Restriction Rules – Yet Another Data Security Management Tool?

Hell YESSS! Nothing is more important than protecting your customer’s sensitive data you are storing in your Salesforce Org. You can land in prison if you don’t. Ok, I’m being overdramatic, but nevertheless, data protection is a serious topic. So how about we break down the entire model and see how the Restriction Rules fit in? Let’s go!

Hell YESSS! Nothing is more important than protecting your customer’s sensitive data you are storing in your Salesforce Org. You can land in prison if you don’t. Ok, I’m being overdramatic, but nevertheless, data protection is a serious topic. And your data security toolset just got a new addition. 🤯

Whether you are a new Admin, experienced Admin, App Builder, Product Owner or otherwise involved with the Salesforce Setup, understanding how to protect sensitive data stored in Salesforce is probably one of the most important aspects of setting up and managing a Salesforce Org.

We all know that the Data Security Model is already rather complex and now you have been given yet another tool. So how about we break down the entire model and see how the Restriction Rules fit in? Let’s go!

Salesforce Data Security Model & Where Restriction Rules Fit In

Now, as I mentioned above, the Data Security Model is complex and consists of many layers. In general, we have four layers/levels:

Organization-level = This is where you manage the first entry point of a Salesforce User, their login to the system. This includes things like IP Ranges, Login Hours, Password Policy, and so on. Anything that authenticates the User BEFORE they get access to Salesforce.

Object-level = This is what the User will have access to AFTER they successfully logged in. All Salesforce data is stored on Salesforce records that belong to Salesforce Objects. Hence, you will typically use tools like User Profiles, Permission Sets, and Permission Set Groups to manage access to Salesforce Objects.

Record-level = This is where things really start to get interesting with managing access to records that contain all that sensitive or not-to-sensitive data. Therefore, you want to be very careful which records Users should have access to. The baseline tools you’ll have available, are Organization-Wide Defaults (OWD), Role Hierarchy, Sharing Rules, Team Sharing, and Manual Sharing. PLUS, you guessed it, Restriction Rules.

Record-level sharing is the most complex of all our four layers, so here is how they are built up:

Field-level = Is all about managing access to the individual data types (= fields) stored on Salesforce records. You can choose between No access, Read access or Read/Write access.

Now that you know WHERE Restriction Rules fit in, we’ll discuss HOW they work.

HOW Do Salesforce Restriction Rules Work

While your baseline Record-level Sharing Model pretty much opens up access to records, Restriction Rules take away access. In other words, they limit the User’s record access to a sub-set of records they used to have access to. It’s like setting a permanent filter to display only pre-defined records. Why would you need to do that? Good question! We’ll look at some examples shortly.

Now, Restriction Rules can also be used for Objects that do not support any or some of the Record-level Sharing tools.

Let’s look at some examples for both scenarios:

An example where Restriction Rules limit access:

Let’s say you have a Recruiting Team, of which the Recruiting Assistants have access to Positions of the status “Open”. They have hired a Junior Recruiting Assistant, to support with open Positions which need to be filled by the end of the month.

We’re assuming the OWDs for Position is set to “Private”, a Role Hierarchy has been set up including the Role “Recruiting Assistant”, and a Sharing Rule is in place which shares all open Positions with the Recruiting Assistant Role. This Role is also assigned to the Junior Recruiting Assistant. What now?

Well, the Junior Recruiting Assistant has been assigned the Title “Junior Recruiting Assistant” on the corresponding User Record. And this is where we bring in the Restriction Rule. You will use the Restriction Rule to only display open Positions with a Close Date of the current end of the month, to Users with the Title “Junior Recruiting Assistant”.

This may look like this:

The result is this: The Junior Recruiting Assistant already had access to all open Positions because of the Sharing Rule. Of these open Positions, the Restriction Rule limits access to open Positions that contain the date of the current end of month.

Why could you not solve this with a Sharing Rule? Because Sharing Rules don’t support sharing based on User Criteria which are not Role-related. You could use a workaround though, like adding another Role “Junior Recruiting Assistant” to the Role Hierarchy and using this to create a secondary Sharing Rule. However, this makes the Role Hierarchy more complex and will have additional implications on other Sharing Rules, Reports, etc.

As a Salesforce Administrator, you always want to find the least complex but most effective solution. 🤓 Now, you have one, and that is Restriction Rules.

An example where Restriction Rules are the only option:

We’ll use the “Activity” Object which does not support Sharing Rules.

First up, the Object “Activity” relates to “Tasks” and “Events”, and supports OWDs such as “Private” and “Controlled by Parent”. If we chose “Controlled by Parent”, Users who have access to the associated Parent record (what you select in the “Related To” field), maybe “Account”, can see ALL tasks and events of the Accounts they have access to. You can’t restrict access to certain Tasks or Events of those Accounts, even if you selected the OWD “Private”. The latter would limit access to Tasks/Events a User owns.  You wouldn’t be able to open up access to specific Tasks/Events Users do not own, because Sharing Rules are not supported.

How do we fix this? Exactly, with Restriction Rules. Let’s look at a more specific example:

Let’s say you wanted Users of the Marketing Department to only have access to Tasks which have been marked as “Marketing Follow-up”. Again, we’ll use the OWD “Controlled by Parent” as the baseline setting.

Next, we’ll go to the Object Manager and select “Task” and then select “Restriction Rules”. From here, you’ll determine a meaningful Rule Name, specify the User Criteria (like the Department field on the User Record) and then specify the Record Criteria (like the checkbox field “Marketing Follow-up”).

This may look like this:

The result will be: The Marketing Users used to have access to all Tasks of their Accounts because of the OWD “Controlled by Parent” on the Activity Object, but now get a limited view to Tasks marked as “Marketing Follow-up” because of the Restriction Rule.

What Else You Need To Know About Salesforce Restriction Rules

Restriction Rules have only been made GA (Generally Available) in Salesforce’s Winter’22 Release. They still have a number of limitations around where and how you can use them. As always, keep an eye on the Release Notes for updates around the capabilities of Restriction Rules.

Here are some of the key items you currently need to consider before you set up Restriction Rules:

  • Only support Custom Objects and the following Standard Objects: Contracts, Events, Tasks, Time Sheets and Time Sheet Entries
  • Enterprise and Developer Editions only support up to 2 Restriction Rules per Object, Performance and Unlimited Editions up to 5
  • One Restriction Rule per Object per User
  • User Criteria and Record Criteria are limited to a small number of data types (e.g. boolean, date, string)
  • You can’t add more than one User criteria or more than one Record Criteria
  • The Operator is limited to “Equals”
  • Recently Viewed List Views still show records a User may have previously had access to, however when a User attempts to open the record, they will get an error

Make sure to familiarize yourself with the full list of considerations: https://help.salesforce.com/s/articleView?id=sf.security_restriction_rule_considerations.htm&type=5

While the capabilities of Restriction Rules are still rather limited, they already open up great opportunities for System Administrators. They have been put in place for a reason. 🤓

Let me know in the comments if you have been using Restriction Rules and how they have been working for you.

If you want to learn more about Salesforce’s Data Security Model, it’s part of our Salesforce Administrator Certification Course. You can sign up for a Free Preview first to get to know our Video Tutorials, Study Workbooks, and Practice Exams.

Leave a Reply

%d bloggers like this: