• With Field Restrictions (or Field-Level Security), you can use Security Roles to hide specific data values on a record. This means that a User with a Security Role that prohibits them from seeing a specific field on the Contacts page may not even know that field exists.
• Field Restrictions are subtractive, not additive. In other words, anyone in a Security Role with Field Restriction does not have permission to that field, regardless of their other Roles. This is different than Page permissions, which are additive.
• You can expose a field that is otherwise secured if you make it part of a Page View or a Report. The current design for field-level restrictions is based on the table and not the Page, so keep in mind the following:
  • Make sure the fields you restrict are NOT on the default field list of the Page as these will populate in grid layout.
  • Make sure fields you restrict are restricted in a Security Role for users who shouldn't see them ever.
  • Ensure you don't apply the restrictive roles to people who might need them even on another Page (especially filtered Pages).
  • Remember that field-level restrictions are based on the table, not a Page, so be careful with filtered pages.
• Some fields are labeled in the Field Restrictions window as "Required". You can't set these fields to Read-only or Not Visible. For these fields, consider setting the Permissions to the more restrictive setting and edit the data in a different way (the Add/Edit Family Tool, for example, to edit Contact record information). Alternatively, consider creating a Process or an Item Notification to trigger when there are changes to the field you want to restrict.
• Be aware that some fields are set to Read-only on a database level and you can't control them through field-level restrictions. These fields start with an underscore (_) in their field name.
• To determine which Security Roles have Field Level Restrictions, use a View on the Security Roles page.

Best Practices

Restriction Only Roles: The best way to use Field Restrictions is to create a Security Role for each set of Field Restrictions and put anyone who should have those restrictions in the role. This overrides their other permissions. Do not grant Page permissions in these roles.

Adopt a Naming Convention: By placing "Restrictions" or some other keyword in your Security Roles used for these restrictions, you can manage them more easily.