I'm trying to prevent standard users from accessing employee records/being able to search for information within them. Right now we're doing this through form restrictions, but if someone is clever enough, they can get sensitive information. Is there a best practice for this? Right now we need Lists > Employees & Lists > Employee Search in order for some client scripts to run (on customer record, look at at sales rep, retrieve Class from sales rep...stuff like that). Ideally, I'd like to eliminate those two permissions, but still let the script run as is. It doesn't look like client scripts have an "Execute As Role" option.