Can I grant different field-level security based on record ownership?


I have some fields on an object that contain private information. While the object itself should be visible to an entire group of users, I would like tighter control over those specific fields: I would like them to be visible only to the record owner. Let's say, for argument's sake, that they are SSN numbers stored on a contact record.

Org-wide sharing is private, but these Contacts are shared out to the users in question. All of the Contacts are the same Record Type, and all of the users are (ideally) in the same Profile.

Is there a way to do this?

UPDATE: Here's a more detailed example. (We're actually going to be working with the Customer Portal, but using CP-EA licenses which behave like normal SF users in these respects.)

All of the CP users/contacts within a given organization will have Read access to users/contacts in that organization. However, for privacy reasons, we want to block them from seeing certain contact information (address, phone, email) on the other contacts. At the same time, they should be able to see (and update) their own info.


Attribution to: Benj

Possible Suggestion/Solution #1

Sharing only goes to the record level, so there isn't a way to hide fields based on ownership. You could do something with visualforce pages to hide the data, but the data could still be accessible through reports or the API. Another approach would be to split out the sensitive data into its own object and make the sharing rules tighter for the sensitive data object. This may or may not work in your case since you want to hide email, address, etc on the contact and those are standard fields.


Attribution to: Daniel Hoechst

Possible Suggestion/Solution #2

This would help...

1) Remove the access permission of the field from that profile, so nobody can see that field.

2) Create a Permission Set and allow the Visible/Edit permissions to that field.

3) Attach the desired users to this permission set.


Attribution to: Ashok

Possible Suggestion/Solution #3

Does the Owner need to be able to edit the SSN field? If not, you can do this with a formula.
Make the SSN visible only to admins. Create a formula that will show the SSN to the record Owner: IF( $User.Id = OwnerId , SSN__c, NULL )

This will not remove any data from the SSN field because it is not modifying it. It will just be used to show or hide the value of the SSN depending on whether the User viewing the formula ($User.Id) is the Owner or not.

If the Owner does need to be able to edit the fields, there is not really a good way to do this without custom code. If you want a pretty ugly, config-only solution, you could try this.

Create 3 fields for each field that you need that meets your requirement.

SSN_Real (Text): This will contain the actual value and will be visible only to admins.

SSN View (Formula): This will be the formula I described earlier.

SSN Entry (Text): This will be the field where the User will enter data.

SSN View and SSN Entry will both need to be shown on the page. If the Owner wants to modify the SSN, they will enter it into the SSN Entry field. When this happens, a workflow rule will run that has two field updates:

1) SSN_Real <- will be updated with the value in SSN Entry

2) SSN_Entry <- needs to be blanked out.

You will need to filter your workflow rules so that only the owner will be able to update the fields. Do this by adding a formula: RunningUserIsOwner = IF( $User.Id = OwnerId , 1, 0 ). Filter your workflow rule to only run when RunningUserIsOwner = 1. You should create another workflow rule to clear SSN_Entry when RunningUserIsOwner = 0 and SSN_Entry is NOT NULL.

This solution has lots of issues with it, but it is the best I can think of for a config-only solution.


Attribution to: Eric Nelson
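The hand-off described in Suggestion #3 (owner types into SSN Entry, the real value lands in an admin-only field, the staging field is blanked) can also be done with a small trigger instead of two workflow rules. The following is an added example, not code from the original answers; it assumes custom Text fields named SSN_Real__c and SSN_Entry__c exist on Contact, with SSN_View__c being the formula field IF( $User.Id = OwnerId , SSN_Real__c, NULL ) from the answer. The point it makes that the workflow description does not: triggers run in system context, so field-level security on SSN_Real__c does not stop the write, and the ownership check has to be explicit in code.

```apex
// Added example (not from the original answers): before-save trigger on Contact
// that commits a staged SSN only when the running user owns the record.
// Assumed custom fields: SSN_Real__c (Text, admin-only FLS) and
// SSN_Entry__c (Text, editable by the group).
trigger ContactOwnerOnlySSN on Contact (before insert, before update) {
    // Triggers execute in system context: the assignment to the admin-only
    // SSN_Real__c succeeds no matter what the running user's FLS says, so the
    // owner comparison below is the only thing gating the write.
    Id runningUser = UserInfo.getUserId();

    for (Contact c : Trigger.new) {
        if (String.isBlank(c.SSN_Entry__c)) {
            continue; // nothing staged on this record, nothing to do
        }

        if (c.OwnerId == runningUser) {
            // Owner staged a new value: move it into the protected field.
            c.SSN_Real__c = c.SSN_Entry__c;
        }
        // Non-owner staged a value: it is silently discarded (mirrors the
        // second workflow rule in the answer, RunningUserIsOwner = 0).

        // In both branches clear the staging field so a plaintext SSN never
        // persists in a field the whole group can read or report on.
        c.SSN_Entry__c = null;
    }
}
```

Because the staged value is cleared in the same before-save pass, it is never committed to the database, so reports and API queries on SSN_Entry__c only ever see a blank field; SSN_Real__c remains protected by profile or permission-set FLS, and SSN_View__c is evaluated per viewing user, which is what gives the owner-only visibility.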
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/777
