Security groups provide a powerful, secure, and flexible mechanism that you can use to define access control schemas. You can use this functionality to group users into logical sets, grant access to appropriate records, and prevent access to restricted data.

To configure this functionality, you first enable security group functionality for an object (the "security group object"), and then create object-specific Security Group Rule records. When enabled, Group records are automatically generated for records of the configured object for access-control purposes, and data access rules are automatically generated to filter records of related objects.

Security group rules automatically synchronize changes to their related records. For example, if the left-hand side of a filtering expression in a rule changes, the related data access rule changes for every associated record created before or after the security group rule was configured. Similarly, if the target object for the rule changes, all associated records are updated accordingly. When you delete a Security Group Rule record, all associated automatically generated data access rules are also deleted.