How to restrict access to specific Salesforce Roles [you actually can’t – but here’s how to do it]

Posted July 1st, 2009 in Tips & Tricks by John Coppedge

Sometimes you need to restrict access within Salesforce for certain users or roles. Unfortunately, if you are using the default sharing settings, this is not possible: sharing rules can only grant access, not restrict it.

The best solution is to do the following:

  1. Create a public group that includes all roles except for the one(s) with restricted access.
    [Image: Role Hierarchy]
    [Image: New Public Group]
  2. Create sharing rules that mirror the existing Organization Wide Defaults:
    [Image: Current defaults]
    [Image: New rules]
    The first rule gives Everyone (Excluding Consultants) Read/Write access to the Sales Consultants’ accounts and opportunities. The Management and Administrative roles will have read/write/transfer access through role hierarchy.
    The second rule recreates the existing org wide default sharing rules, but only for the Everyone (Excluding Consultants) group.
  3. Change the org wide defaults for account and opportunity to private (make sure to do this step last).
  4. Repeat for other objects as needed (process may vary slightly).  If you understand role hierarchy this should be pretty straightforward.

When you add new roles to your organization, make sure to add them to your public group, or they will only be able to view their own accounts!
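One way to catch that drift is a periodic check run as anonymous Apex. This is an added example, not code from the original post; the group and role `DeveloperName` values are hypothetical, and it only considers roles added to the group directly or as "role and subordinates", not individually added users or nested groups.

```apex
// Added example. Both names below are hypothetical; substitute your own.
String groupName = 'Everyone_Excluding_Consultants';             // public group DeveloperName
Set<String> restricted = new Set<String>{ 'Sales_Consultant' };  // restricted role DeveloperNames

// Load the internal role hierarchy and index each role's direct children.
Map<Id, UserRole> roles = new Map<Id, UserRole>(
    [SELECT Id, DeveloperName, ParentRoleId FROM UserRole WHERE PortalType = 'None']);
Map<Id, List<Id>> children = new Map<Id, List<Id>>();
for (UserRole r : roles.values()) {
    if (r.ParentRoleId == null) continue;
    if (!children.containsKey(r.ParentRoleId)) children.put(r.ParentRoleId, new List<Id>());
    children.get(r.ParentRoleId).add(r.Id);
}

// A role joins a public group through its system group (Type 'Role', or
// 'RoleAndSubordinates' when it was added together with the roles beneath it).
Set<Id> memberIds = new Set<Id>();
for (GroupMember gm : [SELECT UserOrGroupId FROM GroupMember
                       WHERE Group.DeveloperName = :groupName AND Group.Type = 'Regular']) {
    memberIds.add(gm.UserOrGroupId);
}

// Expand each membership entry into the set of role Ids it actually covers.
Set<Id> covered = new Set<Id>();
for (Group g : [SELECT RelatedId, Type FROM Group WHERE Id IN :memberIds
                AND Type IN ('Role', 'RoleAndSubordinates', 'RoleAndSubordinatesInternal')]) {
    List<Id> pending = new List<Id>{ g.RelatedId };
    while (!pending.isEmpty()) {
        Id roleId = pending.remove(0);
        covered.add(roleId);
        // Only the "and subordinates" group types pull in descendant roles.
        if (g.Type != 'Role' && children.containsKey(roleId)) {
            pending.addAll(children.get(roleId));
        }
    }
}

// Report both failure modes: a role left out, and a restricted role let in.
for (UserRole r : roles.values()) {
    Boolean isRestricted = restricted.contains(r.DeveloperName);
    if (isRestricted && covered.contains(r.Id)) {
        System.debug(LoggingLevel.WARN, 'Restricted role is in the group: ' + r.DeveloperName);
    } else if (!isRestricted && !covered.contains(r.Id)) {
        System.debug(LoggingLevel.WARN, 'Role missing from the group: ' + r.DeveloperName);
    }
}
```

The second warning matters as much as the first: adding a parent role "with subordinates" silently puts a restricted child role back into the group.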

4 Responses so far.

  1. Suma says:

    Hi there,

    In one situation, a new user, John Krohn, should be given access to Lead Records where County = Northern Region AND Lead Owner = Maya Sheritt.

    Notice, I am trying to fulfill 2 goals:
    a) John Krohn access to those LEAD Records where he is not the Lead Owner. Is that possible?

    b) John Krohn should also get access to those leads where he is not the LEAD OWNER *AND* where the County = Northern Region.

    Is this possible using Sharing Rules?


  2. ForceCertified.com says:

    Sharing rules can accomplish sharing via record owner, so issue A is no problem.

    For issue B, sharing rules would not work. I haven’t personally implemented it, but I believe territory management is precisely what you’re looking for.


  3. Nikkie says:

    Is there a way to find out if a standard user saved some reports to their personal folder? I know even a system admin will not be able to know, but just wanted to see if there’s any trick to find out.

  4. roysmith says:

    I am new to Salesforce and I have a requirement that only current profiles can create a new account record. Example: if I have profile = Test and I want to create a new Account on the account object, then if the Test profile doesn’t have permission to create a new Account, then as soon as I try to click the “New” button a message should display that “you don’t have permission to create new account record”.
    But if I have profile = Admin, then because admin has permission to create an account, he/she should be able to create a new account.
    I want the functionality that as soon as people who don’t have access to create a new account click on the “New” button on the account object, an error should pop up saying that you don’t have permission to create a new account.
    I am not sure how I can fulfill this requirement or what steps I need to take.
    Please help me

