[SalesForce] Opportunity product field permissions

I'm looking to give a specific user access to edit a single custom field on 'Opportunity Product'.
This user should not have the ability to edit any 'Opportunity' field.

I created an 'Opportunity Product' validation rule which fires if the user changes any forbidden field, and I had to create an 'Opportunity' validation rule (preventing any opportunity modification).

It seems like the 'Opportunity' and the 'Opportunity Product' are both related to the same permission, and when I try to edit this specific Opportunity Product field, the Opportunity validation rule fires.

Any idea how to prevent this user from editing the Opportunity but allow him to edit this specific 'Opportunity Product' field?

The 'Opportunity Product' validation rule:

AND (NOT (ISCHANGED ( my_custom_field__c )), $Profile.Name = 'Support & Automation')

And the 'Opportunity' validation rule:

$Profile.Name = 'Support & Automation'

Thanks!

Best Answer

Opportunity Product has a master-detail relationship to Opportunity, so it inherits its CRUD permissions from Opportunity. You won't be able to remove object-level Edit access to the Opportunity from a user who can edit the Opportunity Product (since it's Opportunity Edit that grants the latter permission), and that means that certain standard required fields cannot be marked as read-only for this user. That list includes Name, Stage, CloseDate, and a handful of others.

Opportunity Product has the same basic problem - any user who has permission to edit the object at the CRUD level also gets to edit the Opportunity, Product, Quantity, and Sale Price fields.

A validation rule can only take you so far. This rule, for example,

AND (NOT (ISCHANGED ( my_custom_field__c )), $Profile.Name = 'Support & Automation')

will allow a Support & Automation user to make any change to the Opportunity Product, provided that they also change my_custom_field__c.

This one:

$Profile.Name = 'Support & Automation'

means that you cannot have any automation that updates the Opportunity level from the Opportunity Product level (unless it's designed very carefully and excludes updates made by these users, which won't be possible in all cases), because the rule will then fire when the programmatic update goes off.

Unfortunately, I think the only thoroughgoing solution to this ask is code-based. You'd need to completely remove Edit permission for Opportunity and Opportunity Product for these users (at the CRUD level rather than FLS) and implement some type of custom UI for the users to initiate these updates, running automation or Apex that ignores CRUD and FLS to perform the changes.
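One shape the code-based approach can take, as an added example that is not part of the original answer: an Apex service that runs in system mode (so it works for users with no Edit CRUD on Opportunity or Opportunity Product) but hard-limits itself to one allow-listed field. The custom permission name `Edit_Opportunity_Product_Custom_Field` and the @AuraEnabled entry point are assumptions; `my_custom_field__c` is the field from the question.

```apex
// Apex service for the code-based approach: the users have no Edit CRUD on
// Opportunity or OpportunityLineItem; this class runs in system mode (without
// sharing, no FLS checks) but only ever writes one allow-listed field.
public without sharing class OpportunityProductFieldService {

    // The only field this service may write. Everything else is rejected before
    // DML, so the elevated context cannot be turned into a general edit capability.
    private static final Set<String> ALLOWED_FIELDS =
        new Set<String>{ 'my_custom_field__c' };

    // Hypothetical custom permission (assumption, not from the page). Assign it via
    // a permission set instead of keying on $Profile.Name as the validation rules do.
    private static final String REQUIRED_PERMISSION =
        'Edit_Opportunity_Product_Custom_Field';

    @AuraEnabled
    public static void updateCustomField(Id lineItemId, String fieldName, Object newValue) {
        // Authorization is checked explicitly, since CRUD/FLS no longer gate this user.
        if (!FeatureManagement.checkPermission(REQUIRED_PERMISSION)) {
            throw new AuraHandledException('Insufficient privileges.');
        }
        // Only Opportunity Product records are accepted; any other Id is refused.
        if (lineItemId == null ||
            lineItemId.getSObjectType() != OpportunityLineItem.SObjectType) {
            throw new AuraHandledException('Record is not an Opportunity Product.');
        }
        // Field names are compared case-insensitively against the allow-list.
        String field = String.isBlank(fieldName) ? '' : fieldName.toLowerCase();
        if (!ALLOWED_FIELDS.contains(field)) {
            throw new AuraHandledException('Field is not editable through this service.');
        }
        // Confirm the field really exists on the object before a dynamic put().
        if (!Schema.SObjectType.OpportunityLineItem.fields.getMap().containsKey(field)) {
            throw new AuraHandledException('Unknown field.');
        }

        // Partial update: only the allow-listed field is touched on the record.
        OpportunityLineItem item = new OpportunityLineItem(Id = lineItemId);
        item.put(field, newValue);
        update item;
    }
}
```

With Edit CRUD removed for these users, the profile-based validation rules from the question become unnecessary, and the allow-list in this class is what constrains the write. Note that the update still runs the Opportunity Product triggers and Opportunity roll-ups, so any automation there executes in this system-mode context as well.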