Rakesh Chatty

Field Level permissions

Hi, 
I have a requirement where a user should be able to edit all Account fields if he/she is the owner of the record, and only a few fields if not.

Example:
Account Owner : User1
User1 : System Admin
User2 : System Admin

User 1 should be able to edit all fields no restrictions.
User 2: only access to edit a few fields.

Can someone suggest how to fulfill this requirement using out-of-the-box functionality, such as sharing rules, permission sets, field-level security, etc.?

Thanks in Advance.

Parish Haldkar 11
Hi Rakesh,
To allow only the Account owner to edit all the fields of an account record, you can set the org-wide defaults for the Account object to 'Public Read Only' which will give access to all users to view and create a report on records, but only the owner, and users above that role in the hierarchy, can edit them. You can disable access to role hierarchy by unchecking the 'Grant Access Using Hierarchies' checkbox.
To give access to other users for certain fields on the Account object, you can create a permission set and assign the permission set to all the users.
Or create a profile and give access to certain fields on the Account object, and assign this profile to all the users.

Permission set and profile are used to give excess access to the object and fields, not limit it. So if the user is the owner of the account record and has these permission set or profile assigned, even then the user can edit all the fields on the record due to the OWD access for record owners.

If it helps, please mark it as the best answer.
Rakesh Chatty
Hi Parish,

On which one do we need to give all permissions, the Profile or the Permission Set?

Thanks
Parish Haldkar 11
Hi,
To give all the permission to the Account owner only, we will be doing it by org-wide defaults. And to give permission for the specific fields for the other users, we will be using the permission set or profile.

The steps for implementation-
1. Set the org-wide defaults for Account to 'Public Read Only' which will give read/edit access to account owners, but all other users will have read-only access to the account fields.
2. To give access to all the other users who are not the owner of the specific account record, we will create a permission set or a profile and give read and edit access to those specific account fields using this permission set or profile. Then assign this permission set or profile to all the users present in your org.

So here we are limiting the edit access for all fields for all the users except the account owner using the org-wide defaults. We are then giving access to these users to edit some fields in the account record using the permission set or profile.

Please mark this as the best answer if it helps.
Danish Hoda
Create 2 permission sets:
1. With limited fields, name it - limitedFieldAccess - give access to the fields required.
2. With all fields, name it - ownerFieldAccess - give access to all fields.
In the account trigger, create a future method to assign the limitedFieldAccess permission set to other users and the ownerFieldAccess permission set to the owner, using the PermissionSetAssignment object.
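
The trigger and future method described in the last reply, written out in Apex as an added example (not code posted in the thread). The class and trigger names are hypothetical, both permission sets are assumed to exist already, and "other users" is assumed to mean every active internal user.

```apex
// Added example, not code from the thread. In an org the class and the
// trigger are two separate files.
public with sharing class AccountFieldAccessAssigner {
    // PermissionSetAssignment is a setup object; running the DML in a @future
    // method keeps it out of the Account trigger's transaction.
    @future
    public static void assign(Set<Id> ownerIds) {
        Map<String, Id> psByName = new Map<String, Id>();
        for (PermissionSet ps : [SELECT Id, Name FROM PermissionSet
                                 WHERE Name IN ('ownerFieldAccess', 'limitedFieldAccess')]) {
            psByName.put(ps.Name, ps.Id);
        }
        if (psByName.size() < 2) { return; } // both sets must already exist
        // Existing assignments keyed "userId:permissionSetId", to skip duplicates.
        Set<String> existing = new Set<String>();
        for (PermissionSetAssignment psa : [SELECT AssigneeId, PermissionSetId
                                            FROM PermissionSetAssignment
                                            WHERE PermissionSetId IN :psByName.values()]) {
            existing.add(String.valueOf(psa.AssigneeId) + ':' + psa.PermissionSetId);
        }
        List<PermissionSetAssignment> toInsert = new List<PermissionSetAssignment>();
        // Assumption: "other users" = every active internal user who is not
        // an owner in this batch.
        for (User u : [SELECT Id FROM User WHERE IsActive = true AND UserType = 'Standard']) {
            Id psId = ownerIds.contains(u.Id) ? psByName.get('ownerFieldAccess')
                                              : psByName.get('limitedFieldAccess');
            if (!existing.contains(String.valueOf(u.Id) + ':' + psId)) {
                toInsert.add(new PermissionSetAssignment(AssigneeId = u.Id, PermissionSetId = psId));
            }
        }
        // allOrNone = false: one failed row (e.g. a licence mismatch) does not block the rest.
        Database.insert(toInsert, false);
    }
}

trigger AccountFieldAccess on Account (after insert, after update) {
    Set<Id> ownerIds = new Set<Id>();
    for (Account a : Trigger.new) {
        Account old = Trigger.isUpdate ? Trigger.oldMap.get(a.Id) : null;
        if (old == null || old.OwnerId != a.OwnerId) { ownerIds.add(a.OwnerId); }
    }
    // A @future method cannot be called from future or batch context.
    if (!ownerIds.isEmpty() && !System.isFuture() && !System.isBatch()) {
        AccountFieldAccessAssigner.assign(ownerIds);
    }
}
```

Permission set assignments are additive and attach to the user rather than to a single record, so a user who receives ownerFieldAccess has that field access on every Account record they are able to edit.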