Step By Step Guide to Using Restriction Rules in Salesforce

Restriction Rules in Salesforce

Traditionally, to control the visibility of records in Salesforce, we used to start with the most restrictive setting (i.e. setting OWD to Private for an object) and then opening up the access using various features like role hierarchy, sharing rules, teams etc. 

Consider the following diagram. Before Restriction rules, we started with the most restrictive setting and then opened up access using various features.

Before Restriction Rules in Salesforce

(Image Source: Restriction Rule Developer Guide)

But, now with Winter ’22 Release of Salesforce, we can also define a rule to restrict the visibility of records. For example, even if we have defined the OWD to Public Read or Public Read/Write on an object, we can now add restriction rules to hide certain records from certain users. 

After Restriction Rules in Salesforce

(Image Source: Restriction Rule Developer Guide)

So, What Are Restriction Rules?

Restriction Rules allow admin to restrict the visibility of selected records from selected group of users. It went GA (Generally Available) in Salesforce Winter ‘22 Release.

Which Objects are Supported for Restriction Rules?

As of now only the following objects are supported for Restriction Rules:

  1. Custom Objects
  2. Contracts
  3. Events
  4. Tasks
  5. Time Sheets
  6. Timesheet Entries

Where are Restriction Rules Applied?

Once defined, Restriction Rules are applied to the following Salesforce features:

  1. List Views
  2. Lookups
  3. Related Lists
  4. Reports
  5. Search
  6. SOQL
  7. SOSL

What are the Current Limitations & Considerations for Restriction Rules?

  1. Only two Restriction Rules can be created on the supported objects in Enterprise Edition & five in Unlimited & Performance Edition
  2. Only below data types are supported in the recordFilter and userCriteria fields:
    1. Boolean
    2. Date
    3. DateTime
    4. Double
    5. Int
    6. Reference
    7. String
    8. Time
  3. Restriction rules support only the EQUALS operator. The AND, OR, or any other operators aren’t supported.
  4. The use of formulas isn’t supported.
  5. You can use a change set to move restriction rules from one org to another.
  6. If you include IDs in your recordFilter or userCriteria fields that are specific to your Salesforce org (such as a role, record type, or profile ID), you must modify these IDs in the target org if different from the org where the restriction rules were originally created.

Ok, that’s enough talk. Now, let’s take a look at Restriction Rules in action in just under 10 minutes.

Not an “All Access” Pass Member Yet?

Get Download Access to this & 150+ More Step-by-Step Guides with “All Access” Pass. A simple and single plan to access our entire library of courses, guides, workshops & masterclasses on Salesforce.

References & Useful URLs

14 thoughts on “Step By Step Guide to Using Restriction Rules in Salesforce”

  1. Hi,
    Can you please suggest how to restrict users to view records only by users pertaining to the same group using restriction rules without customization?
    I have created a text field on user object that hold the names of the groups the user is part of with a comma separated value. I am updating this text field using flows. On the restriction rule, I am using assigned user’s text field in the first value under record criteria and checking if it’s equal to the Current User’s same text field. This works fine when both of them have same group values in the text field. But doesn’t work when Assigned User is part of Group 1 and Current User is part of Group 1, Group 2.

  2. Hi Ashish,
    Thanks for your post. I have been following you for almost more than 4 years. I do have a question about this.

    As per the salesforce documentation, Restriction rules do not restrict the record access means the user will have access to records and he can have them by searching for the specific record which has been hidden through restriction rules.

    I was looking into the use case where you are trying to restrict the Contracts which are sensitive. But users can still access the sensitive contracts by searching specific records ?? Please correct me if I am wrong.

    Also, could you please share more use cases related to this feature?

    1. Hi Rajashekhar,

      Restriction rules do restrict you from accessing records. So you can stop the users from accessing sensitive contracts by using restriction rules and in this blog post we are doing exactly that.

      The feature that you are referring to is called “Scoping Rules”, which does not restrict you from accessing records. It just controls the default records that your users see based on criteria that you select. Here is the URL where you can find more information about scoping rules –


    1. Hi Alok, it doesn’t look like you can use blank value with “String” field type directly in restriction rules. But what you can try is create a formula field of “Checkbox” type and set the value of this field to true or false based on whether the string field is empty or not. Then use this formula field in the restriction rule. See if this will work.

      1. Thanks for the solution but I can see that we can’t use formula field in the restriction rule as of the Winter ’22 release. Can you help me to find any another way to achieve this

        1. Hi Alok,

          If the formula field does not work, then you can create a regular custom field and populate that using Flows. Restriction rules being a new feature has quite a few restrictions currently. 🙂 Hopefully in future releases, Salesforce will add more features and functionalities.

  3. Thanks for the walk through Ashish, great to see that working in an org – this would have saved a lot of work had it been in a previous release! I can think of a lot of use cases.

    I got caught out with finding the Profile ID as I just clicked the profile in set up and copied the ID number rather than following your instructions. I didn’t realise that when you do that you need to strip out the %2F from the profile ID (as per this help article: Once I had the Profile ID correctly it all worked as per the demo – thanks.

    1. Thanks for sharing the link, Mary. Yes, even I noticed that when you go to the profile directly in Salesforce UI, it adds extra characters to the profile id in the URL. That is why I included the steps to query the Id through Developer Console. 🙂

      The concept of restriction rules sounds promising. But currently it has a lot of limitations. Hopefully in subsequent releases, Salesforce will make it more powerful.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top
Introducing All Access Pass