Custom Permission for Validation Rule

Custom Permissions: –

Use custom permissions to give users access to custom processes or apps. Custom permissions let you define access checks that can be assigned to users via permission sets or profiles, similar to how you assign user permissions and other access settings.
You can query custom permissions in these ways:
  • To determine which users have access to a specific custom permission, use Salesforce Object Query Language (SOQL) with the SetupEntityAccess and CustomPermission sObjects.
  • To determine what custom permissions users have when they authenticate in a connected app, reference the user’s Identity URL, which Salesforce provides along with the access token for the connected app.


Scenario and Different ways to achieve it: – No user should be able to edit an Opportunity once it has reached the Closed Won stage; only a certain set of users can edit it.

Problem: – We have been instructed that we cannot alter profiles or permission sets, and we cannot write code either.

Solution: – We will look at three solutions that work for this requirement, along with their pros and cons, so that we can choose the right one for our problem.

Solution #1 :- Write a validation rule on the Opportunity object and hard-code the user Ids in the validation rule. For example:

         AND(
             $Profile.Name <> 'System Administrator',
             $User.Id <> '15DigitUserIdHere',
             $User.Id <> 'AnotherUserIdHere',
             /* and so on, one line per user who is allowed to edit */
             TEXT(PRIORVALUE(StageName)) = 'Closed Won'
         )
The above validation rule works, but it has some cons as well.

** $User.Id returns the 15-character Id, not the 18-character one, so the hard-coded values must be 15 characters.

Cons: Difficult to maintain; the admin needs to update each affected validation rule (if there are many) whenever a user joins, leaves or changes.

Solution #2: – Custom Setting: – We can use a hierarchy custom setting in the validation rule. Create a custom setting and store the user Ids in it.

Setup -> Develop -> Custom Settings -> New ->

Click Manage and then New to create a new record for the custom setting.

Use a validation rule like the one below:

         AND(
             $Profile.Name <> 'System Administrator',
             NOT(CONTAINS($Setup.SpecialPermission__c.User_Ids__c, $User.Id)),
             TEXT(PRIORVALUE(StageName)) = 'Closed Won'
         )

** User Ids of 15 or 18 characters both work here, because CONTAINS() matches the 15-character $User.Id as a prefix of an 18-character Id.

Pros: –

  • One place to manage all users
  • Can be used in multiple validation rules

Cons: –

  • Admin needs to update the values again and again whenever a user leaves or joins
  • Only 14 or 15 User Ids can be stored, because the maximum length of a text area field is 255 characters
  • Only User Ids can be used

Solution #3 – Custom Permissions: – We can use a custom permission to achieve our requirement.

Create new Custom Permission: –

1 – Setup -> Develop -> Custom Permissions -> New

2 – Next, create a new permission set and assign the above custom permission to it.

Setup -> Manage Users -> Permission Sets -> New

Save. Click the Custom Permissions link to add the custom permission to the permission set: click Edit, select the available custom permission and save.

Assign this permission set to the users who should be able to edit the Opportunity.

Then replace the above validation rule with the formula below:

         AND(
             $Profile.Name <> 'System Administrator',
             NOT($Permission.Special_User_Edit),
             TEXT(PRIORVALUE(StageName)) = 'Closed Won'
         )

Pros: –

  • We can control and manage the users with the permission set
  • Any number of users can be given access by assigning the permission set to the appropriate users
  • We do not need to change the validation rule again and again

Cons: –

  • No cons found yet.
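One thing the post does not show is how to verify the allow-list behind Solution #3. As an added example (not from the original post), the anonymous Apex below uses the SetupEntityAccess and CustomPermission query mentioned at the top to list every active user who actually holds Special_User_Edit, whether it came from a permission set or a profile; the permission API name is taken from the formula above, and FeatureManagement.checkPermission is the standard Apex call for the running user.

```apex
// Added example: audit who can edit Closed Won opportunities under Solution #3.
// Run as anonymous Apex; it only reads metadata and assignment records.
String permName = 'Special_User_Edit';   // API name used in $Permission.Special_User_Edit

// 1. The custom permission record itself.
CustomPermission cp = [
    SELECT Id, DeveloperName
    FROM CustomPermission
    WHERE DeveloperName = :permName
    LIMIT 1
];

// 2. Every permission set that grants it. Profiles are backed by hidden
//    permission sets, so profile-granted access is caught here as well.
Set<Id> grantingPermSets = new Set<Id>();
for (SetupEntityAccess sea : [
        SELECT ParentId
        FROM SetupEntityAccess
        WHERE SetupEntityType = 'CustomPermission'
          AND SetupEntityId = :cp.Id]) {
    grantingPermSets.add(sea.ParentId);
}

// 3. The active users assigned to any of those permission sets. This is the
//    real list of people the validation rule lets edit a Closed Won opportunity.
Map<Id, User> allowedUsers = new Map<Id, User>();
for (PermissionSetAssignment psa : [
        SELECT AssigneeId, Assignee.Username,
               PermissionSet.Name, PermissionSet.IsOwnedByProfile
        FROM PermissionSetAssignment
        WHERE PermissionSetId IN :grantingPermSets
          AND Assignee.IsActive = true]) {
    allowedUsers.put(psa.AssigneeId, psa.Assignee);
    System.debug(psa.Assignee.Username + ' via ' + psa.PermissionSet.Name
        + (psa.PermissionSet.IsOwnedByProfile ? ' (profile)' : ' (permission set)'));
}
System.debug(allowedUsers.size() + ' active users can edit Closed Won opportunities');

// 4. The same check from the running user's point of view: this is the value
//    $Permission.Special_User_Edit evaluates to in the formula for that user.
System.debug('Running user has ' + permName + ': '
    + FeatureManagement.checkPermission(permName));
```

If the list is longer than expected, the extra grants usually come from a profile rather than the permission set created in step 2, which the "(profile)" marker makes visible.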

Resources : –

Salesforce Document

Salesforce Article

