Salesforce Validation Bypass with Custom Permissions

It’s been a little while, ok 9 months, since my last post and I wanted to share something that I take for granted but many admins and developers may not know… Bypassing Salesforce validation using a custom permission. In this context, validation refers to Object and field validation implemented through validation rules, Flows (so glad this is now available), and Apex Triggers. The primary reason one has validation is to ensure that there’s good data in the database. Validation stops bad data from being saved.

Shouldn’t validation always be used? Typically, yes, BUT there are cases where you want to bypass it such as during a data migration where sometimes it’s more important to get the data into the system and then correct it. Another typical exception is when there’s an integration and some or all of the validation doesn’t apply. Another scenario is when certain users, such as an Admin, should still be able to perform edits.

Validation Rule Bypass With Specific Users

One way to define a bypass when using a Validation rule is to exclude certain users. For example, all users with a specific profile. Let’s look at a quick Account validation rule that requires the Industry to be required except for Administrators:

ISBLANK(Text(Industry)) &&
$Profile.Name != 'System Administrator'

The first line checks to see if the Industry field is blank AND then it checks to see if the current user does not have the System Administrator profile. If both of those conditions are true, then the user receives an error message stating that the Industry is required. If another profile needs to be excluded, then one can simply add another condition to the validation rule, right? Yes BUT that’s not very scalable. Imagine having 50 validation rules that you’d like to bypass. That requires updating each of those validation rules across all your orgs.

Side Note: Don’t Use Profile Ids

Whenever possible, don’t use profile ids. They can differ across environments and they require them to be stored somewhere and then referenced in the validation rule. For example, storing them in a custom label. Referring to them by Name is better and simpler. However, the best way is to use a custom permission.

Validation Rule Bypass With Custom Permission

What is a custom permission? This is a user-defined permission that can then be referenced in some customization as needed to see if a user has that permission. For example, it can be used to grant users access to a custom feature that was built. Another example is allowing one to bypass validation. A custom permission can be assigned via profiles or permission sets.

Custom Permission Setup

First, let’s create a custom permission named “Account Validation Bypass” in setup:

  1. Search for custom permission in the Setup’s quick find and then click “Custom Permissions”.
  2. Click the New button.
  3. For the Label, enter “Account Validation Bypass”. The Name should automatically fill with “Account_Validation_Bypass” when the Label loses focus such as when one tabs away from it.
  4. Save.

Industry Validation Rule With Custom Permission

Now that the custom permission is defined, let’s update the validation rule’s formula so that it uses the custom permission instead:

ISBLANK(Text(Industry)) &&
!$Permission.Account_Validation_Bypass

To reference the custom permission in a validation rule, one starts with $Permission followed by a period followed by the “Name” of the custom permission. In this case, it’s referenced by “$Permission.Account_Validation_Bypass”. Since we want the validation to apply when someone doesn’t have that custom permission, the NOT operator, the exclamation point !, is applied before it on line 2. Line 2 checks if the current user does not have the Account_Validation_Bypass custom permission assigned.

Assigning Custom Permissions

One can assign a custom permission to either a profile or permission set so users with that profile or permission set have that custom permission. One assigns the custom permission under the “Custom Permissions” area in either a profile or permission set. It’s straightforward so I’ll skip the steps.

Benefits

Here are the benefits of using a custom permission for bypassing validation:

  • Simplifies the Validation Rule bypass – Instead of potentially have multiple profiles needing to be defined in each validation rule, one simply checks for the validation bypass custom permission in each validation rule instead.
  • Bypass User Management Much Easier – One uses regular permission sets and profiles to assign the custom permission to the users that need to have the validation bypass assigned. When a new user needs the validation bypass, then it can easily assigned.
  • Granularity – One can define the validation bypass at multiple levels. One could have a global bypass custom permission that is used in every Object’s validation, one custom permission for bypassing each Object’s validation, or even a specific custom permission for a particular validation. One can mix and match them too.

Custom Permission Bypass Guidance & Notes

  • Start with a custom permission per Object for a bypass. Don’t use a global bypass since that is too broad in my opinion.
  • Use permission sets to assign the custom permission(s). Salesforce intends to get rid of profiles eventually so permission sets are where these should be assigned.
  • 1000 custom permission limit. Keep in mind that Developer, Performance, Enterprise, and Unlimited edition orgs are limited to 1,000 custom permissions. I’ve never come close to that in my career but there is a limit and it can’t be increased by contacting support BUT one can pay for more. Source
  • One can use custom permissions in Apex code and in Flows also so a custom permission can be used across all the validation options.

How do you manage your validation rule bypasses?

Leave a Reply

Your email address will not be published. Required fields are marked *