Reputation: 1216
I have a custom field in the Salesforce User object. I am trying to work out permissions. I only want the User's manager and System Admins to be able to see this field.
Looking at the field-level security options, I see: Contract Manager. I worry that if I check this, ALL contract managers will be able to see this field. Is that the case?
Is there an easy way to accomplish this security policy and test it in a sandbox where I am not allowed to have many users?
Upvotes: 0
Views: 3991
Reputation: 665
Making the field visible to contract manager will make it visible to all contract managers. However, there is a fairly simple formula that will allow you to enforce this securely.
1) Make the secret field not visible to contract managers.
2) Create a hierarchical relationship to the contract manager on User.
3) Create a formula that checks if the running user is the contract manager of the user you are looking at.
IF($user.id == user.contract_manager__c,secret_field__c,'only this users contract manager can see this.')
Upvotes: 0
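One way to test the formula approach from the answer above in a sandbox with few user licenses, as an added example that is not part of the original thread: an Apex test creates throwaway users and queries the formula as each of them with System.runAs, which ignores user license limits. The field names Contract_Manager__c and Secret_Field__c (assumed to be a Text field) follow the answer's formula, and Secret_Field_Display__c is a hypothetical name for the formula field itself.

```apex
@isTest
private class SecretFieldVisibilityTest {
    // Builds an unsaved test user; every value here is constructed test data.
    private static User newUser(String alias, Id profileId) {
        return new User(
            Alias = alias, LastName = alias,
            Email = alias + '@example.com',
            Username = alias + System.currentTimeMillis() + '@example.com',
            ProfileId = profileId,
            TimeZoneSidKey = 'America/Los_Angeles', LocaleSidKey = 'en_US',
            EmailEncodingKey = 'UTF-8', LanguageLocaleKey = 'en_US');
    }

    // Reads the formula field (hypothetical name) for one user record.
    private static String display(Id userId) {
        return [SELECT Secret_Field_Display__c FROM User
                WHERE Id = :userId].Secret_Field_Display__c;
    }

    @isTest
    static void onlyTheUsersManagerSeesTheValue() {
        Id profileId = [SELECT Id FROM Profile
                        WHERE Name = 'Contract Manager' LIMIT 1].Id;
        User manager = newUser('mgr', profileId);
        User otherManager = newUser('oth', profileId);
        insert new List<User>{ manager, otherManager };

        User employee = newUser('emp', profileId);
        employee.Contract_Manager__c = manager.Id;        // hierarchical lookup (assumed name)
        employee.Secret_Field__c = 'constructed-secret';  // assumed Text field
        insert employee;

        // The formula compares $User.Id with the record's contract manager.
        System.runAs(manager) {
            System.assertEquals('constructed-secret', display(employee.Id));
        }
        System.runAs(otherManager) {
            // Same profile, but not this user's manager: placeholder text only.
            System.assertNotEquals('constructed-secret', display(employee.Id));
            // System.runAs does not enforce field-level security, so step 1
            // is checked through the describe result for the raw field.
            System.assert(
                !Schema.sObjectType.User.fields.Secret_Field__c.isAccessible());
        }
    }
}
```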
Reputation: 2229
You are correct: if you allow the Contract Manager profile to view that field via Field-Level Security, then ALL users assigned to that profile will be able to see the field, regardless of whether or not the user actually rolls up to them.
You should be able to show/hide this field based on some more advanced logic by embedding a small VF page into the User page layout. This will still require you to make the field visible via Field-Level Security, however, and will not allow you to hide it from other managers if they have access to the API (it would only be hidden from them on the page).
Upvotes: 1