How to make custom object record only visible to certain users based on field checkbox




So I have a custom object in my org called Promotion Events. I would like to add a field called 'Private' that is a checkbox, and if it is checked and the event is created, this event (Promotion Event record) should only be visible to two specific users in the org. These users already have permission sets that allow them to administrate the events and make changes as necessary. What would be the best way to go about changing the permission set to allow them to be the only ones to view records created as private? Changing the profile does not seem like the best option as there are many users who fall under the same profile as these two users.




2 Answers
2



Set sharing on the entire object to Private. Add the two users to a Permission Set that has View/Modify All on the object. Add a criteria based sharing rule that shares records with Private = FALSE to all internal users.



You can't do this with a simple permission set. You have to set the sharing model to private and use sharing rules to control the access.



The Modify All permission can be applied in a permission set, which could cut the number of sharing rules in half; however, this is kind of a super-power permission which would give those two users the ability to do pretty much whatever they want with events. I'd usually recommend stricter control than that. Always start with the most secure system you can and open up only what you need to open up.



Criteria Based Rules are one way to try to achieve this. This allows you to create a rule based on some values of the record that will automatically share the record with users. This is perfect for many use cases.



You can use Apex sharing rules inside of a trigger to modify the sharing behavior. If it is not checked, create a rule that shares with all internal users. If it is checked, create a share that only shares with those two users. This gives you complete control over the sharing functionality.



Guide on Apex Sharing





This sounds doable with criteria-based sharing rules, no? Unless the two users are dynamic, I'm not sure it needs Apex-managed sharing.
– David Reed
Aug 22 at 16:58





Maybe I'm just too Apex-minded :) From my experience, criteria-based sharing has been pretty limited and I almost always end up writing the Apex sharing rules. If criteria-based works, that's great.
– gNerb
Aug 22 at 17:00





If fixed criteria determine sharing to fixed users, then yes it's an appropriate way to do it.
– Charles T
Aug 22 at 17:19
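The trigger-based approach from the second answer, as an added example that is not part of the original thread. It assumes the object's sharing model is already Private, and the API names `Promotion_Event__c` and `Private__c`, the Apex sharing reason `Visibility__c`, and the public group `Private_Promotion_Viewers` (holding the two users) are hypothetical names chosen for illustration.

```apex
// Added example: Apex managed sharing driven by the Private checkbox.
// Assumed names (not from the thread): Promotion_Event__c, Private__c,
// Apex sharing reason Visibility__c, public group Private_Promotion_Viewers.
trigger PromotionEventSharing on Promotion_Event__c (after insert, after update) {
    // Only new records, or records whose Private flag changed, need work.
    Map<Id, Promotion_Event__c> changed = new Map<Id, Promotion_Event__c>();
    for (Promotion_Event__c ev : Trigger.new) {
        if (Trigger.isInsert || ev.Private__c != Trigger.oldMap.get(ev.Id).Private__c) {
            changed.put(ev.Id, ev);
        }
    }
    if (changed.isEmpty()) {
        return;
    }

    // Grantees: the group containing the two users, and All Internal Users.
    Id privateGroupId = [SELECT Id FROM Group
                         WHERE DeveloperName = 'Private_Promotion_Viewers'
                         AND Type = 'Regular' LIMIT 1].Id;
    Id allInternalId = [SELECT Id FROM Group WHERE Type = 'Organization' LIMIT 1].Id;

    String reason = Schema.Promotion_Event__Share.RowCause.Visibility__c;

    // Drop shares this trigger wrote earlier, so a record that is flipped
    // to Private loses its org-wide share instead of keeping both rows.
    delete [SELECT Id FROM Promotion_Event__Share
            WHERE ParentId IN :changed.keySet() AND RowCause = :reason];

    List<Promotion_Event__Share> shares = new List<Promotion_Event__Share>();
    for (Promotion_Event__c ev : changed.values()) {
        shares.add(new Promotion_Event__Share(
            ParentId      = ev.Id,
            UserOrGroupId = ev.Private__c ? privateGroupId : allInternalId,
            // Assumption: the two users edit private events, everyone else reads.
            AccessLevel   = ev.Private__c ? 'Edit' : 'Read',
            RowCause      = reason
        ));
    }
    insert shares;
}
```

The record owner, and any user holding View All or Modify All on the object, can still see a private record regardless of these share rows, so check who owns the events and who holds those permissions when verifying the result.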





