An Overview of Restriction Rules in Salesforce
Salesforce Restriction Rules are an essential feature for controlling data access beyond standard object-level, field-level, or record-level permissions. They allow administrators to define finer-grained access rules to ensure users see only the records they need for their roles, improving data security and usability.
Salesforce introduced Restriction Rules to enhance data visibility controls, allowing administrators to limit access to records for specific users or groups of users. Restriction rules complement sharing rules by further refining access to records, ensuring users see only the data they need.
In this blog, we will explore what restriction rules are, how they work, their benefits, and step-by-step instructions for implementing them.
What Are Restriction Rules?
Restriction rules are Salesforce features that let administrators restrict user access to records based on field values, user attributes, or combinations of criteria. Unlike sharing rules, which broaden access to records, restriction rules narrow it down.
Restriction rules operate at the record level, meaning that only records matching the specified conditions are visible to the user. They are useful when organizations need to comply with strict data privacy laws or business needs that require granular data visibility control.
Supported Objects
Restriction rules are available for the following objects:
- Custom Objects
- External Objects
- Contracts
- Events
- Tasks
The availability of restriction rules varies based on your Salesforce edition:
- Enterprise and Developer Editions: Allow up to 2 active restriction rules per object.
- Performance and Unlimited Editions: Allow up to 5 active restriction rules per object.
Key Benefits of Restriction Rules
- Enhanced Data Privacy: Restriction rules help enforce data visibility policies for regulatory compliance.
- Enhanced User Experience: Users are presented only with records pertinent to their roles, minimizing clutter and confusion.
- Granular Access Control: Restriction rules offer more precise control over record-level visibility compared to sharing rules.
How Do Restriction Rules Work?
Restriction rules use criteria defined by Salesforce admins to filter out records from a user’s view. These criteria are based on:
- Field values on the object
- User attributes (e.g., role, profile, or user type)
- Other record-related conditions
Restriction rules are evaluated after standard object and record-sharing settings. If a user is granted access through sharing rules but denied by a restriction rule, the restriction rule takes precedence.
Steps to Create a Restriction Rule
Here’s a step-by-step guide to creating and implementing restriction rules in Salesforce:
1. Navigate Setup
- Go to Setup -> Object Manager in Salesforce.
- Select the object you want to apply a restriction rule to, then click on Restriction Rule.
2. Create a New Rule
- Click New Restriction Rule.
- Fill in the following information:
- Rule Name: Enter a clear and descriptive name for the rule.
- Developer Name: Either automatically filled in or can be customized.
- Active: Tick this box to enable the rule.
3. Set Criteria
- Define the conditions for the restriction rule using filter logic.
- Example:
- For contracts, restrict access to contracts created by the user:
CreatedById = $User.Id - For tasks, restrict access to only open tasks:
Status != ‘Completed’
- For contracts, restrict access to contracts created by the user:
4. Assign the Rule to Users
- Use the User Criteria section to specify which users or profiles the rule applies to.
- Example:
- For tasks, restrict access to only open tasks:
Status != ‘Completed’ - Restrict based on a custom profile field:
Profile.Name = ‘Sales Representative’
- For tasks, restrict access to only open tasks:
Best Practices
- Plan Your Rules: Understand your organization’s visibility requirements before creating restriction rules.
- Avoid Overlaps: Ensure restriction rules and sharing rules don’t conflict, as it can lead to unintended access or restrictions.
- Test Thoroughly: Use test users and scenarios to verify the rule behavior before deploying it organization-wide.
- Document Rules: Maintain documentation for all active restriction rules to track their purpose and scope.
- Minimize Rules: Use the least number of restriction rules to simplify administration and reduce potential issues.
Key Considerations
- Restriction rules do not apply to reports, dashboards, or API queries.
- Users who have the “View All Data” or “Modify All Data” permissions are not affected by restriction rules.
- Restriction rules apply only to records accessible through sharing settings. They do not grant additional access.
Use Case Example
Scenario:
A company wants to ensure that Sales Representatives can view only the opportunities they own, even if the sharing rules grant access to broader records.
Solution:
- Create a restriction rule for the Opportunity object.
- Set the filter logic:
OwnerId = $User.Id - Assign the rule to users with the Sales Representative profile.
This ensures Sales Representatives only see opportunities they own, regardless of sharing rules.
Conclusion
Restriction rules in Salesforce provide an extra layer of data visibility control, allowing administrators to fine-tune access for specific users or scenarios. By understanding their functionality and best practices, organizations can enhance security and streamline data access while ensuring users only see what they need.
