Negative Permissions: Restriction Rules (Part 2)

What are they?

Restriction rules provide another layer of security that you can apply on top of your existing org-wide defaults, sharing rules, and other settings, in case you have users who should only have access to a specific subset of records.

Some usage examples:

1. Only show the contracts that are owned by the logged-in users, regardless of where they are in the role hierarchy.

2. Make sure only selected users have access to Tasks and Events on a given Account, even if they have access to the Account's record.

3. For custom objects, even if a user has access to the Master record, prevent access to Detail records.

How to create a Restriction rule?

For detailed steps click here.
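
As an added illustration (not from the original article), here is how the first usage example, contracts visible only to their owner, could be expressed as a deployable rule, assuming Salesforce's RestrictionRule Metadata API type. The label, description and the choice of "all active users" as the user criteria are constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: restriction rule for usage example 1.
     Label, description and user criteria are constructed sample values. -->
<RestrictionRule xmlns="http://soap.sforce.com/2006/04/metadata">
    <!-- The rule has no effect until it is active -->
    <active>true</active>
    <description>Active users see only the contracts they own.</description>
    <!-- Restrict narrows the access already granted by OWD, roles and sharing rules -->
    <enforcementType>Restrict</enforcementType>
    <masterLabel>Contracts You Own</masterLabel>
    <!-- Which records stay visible: a single condition, no AND/OR,
         and no formula fields, per the considerations listed below -->
    <recordFilter>OwnerId = $User.Id</recordFilter>
    <!-- The object being restricted; child objects need their own rules -->
    <targetEntity>Contract</targetEntity>
    <!-- Which users the rule applies to: also a single condition -->
    <userCriteria>$User.IsActive = true</userCriteria>
    <version>1</version>
</RestrictionRule>
```

Users with View All/Modify All, and Apex running in System Mode, are not constrained by this rule, so verify it while logged in as an affected user rather than as an administrator.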

Important information to consider:

  1. Restriction rules are applied after all other types of sharing (OWD, Role, Sharing Rules, Manual) have been computed, but they do not work in System Mode or for users with View All/Modify All.
  2. If you're building an ISV package or running Apex without checking for CRUD/FLS, this could be a problem for you, so make sure to check your sharing settings to ensure you're not bypassing them.
  3. You cannot have AND or OR conditions in the criteria.
  4. You cannot have formula fields in the record filter.
  5. After restriction rules are applied, users can still see records that they previously had access to in the search box shortcuts list or in the Recently Viewed list view. However, when users click the record name, they can't access the record and get an error.
  6. Lastly, when you restrict an object, you are not automatically restricting its child objects. So, if you restrict Contacts, users will still be able to see Tasks or Notes for the contacts they can't see.


More articles by Gaurav Gupta
