How to restrict access to specific Salesforce Roles [you actually can’t – but here’s how to do it]

Posted July 1st, 2009 in Tips & Tricks by John Coppedge

Sometimes you need to restrict access within Salesforce for certain users or roles. Unfortunately, if you are using the default sharing settings, this is not possible, because sharing rules can only grant access, not restrict it.

The best solution is to do the following:

  1. Create a public group that includes all roles except for the one(s) with restricted access.
    [Image: Role Hierarchy]
    [Image: New Public Group]
  2. Create sharing rules that mirror the existing Organization Wide Defaults:
    [Image: Current defaults]
    [Image: New rules]
    The first rule gives Everyone (Excluding Consultants) Read/Write access to the Sales Consultants’ accounts and opportunities. The Management and Administrative roles will have read/write/transfer access through the role hierarchy.
    The second rule recreates the existing org wide default sharing rules, but only for the Everyone (Excluding Consultants) group.
  3. Change the org wide defaults for account and opportunity to private (make sure to do this step last).
  4. Repeat for other objects as needed (process may vary slightly).  If you understand role hierarchy this should be pretty straightforward.

When you add new roles to your organization, make sure to add them to your public group, or they will only be able to view their own accounts!
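
The effect of steps 1 to 3, and of the new-role caveat, can be checked with a small model of additive sharing. This is an added example, not Salesforce code or anything from the original post: the role names other than the consultants, the "Support" role, and the assumed Public Read/Write starting default are all constructed for illustration.

```python
# Simplified model of additive record sharing; not Salesforce code.
LEVELS = {"none": 0, "read": 1, "read_write": 2}

# Constructed role hierarchy (child -> parent). "Support" is a role
# created later and never added to the public group.
PARENT = {"Sales Rep": "Management", "Sales Consultant": "Management",
          "Support": "Management", "Management": None}
ROLES = list(PARENT)

EVERYONE_EXCL = {"Sales Rep", "Management"}   # step 1 public group
CONSULTANTS = {"Sales Consultant"}            # the restricted role

# Step 2 rules: (owner roles, roles shared with, level granted).
RULES = [(CONSULTANTS, EVERYONE_EXCL, "read_write"),
         (EVERYONE_EXCL, EVERYONE_EXCL, "read_write")]


def is_above(role, other):
    """True if `role` is an ancestor of `other` in the hierarchy."""
    node = PARENT[other]
    while node is not None:
        if node == role:
            return True
        node = PARENT[node]
    return False


def access(viewer, owner, owd, rules):
    """Level `viewer` gets on a record owned by another user in role
    `owner`: the maximum over every grant, since nothing subtracts."""
    if is_above(viewer, owner):
        return "read_write"
    best = LEVELS[owd]
    for owners, viewers, level in rules:
        if owner in owners and viewer in viewers:
            best = max(best, LEVELS[level])
    return next(name for name, rank in LEVELS.items() if rank == best)


def report(owd, rules):
    """Map (viewer role, owner role) -> access level."""
    return {(v, o): access(v, o, owd, rules) for v in ROLES for o in ROLES}


before = report("read_write", [])   # assumed public default, no rules
after = report("none", RULES)       # steps 1-3 applied; "none" = Private
early = report("none", [])          # step 3 done before step 2
```

Comparing `after` with `early` shows why the default is switched to private last: without the rules in place, every role outside the hierarchy path loses access, not only the consultants.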