
Salesforce Security - Restriction Rules and Scoping Rules




1. Overview

Salesforce provides a very effective security model: we always start with the most restrictive access and then open up access, based on the requirements, using additional mechanisms such as sharing rules and manual sharing.



 

But there are scenarios where we need to restrict access based on specific criteria. Salesforce recently introduced 2 approaches to support this requirement: restriction rules and scoping rules. Let us look at both in detail.

2. Restriction Rules - Overview

Using restriction rules we can apply an additional filter on top of the records a specific user already has access to, so the user sees only the records that match the rule.



3. Scoping Rules - Overview

Scoping rules filter the records shown to a user by default, based on specific criteria. They do not prevent access to the other records.





4. Compare Restriction Rules and Scoping Rules




5. Restriction Rule - Example

Company ABC has Job Applications created through its company portal and synced to Salesforce. The recruitment team needs to work on these Job Applications to process them.

Visibility Requirement

A recruitment person is assigned to each region, and he should have visibility only to Job Applications in his region.

Job Application Organization-Wide Default (OWD) is Private.

All recruitment team members will be assigned the Recruitment Team role.

Solution

Since the OWD is Private, we need to create a sharing rule to share Job Applications with the Recruitment Team. The traditional solution is to create public groups for recruiters per region and share Job Applications with them based on criteria.

Now let us see how we can use restriction rules to share them with recruiters.

Step 1 - Create a sharing rule to share all Job Applications with the Recruitment Team role. All recruiters will be assigned the "Recruitment Team" role.

OWD:


Sharing Rule:



Test Results

I have a Recruitment Team member called Recruitment Manager whose geography is "APAC".

Also, 2 Job Applications have been created as shown below: one belongs to APAC and one belongs to EMEA.

Since the sharing rule gives access to all records, this user can see both records now:



But our requirement is that he should see only records from APAC, since his geography is APAC.

Let us see how we can achieve this with a restriction rule.

A restriction rule can be created from Setup -> Object Manager -> Job Application -> Restriction Rules -> New



Restriction Rule Name -> Geography Sharing



User Criteria - User.Geography__c = APAC


Note that we can add only one criterion here.

Record Criteria

Job_Application__c.Geography__c = APAC


Test Results

Now if we refresh the Recruitment Manager's list view, we can see that he has access to only the APAC record.


And if we try to access the record that was removed from the list, he gets the error shown below:


Considerations

  • At this moment we can create only a maximum of 5 restriction rules per object.
  • We cannot have AND or OR conditions in the criteria.
  • In record criteria, we cannot use picklist values.

So keep all this in mind before designing your sharing solution.

6. Scoping Rule - Example

For the same example described above, suppose the same recruitment team needs to support all regions but wants to work on a single region at a time. Let us see how scoping rules help us in that case. We need to deactivate the restriction rule first. After that, follow the steps below:

Step 1 - Create a Scoping Rule

We can create a scoping rule in the same way we created the restriction rule:

Go to Setup -> Object Manager -> Job Application -> Scoping Rules -> New



Give a Label


Define User Criteria

Here we define generic criteria to identify all users in the recruitment team, so the criteria will be specified as User.Role = Recruitment Team



Define Record Filter Criteria

Here the user will always see records whose geography is the same as his own geography.


Once this is saved, we need to update the filter criteria in the list view to apply the scoping rule:



Test Results:

Now if we open the list view, he can see only APAC records, which is his geography.


But if we go to Recently Viewed, he can still see both records:


And if he opens the EMEA record, he can still view it.


So a scoping rule only restricts the records displayed; it does not block access to other records.
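The access behaviour observed in the two test runs above (restriction rule versus scoping rule), and the region switch described in the next section, as an added example that is not part of the original post: a small Python model, not Salesforce code, in which the sharing model is reduced to an OWD of Private plus the one sharing rule that grants the Recruitment Team role access to every Job Application. Record ids, user fields and the three access paths are constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class User:
    role: str
    geography: str

@dataclass
class JobApplication:
    record_id: str
    geography: str

@dataclass
class Rule:
    enforcement: str                       # "Restrict" or "Scope"
    user_criteria: Callable[[User], bool]  # one criterion, no AND/OR
    record_criteria: Callable[[User, JobApplication], bool]

# Constructed sample data mirroring the post: one APAC and one EMEA record.
RECORDS = [JobApplication("a001", "APAC"), JobApplication("a002", "EMEA")]

def shared_with(user: User, record: JobApplication) -> bool:
    """OWD Private plus the sharing rule that shares every record with the role."""
    return user.role == "Recruitment Team"

def can_open(user: User, record: JobApplication, rule: Rule) -> bool:
    """Direct access (record URL, Recently Viewed, API): sharing, then any
    active restriction rule. A scoping rule never changes this result."""
    if not shared_with(user, record):
        return False
    if rule.enforcement == "Restrict" and rule.user_criteria(user):
        return rule.record_criteria(user, record)
    return True

def list_view(user: User, rule: Rule, scoped: bool = True) -> List[str]:
    """List view rows. A scoping rule filters only here, and only once the list
    view filter has been updated to apply it (scoped=True), as in the post."""
    rows = [r for r in RECORDS if can_open(user, r, rule)]
    if scoped and rule.enforcement == "Scope" and rule.user_criteria(user):
        rows = [r for r in rows if rule.record_criteria(user, r)]
    return [r.record_id for r in rows]

# The two rules from the post: a static APAC restriction, and a scoping rule
# that follows whatever geography is currently set on the user record.
RESTRICTION = Rule("Restrict", lambda u: u.geography == "APAC",
                   lambda u, r: r.geography == "APAC")
SCOPING = Rule("Scope", lambda u: u.role == "Recruitment Team",
               lambda u, r: r.geography == u.geography)
```

Changing `user.geography` on the `User` instance plays the role of the screen flow in section 7: the scoping rule picks up the new region on the next `list_view` call, while `can_open` is unaffected.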

7. Adding additional flexibility to view records

Since we have a global team handling the recruitment process, we need a mechanism to switch between regions and control visibility through scoping rules.

To get this visibility we use a list button associated with a screen flow that updates the user's region on selection and displays records based on that.

Let us see the flow first:



List button created consuming this flow:



This shows a picklist with the different region values, defaulted to the current user's region. The user can select another region; at the back end the user's record is updated with the new region, the scoping rule takes effect, and the list view now shows the new region's records.

Let us see how the list view behaves now:

1. User's current region is APAC:



2. Job Application list view:

Shows the APAC record

3. User clicks on the Select Geography button



4. User selects the region EMEA


5. User gets the "region updated" message


6. On Finish, the user is navigated to the list view, and it shows the EMEA record



Conclusion - So the user now has the flexibility to switch between regions and concentrate on a single region at a time.

Video Explanation:




8. References

https://help.salesforce.com/s/articleView?id=sf.security_restriction_rule.htm&type=5

https://help.salesforce.com/s/articleView?id=security_scoping_rule.htm&type=5&language=en_US

https://developer.salesforce.com/docs/atlas.en-us.restriction_rules.meta/restriction_rules/restriction_rules_about.htm

https://developer.salesforce.com/docs/atlas.en-us.scoping_rules.meta/scoping_rules/scoping_rules_about.htm

https://trailhead.salesforce.com/trailblazer-community/groups/0F94S000000GzylSAC?tab=discussion&sort=LAST_MODIFIED_DATE_DESC - Community group
