How do I edit the data access permissions for a custom role and an object?

You can update existing and future-dated policies for a custom role and object, and grant access to new subsets of data for the role, using the Active Policies edit page of the Sales and Service Access Management work area.

For example, you can:

Add or remove all access to individual policies
Configure read, update, and delete permissions for a specific policy
End-date policies to inactivate them
Configure advanced permissions for policies

Follow these steps to edit the permissions to object data for a custom role.

Sign in to the application as a user who has either the IT Security Manager or Customer Relationship Management Application Administrator job role.
Select Navigator > Tools > Sales and Service Access Management.
On the Sales and Service Access Management page, click the Manage Data Policies tab.
Search for or select a role in the Role field.

You can't edit policies on predefined roles, so search for and select a custom role. For example, if you copied the predefined Salesperson role to create a custom version of the role, you could select it.
Select an object in the Object field, for example, select the Sales Lead object.

Note: Select the Trading Community Party object to view access policies for both accounts and contacts.
Click Find Policies.
Click the Edit icon and the Active Policies edit page for the selected role and object is displayed.

The Access Policies table shows all available policies for the selected role and object by default but you can use the Show Conditions filter to display only policies that are granted or only policies that aren't granted.
Configure the access provided to the selected object for the selected custom role by selecting or deselecting the Read, Update, or Delete checkboxes for a policy.

For example, if you're editing policies for a custom Salesperson role and the Sales Lead object, you can perform data configuration tasks such as:
- Restrict the ability to delete leads to lead owners by finding any policies that provide lead access to team members and deselecting the Delete checkbox for these policies.
- Allow sales representatives to view retired leads by finding the policy that grants this access, then clicking the Read checkbox.
You can remove all access granted by a policy. For example, if your company doesn't use territory access, you can remove territory access to lead data using one of the following methods:
- Review the Condition column to find the policies that grant territory access, then deselect the Read, Update and Delete checkboxes for each of these policies.
- End-date the policies so that they're no longer active by selecting a date that has passed in the End Date field, for example, select yesterday's date.
Note: To reactivate a policy that's deactivated, reassign the appropriate read, update, and delete permissions to the relevant criteria and specify a start date for the policy.
If a policy has an advanced permission associated with it, then you can edit the advanced permission to specify more granular levels of access to the object.

For example, a policy might provide full access to lead data for a resource in the territory assigned to the sales lead. You can restrict this access by selecting the policy, then scrolling to the Advanced Permissions table for the policy. You can remove update access to the lead data but retain read access by deselecting the Update checkboxes.

Note: You can update the advanced permissions for a policy only if the related permission in the parent row in the Access Policies table is checked. For example, if the read permission in the parent row of a policy isn't selected, none of the read permission options in the Advanced Permissions table can be edited.
Click Save and Close.

Your changes are saved and the Manage Data Policies page is displayed where you can review your changes. If you've end-dated a policy, note that the number in parentheses beside the Inactive policies checkbox is incremented.