can be created in Enterprise and Developer editions, while up to five can be created in Performance and Unlimited editions.
Restriction rules apply to a range of Salesforce features, including List Views, Lookups, Related Lists, Reports, Search, SOQL, and SOSL. Using restriction rules, Salesforce administrators can ensure that their organization’s data remains secure and accessible only to authorized users.
When a restriction rule is applied to a user in Salesforce, the following occurs:
- The records the user is granted access to via org-wide defaults, sharing rules and other sharing mechanisms are filtered based on the criteria specified in the restriction rule.
- Users only see the records that meet the criteria of the restriction rule across all access methods, including list views, related lists, reports, search, SOQL, and SOSL.
- If a user tries to access a record that is no longer accessible due to the restriction rule, they will receive an error message.
Consider the following when setting up a restriction rule on an external object:
- Restriction rules for external objects do not include organization-wide defaults or sharing mechanisms.
- Only external objects created using the Salesforce Connect: OData 2.0, OData 4.0, and Cross-Org adapters support restriction rules.
- When a restriction rule is applied to a user, external objects created using the Cross-Org adapter do not support search or SOSL. Salesforce only returns search results that match the most recently viewed records.
- It is recommended to disable search on external objects.
- External objects created using the Salesforce Connect: Custom Adapter are not supported.
When Do I Use Restriction Rules in Salesforce?
You would use restriction rules in Salesforce when you want to restrict access to certain records for certain users based on specific criteria. This is useful when you have sensitive data or information that should only be visible to specific users.
For example, you might use a restriction rule to ensure that sales reps can only see leads assigned to them or that customer service reps can only see cases from customers in their region.
By applying restriction rules, you can limit access to data that is not essential to a user’s work, reducing the risk of unauthorized access and protecting the security of your organization’s data.
How to Set Up Restriction Rules in Salesforce?
- Define the Criteria: First, define the criteria that will be used to filter records for the restriction rule. For example, you might create a rule limiting access to records where the “Region” field equals the user’s region.
- Create the Restriction Rule: From Setup, navigate to the Object Manager for the object to which you want to apply the restriction rule. Click “Restriction Rules” in the left-hand sidebar, then click “New.” Enter a name and description for the rule, and select the criteria you defined in the first step.
- Test the Restriction Rule: After creating the rule, test it by logging in as a user the rule should affect. Navigate to a list view, related list, or report that includes records affected by the rule and ensure that only the appropriate records are visible.
- Activate the Restriction Rule: Once you are satisfied that the rule works correctly, activate it by changing the status to “Active.” You can create up to two active restriction rules per object in Enterprise and Developer editions and up to five active restriction rules per object in Performance and Unlimited editions.
- Monitor and Maintain: Regularly monitor your restriction rules to ensure they work correctly as data changes or new users are added. Be prepared to adjust your criteria or deactivate rules that are no longer needed or that impact user productivity.
Remember, there are some important considerations when applying restriction rules to external objects. Review the Salesforce documentation for more information on how to set up restriction rules for external objects.
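A check for the activation limits and the monitoring step above, as an added example that is not from the original article or from Salesforce: it parses restriction rule metadata (the `RestrictionRule` Metadata API type) and reports objects whose active rule count exceeds the edition limit stated here. The sample rules, `Shipment__c` and its custom fields are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Active restriction rules allowed per object, by edition (figures from this article).
LIMITS = {"Enterprise": 2, "Developer": 2, "Performance": 5, "Unlimited": 5}

TEMPLATE = """<RestrictionRule xmlns="http://soap.sforce.com/2006/04/metadata">
    <active>{active}</active>
    <enforcementType>Restrict</enforcementType>
    <masterLabel>{label}</masterLabel>
    <recordFilter>{record_filter}</recordFilter>
    <targetEntity>{entity}</targetEntity>
    <userCriteria>$User.IsActive = true</userCriteria>
</RestrictionRule>"""

# Constructed sample rules; Shipment__c and its custom fields are hypothetical.
SAMPLE = [
    TEMPLATE.format(active="true", label="Own Region", entity="Shipment__c",
                    record_filter="Region__c = $User.Region__c"),
    TEMPLATE.format(active="true", label="Open Only", entity="Shipment__c",
                    record_filter="Status__c = 'Open'"),
    TEMPLATE.format(active="true", label="Own Records", entity="Shipment__c",
                    record_filter="OwnerId = $User.Id"),
    TEMPLATE.format(active="false", label="Old Rule", entity="Shipment__c",
                    record_filter="Archived__c = false"),
    TEMPLATE.format(active="true", label="Tasks You Own", entity="Task",
                    record_filter="OwnerId = $User.Id"),
]

def parse_rule(xml_text):
    root = ET.fromstring(xml_text)
    def text(tag):
        return (root.findtext(f"sf:{tag}", default="", namespaces=NS) or "").strip()
    return {"label": text("masterLabel"), "entity": text("targetEntity"),
            "active": text("active").lower() == "true",
            "enforcement": text("enforcementType")}

def over_limit(rule_docs, edition):
    """Map each object to its active rule labels when the edition limit is exceeded."""
    active = defaultdict(list)
    for doc in rule_docs:
        rule = parse_rule(doc)
        if rule["active"] and rule["enforcement"] == "Restrict":
            active[rule["entity"]].append(rule["label"])
    limit = LIMITS[edition]
    return {obj: labels for obj, labels in active.items() if len(labels) > limit}

if __name__ == "__main__":
    print(over_limit(SAMPLE, "Enterprise"))
```

In a real project the documents would be read from the retrieved rule metadata files instead of the inline sample.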
How Do Restriction Rules Affect Other Sharing Settings?
Applying Restriction Rules to a record or object can impact other sharing settings in Salesforce. Here are some ways that Restriction Rules can affect other sharing settings:
- Org-Wide Defaults: Org-wide defaults define the default access levels for an object. When a Restriction Rule is applied, it restricts access to records based on your defined criteria. This means that users who typically access certain records based on the org-wide default may no longer have access to those records.
- Sharing Rules: Sharing rules allow you to extend access to records based on specific criteria. When a Restriction Rule is applied, it can override the access granted by sharing rules. For example, if you have a sharing rule that extends access to records based on a user’s role, a Restriction Rule that restricts access based on a field value will take precedence.
- Manual Sharing: Manual sharing allows users to grant access to individual records to other users or groups. When a Restriction Rule is applied, it can override the access granted through manual sharing.
- Implicit Sharing: Implicit sharing allows certain users to access records based on their relationship to the record owner. For example, a user’s manager may be able to access their subordinates’ records. When a Restriction Rule is applied, it can override implicit sharing rules.
- Apex Managed Sharing: Apex Managed Sharing allows you to write custom code to manage record sharing. When a Restriction Rule is applied, it can override any sharing managed through Apex.
It’s essential to carefully consider the impact of Restriction Rules on other sharing settings in your org and to test your rules thoroughly to ensure that they don’t inadvertently restrict access to records that should be accessible based on other sharing settings.
What is the difference between scoping rules and restriction rules?
Restriction Rules and Scoping Rules differ in their applicable objects and functionalities. Scoping Rules can be applied to Account, Contact, Lead, Opportunity, and Case, but Restriction Rules do not apply to these objects. However, both rules can be applied to Custom Objects.
Furthermore, Scoping Rules can only be used in List Views, Reports, and SOQL, while Restriction Rules can be applied to a broader range of functionalities, including Lookups, Related Lists, Search, and SOSL, in addition to List Views, Reports, and SOQL.
Restriction rules restrict access to specific records that are not visible through other existing sharing mechanisms. These restrictions are permanent and cannot be changed by the user.
In contrast, Scoping Rules allow users to focus on a specific set of records by filtering out the rest. The effect of this filtering is temporary, and the user still has access to all records, including those that are filtered out. Users can apply the Scoping Rule on a List View or Report, as they have control over the application of this rule.