Restriction rules vs scoping rules vs sharing rules
Sharing rules open access, restriction rules reduce it, scoping rules just set the default view. How the three differ and when to use each.
Most of the Salesforce sharing model only knows how to open access. Restriction rules and scoping rules are the newer tools that change that — but they do very different things, and they’re easy to mix up. Here’s how all three relate.
The one-line map
- Sharing rules — open access. Grant records to users who wouldn’t otherwise see them.
- Restriction rules — reduce access. Filter out records a user would otherwise be allowed to see.
- Scoping rules — focus the view. Change which records show by default, without changing access.
Two of these affect security; one doesn’t. That’s the distinction to keep straight.
Sharing rules: open access up
Sharing rules sit on top of the org-wide default and grant additional access by ownership or criteria. They can only widen access — never narrow it. If you need a refresher on how they compare to the hierarchy, see sharing rules vs role hierarchy.
This is the additive, most-permissive-wins behaviour at the heart of the record access model.
Restriction rules: reduce access down
Restriction rules are the exception to “Salesforce sharing only opens access.” A restriction rule defines which records a user is allowed to see, and is applied on top of everything the sharing model granted — effectively filtering the result.
If the org-wide default, role hierarchy and sharing rules together would show a user 10,000 records, a restriction rule can narrow that to the subset that matches its criteria.
Example. Support agents have broad access to Cases through a sharing rule, but contractors among them should only see non-confidential cases. A restriction rule on Case — Confidential = false for the contractor permission set — removes the confidential ones from what they can see, even though sharing technically granted them.
This is the tool to reach for when the answer to “how do I take access away” is the question.
Scoping rules: focus, not security
Scoping rules control which records appear by default in list views, searches and reports — based on conditions like owner, role or region. Crucially:
Scoping rules don’t limit access. A user can switch scope to “all records I can access” and see everything sharing grants them.
They’re a productivity feature: show a busy rep their own region first, without forcing it. If a user must be prevented from seeing records, scoping rules are the wrong tool — use restriction rules.
Side-by-side
| Sharing rules | Restriction rules | Scoping rules | |
|---|---|---|---|
| Effect on access | Opens up | Reduces | None |
| Security control? | Yes | Yes | No (focus only) |
| Can user override? | No | No | Yes (switch scope) |
| Direction | Add access | Remove access | Filter default view |
| Typical limit | Many | ~2 active/object | ~2 active/object |
Putting them together
A realistic object might use all three: a Private OWD, sharing rules to give teams the access they need, a restriction rule to carve out a sensitive subset from contractors, and a scoping rule so each user lands on their own region by default. Each does one job; together they shape both what users can see and what they see first.
The catch: effective access is the sum
Layering open-it, reduce-it and focus-it tools makes “what can this user actually see?” genuinely hard to answer by inspection — sharing grants minus restriction filters, ignoring scoping. That’s exactly the calculation AgentForceAccess runs for you: ask what a user can really access and it accounts for the sharing that grants it and the restriction rules that pare it back, in plain English.
Frequently asked questions
What is the difference in one line?
Sharing rules grant access a user did not have, restriction rules take away access a user did have, and scoping rules just pre-filter the list views and searches without affecting access at all.
Can a restriction rule override a sharing rule or the role hierarchy?
Yes. Restriction rules apply on top of the sharing model and filter the records a user can see, even ones the org-wide default, role hierarchy or sharing rules would otherwise expose. They are how you genuinely reduce access in Salesforce.
Do scoping rules hide records for security?
No. Scoping rules only change the default set of records shown in list views, searches and reports. A user can switch the scope to "all records I can access", so they are about focus and productivity, not security. Use restriction rules when access must actually be limited.
Are there limits on these rules?
Yes. Restriction rules and scoping rules are each typically capped at up to 2 active rules per object, and are available for custom objects plus a selection of standard objects such as Account, Case, Contact, Event, Lead, Opportunity and Task. Check the current limits for your edition.
See it on your own org
AgentForceAccess explains, in plain English, why any user can see any record or file — across every Salesforce sharing mechanism.
Request early access