ptjohnson

Hide Individual Records (Notes) Per User/Profile

Hi,

 

I've been through a lot of documentation on Salesforce security and can't find the best (read: simplest) way to implement the following:

 

We're a small organisation that has pretty open sharing of accounts, cases, notes and attachments. In some instances, we would like to restrict visibility (hidden) to certain notes (i.e. record-level security) within an account that is otherwise accessible to all users. We don't have any role-hierarchies in place, only separate profiles for Management, Finance and Engineers. We basically want to lock down a specific note so it's only visible to Management.

 

Salesforce appears to have a "Default Restrict, Exception Allow" policy by using role-hierarchies. We want to do more of a "Default Allow, Exception Restrict" setup. Is this possible?

 

Thanks and regards,

Peter

 

(Edit: Changed subject to be more specific and accurate).

Yoel Gluck

Hi Peter,

 

It sounds like what you really need is a criteria-based sharing model. We are working on a criteria-based sharing model (as announced at Dreamforce), but we don't have it yet.

 

The best way to implement criteria-based sharing currently is using Apex Managed Sharing (http://wiki.developerforce.com/index.php/Using_Apex_Managed_Sharing_to_Create_Custom_Record_Sharing_Logic). Using Apex Managed Sharing, you start by setting the object to private (no records are shared by default), then you use Apex code to share based on your logic (with triggers or Apex controllers).

 

And last, I don't think notes have a special sharing object to be used in Apex Managed Sharing, so you probably can't separate the sharing rules of the main record from its notes. If you want to do this you will have to create a custom notes object and then use Apex Managed Sharing on it.

 

Best,

Yoel Gluck

Product Security Team @ Salesforce.com
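
Added example, not part of the original posts and not Salesforce's own code: a sketch of the approach described in the reply above (custom notes object set to private, then shared from a trigger). The object `Private_Note__c`, its checkbox `Management_Only__c`, the Apex sharing reason `Note_Visibility__c`, and the public groups `Management` and `All_Staff` are all hypothetical names assumed for illustration.

```apex
// Assumptions (hypothetical, not from the thread):
//  - custom object Private_Note__c with org-wide default "Private"
//  - checkbox field Management_Only__c on that object
//  - Apex sharing reason Note_Visibility__c defined on that object
//  - public groups 'Management' and 'All_Staff' (managers belong to both)
trigger PrivateNoteSharing on Private_Note__c (after insert, after update) {
    // One query for both groups keeps the trigger bulk-safe.
    Map<String, Id> groupIds = new Map<String, Id>();
    for (Group g : [SELECT Id, DeveloperName FROM Group
                    WHERE Type = 'Regular'
                    AND DeveloperName IN ('Management', 'All_Staff')]) {
        groupIds.put(g.DeveloperName, g.Id);
    }
    String reason = Schema.Private_Note__Share.RowCause.Note_Visibility__c;

    // Drop shares this trigger created earlier so a changed flag takes effect.
    if (Trigger.isUpdate) {
        delete [SELECT Id FROM Private_Note__Share
                WHERE ParentId IN :Trigger.newMap.keySet()
                AND RowCause = :reason];
    }

    List<Private_Note__Share> shares = new List<Private_Note__Share>();
    for (Private_Note__c note : Trigger.new) {
        // Restricted notes go to Management only; the rest to all staff.
        Id target = groupIds.get(
            note.Management_Only__c ? 'Management' : 'All_Staff');
        if (target == null) {
            continue; // fail closed: a missing group leaves the note owner-only
        }
        shares.add(new Private_Note__Share(
            ParentId = note.Id,
            UserOrGroupId = target,
            AccessLevel = 'Read',
            RowCause = reason));
    }
    insert shares;
}
```

Sharing rows only restrict users who are subject to sharing: anyone holding "View All Data" or "Modify All Data" still sees every record, so check which profiles carry those permissions.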

ptjohnson

Hi Yoel,

 

Thanks for your prompt response. Given the Apex Managed Sharing model doesn't support this on notes, it's not a feasible solution for us. We don't want to stray too far from the standards by unnecessarily implementing custom objects just to store notes.

 

Could you propose a recommended solution using the existing security functions, even if it means redesigning our security settings? I understand it would mean we need the "higher" level employees to re-create our existing notes that need to be secure, but if that fits in better with the recommended SF solution, then we would rather go down that track.

 

Alternatively, could we create a new customer object called "Private Notes" for example, which could sit under the existing Account Settings. We could then move the private information into this section and hide that object using the Page Layout settings and do that on a Profile basis?

 

Thanks and regards,

Peter Johnson

Yoel Gluck

Maybe the best thing would be to schedule Office Hours with our team? This way we can get to know the specific needs and try to recommend the best solution. To schedule Office Hours with the Product Security team, go to: http://security.force.com/PartnerOfficeHours

 

Note: Removing an object from the page layout does not enforce access control to the records/objects. If the user has access via API, VF, Apex, or any other way, they will have access to your record. You should enforce access to your objects/records using CRUD/FLS/Sharing.

 

Best,

Yoel Gluck

Product Security Team @ Salesforce.com