[SalesForce] Restrict record access based on record type

We have a requirement:

For the Operations profile, we want them not to see any Opportunity with Record Type = Grant or Record Type = Report.

So regarding that requirement we have done the following things:

1.) Removed View All and Modify All permission on the Opportunity object for the Operations profile.
2.) Revoked Modify All Data/View All Data permission for the Operations profile.
3.) Created a role named "Operations" and assigned that role to all users of the Operations profile.
4.) Updated the OWD sharing setting for Account and Opportunity to Private.
5.) Then created a sharing rule that shares Opportunity with the "Operations" role where Record Type NOT EQUALS Grant OR Report.
6.) Removed access to the Grant and Report record types for Opportunity from the Operations profile.

Now we are able to share Opportunity records with Operations profile users where Opportunity Record Type not equals Grant or Opportunity Record Type not equals Report.

ISSUE: But the issue is that if my user's profile is Operations and I own an Account, and that Account has Opportunities with Record Type = Grant or Record Type = Report, then the Opportunity record is automatically shared with the Account owner due to the "Account Sharing Rule".

Can anyone please help me with this: how can I avoid the Account sharing rule that is applied because my user is the Account owner? Or is there any other better way to show only specific record type data to the users of a profile?

Best Answer

The record owner is automatically granted Full Access, allowing them to view, edit, transfer, share, and delete the record.

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_bulk_sharing_understanding.htm

If the user is the owner of the record then they have implicit visibility. You will need to remove that user from being the owner.

Opportunities have an additional setting under roles that provides access based on account ownership. Make sure the user's role is set to "cannot access opportunities that they do not own", so if they do not own the opportunity but own the related account they cannot see it.

Optionally, you can override the View with a VF page that uses an <apex:detail> tag, and if the owner should not see it, present a message instead of the <apex:detail>.

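As an added example (not code from the question or the answer above), here is one way to implement the optional Visualforce override the answer describes. Everything in it is an assumption to be adjusted to the org: the class name, the record type DeveloperNames (Grant and Report), and the profile name (Operations).

```apex
// Controller extension for a Visualforce page that overrides the Opportunity
// View action. Hypothetical example: the class name, the record type
// DeveloperNames ('Grant', 'Report') and the profile name ('Operations') are
// all assumptions and must be adjusted to the org.
public with sharing class OpportunityViewExtension {

    // Record types the restricted profile must not see (assumed DeveloperNames)
    private static final Set<String> HIDDEN_RECORD_TYPES =
        new Set<String>{ 'Grant', 'Report' };

    // Profile whose users are restricted (assumed profile name)
    private static final String RESTRICTED_PROFILE = 'Operations';

    // True when the page may render <apex:detail>; false when it shows a message instead
    public Boolean canView { get; private set; }

    public OpportunityViewExtension(ApexPages.StandardController stdController) {
        Id oppId = stdController.getId();

        // Read the record type through the RecordType relationship. Because the
        // running user owns the record (or its account), this query succeeds even
        // though the sharing rule would otherwise have hidden the record.
        Opportunity opp = [
            SELECT Id, RecordTypeId, RecordType.DeveloperName
            FROM Opportunity
            WHERE Id = :oppId
            LIMIT 1
        ];

        // Resolve the running user's profile name
        Profile runningProfile = [
            SELECT Name
            FROM Profile
            WHERE Id = :UserInfo.getProfileId()
            LIMIT 1
        ];

        // Guard against opportunities with no record type before dereferencing
        Boolean hiddenType = opp.RecordTypeId != null
            && HIDDEN_RECORD_TYPES.contains(opp.RecordType.DeveloperName);
        Boolean restrictedUser = runningProfile.Name == RESTRICTED_PROFILE;

        // Hide the detail only for the restricted profile on the hidden record types
        canView = !(hiddenType && restrictedUser);
    }
}
```

The page that uses it is `<apex:page standardController="Opportunity" extensions="OpportunityViewExtension">` containing `<apex:pageMessage severity="warning" strength="2" summary="You do not have access to this Opportunity." rendered="{!NOT(canView)}"/>` followed by `<apex:detail subject="{!Opportunity.Id}" relatedList="true" rendered="{!canView}"/>`, assigned as the View override under the Opportunity object's Buttons, Links, and Actions. Note that this override only changes the detail page: an owner can still reach the record through list views, reports, related lists and the API, so the role setting the answer describes is the actual access control and the page is presentation only.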