Configuring User Role Constraints

This feature supports large or global implementations of Dynamic Access Control, specifically where an organization wants to delegate maintenance of User Role Setup records to local users. In organizations without this setup, we recommend using Dynamic Access Control and Matching Sharing Rules without User Role Constraints. 

User role constraints are a way to prevent accidentally assigning a user an incorrect role on a document or object. The User Role Constraint object restricts role assignments by defining a list of roles allowed for a user. Users are allowed, but not automatically assigned, these roles. 

How to Enable User Role Constraints

The Enable user role constraints setting in Admin > Settings > Security Settings turns this feature on.

Once enabled, no users will be able to create User Role Setup records for an application role until User Role Constraint records exist for that application role.

How to Configure User Role Constraints

  1. Navigate to Admin > Business Admin > User Role Constraints.
  2. Click Create.
  3. Select a User and a Role that the user is allowed.
  4. Click Save.
  5. You will need to create additional records for each allowable user and role combination. 

Impact on the User Role Setup Object

After creating a User Role Constraint record, you can only save User Role Setup records that have user/role combinations included in User Role Constraint records. If a role or user is invalid, you will receive an “Error saving ‘User Role Setup’” error. This error means that this user/role combination is not allowed by the User Role Constraint(s) related to that user. 

Deleting a User Role Constraint

If a User Role Constraint record is deleted, any User Role Setup record with the same user and role combination is set to Inactive.
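
The rules described above (allow-list check on save, no saves for a role with no constraint records, and deactivation on delete) can be modeled offline to review a planned batch of User Role Setup records before delegating their maintenance. This is an added example, not product code: it calls no Vault API, and the CSV column names, sample users and roles, and function names are assumptions.

```python
import csv
import io

# Constructed sample data; the column names "user", "role", "status" are assumptions.
CONSTRAINTS_CSV = """user,role
alice,Reviewer
alice,Approver
bob,Reviewer
"""
SETUPS_CSV = """user,role,status
alice,Reviewer,Active
bob,Approver,Active
carol,Editor,Active
bob,Reviewer,Active
"""

def load_rows(text):
    """Parse CSV text into a list of dicts, one per record."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]

def check_setups(constraints, setups):
    """Classify each User Role Setup row against the constraint allow-list."""
    allowed = {(c["user"], c["role"]) for c in constraints}
    constrained_roles = {c["role"] for c in constraints}
    results = []
    for s in setups:
        if (s["user"], s["role"]) in allowed:
            verdict = "allowed"
        elif s["role"] not in constrained_roles:
            # No constraint records exist for this role, so nobody can hold it yet.
            verdict = "blocked: role has no constraint records"
        else:
            verdict = "blocked: combination not in constraints"
        results.append((s["user"], s["role"], verdict))
    return results

def delete_constraint(constraints, setups, user, role):
    """Model deleting a constraint: matching setup records become Inactive."""
    remaining = [c for c in constraints if (c["user"], c["role"]) != (user, role)]
    updated = [dict(s, status="Inactive") if (s["user"], s["role"]) == (user, role)
               else dict(s) for s in setups]
    return remaining, updated

if __name__ == "__main__":
    cons, sets = load_rows(CONSTRAINTS_CSV), load_rows(SETUPS_CSV)
    for user, role, verdict in check_setups(cons, sets):
        print(f"{user:6} {role:9} {verdict}")
    _, after = delete_constraint(cons, sets, "bob", "Reviewer")
    print([(s["user"], s["role"], s["status"]) for s in after])
```

Rows reported as blocked correspond to the saves that would fail with the “Error saving ‘User Role Setup’” error.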