To dynamically limit data access to specific users, roles, and groups, you can create data access rules. Data access rules add another layer of access control beyond what is provided by permissions and shares. DARs function as filtering conditions that apply to one or more fields in records of specific objects, and show only the records that meet the conditions to the relevant users. For example, you can hide details about existing accounts from sales prospects who are granted access to a demo instance. Data access rules are inherited from parent roles, but are not inherited from parent groups.

To further control data access, you can configure specific object types as read-only. After you configure an object type as read-only, users cannot create, update, or delete records of that object type from the Service Board UI. You can still use the API to create, update, and delete records for an object type configured as read-only in the UI.