Access rights need to be assigned at the object level based on roles.
Our requirement is two-fold:
- Assign permissions to specific roles, and
- Assign permissions to specific users within a role, based on certain filter conditions.
For example:
- The X role has role-based permissions, but these permissions must be overridden for certain users within the same role based on filters.
- For other roles like Y, all users in that role should have access to the records without any additional filtering.
We already have a business process that manages this logic, but the challenge is the large volume of records. Whenever we add a new role to the permission set, we must update the object-level permissions again. This unintentionally exposes all existing records to all users in the X role.
To correct this, we must re-run our business processes on all existing records to ensure that only the intended X users retain access, not everyone in the role. This becomes a very manual and time-consuming activity each time any permission change is required.
We would like guidance on how to achieve this more efficiently, ideally through customization, given the volume of records involved.
Hello,
In this scenario, the most effective approach is to separate permission management by role type. For roles like Y, where all users should have access to records without additional conditions, standard object-level record permissions can be used without any changes.
For role X, where access must be limited to specific users within the same role based on certain conditions, permissions should be managed exclusively through a business process. The process can be triggered on record creation (and, if required, on record update) and grant access only to the users who meet the defined criteria.
To avoid unintended access, the X role should not be included in the object-level record permissions. This is important because object-level permissions are recalculated whenever role settings change, which is what currently causes all existing records to become visible to all users in role X. When access is granted through a business process, it is not revoked during permission recalculation, and users retain only the access explicitly assigned by the process.
With this approach, adding or modifying roles no longer requires re-running processes for all existing records. Access remains controlled and consistent, and only the intended users within role X will have permissions to the relevant records.
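A simplified model of the behaviour described in this answer, added here as an illustration; it is not platform code or the poster's business process. It shows why keeping role X out of the object-level rules preserves the per-user grants, and includes an audit check for over-exposed records. The `region` filter, the user names, and all function names are assumptions made for the example.

```python
from dataclasses import dataclass, field

FILTERED_ROLES = {"X"}  # roles that must get access only through per-user grants

@dataclass(frozen=True)
class User:
    name: str
    role: str
    region: str  # constructed filter attribute (assumption)

@dataclass
class Record:
    rec_id: int
    region: str
    role_grants: set = field(default_factory=set)  # rebuilt on every recalculation
    user_grants: set = field(default_factory=set)  # written by the process, never rebuilt

def recalculate(records, object_level_roles):
    """Object-level recalculation: role grants are replaced on ALL existing records."""
    for rec in records:
        rec.role_grants = set(object_level_roles)

def process_on_create(rec, users):
    """Business process: grant access only to filtered-role users matching the filter."""
    for u in users:
        if u.role in FILTERED_ROLES and u.region == rec.region:
            rec.user_grants.add(u.name)

def can_read(user, rec):
    return user.role in rec.role_grants or user.name in rec.user_grants

def overexposed(records, users):
    """Audit: filtered-role users who can read a record their filter does not match."""
    return [(rec.rec_id, u.name) for rec in records for u in users
            if u.role in FILTERED_ROLES and u.region != rec.region and can_read(u, rec)]

def demo():
    users = [User("alice", "X", "EU"), User("bob", "X", "US"), User("carol", "Y", "US")]
    records = [Record(1, "EU"), Record(2, "US")]
    for rec in records:
        process_on_create(rec, users)
    recalculate(records, {"Y"})        # recommended: X absent from object-level rules
    safe = overexposed(records, users)
    recalculate(records, {"X", "Y"})   # X added at object level: every record opens to all of X
    leaked = overexposed(records, users)
    return safe, leaked

if __name__ == "__main__":
    print(demo())
```

Running an audit like `overexposed` after any change to role settings catches the exposure without re-running the process over every record.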