
Sunday, September 19, 2021

Salesforce: Sharing Detail

More than 5 years ago, we wrote about the Sharing Button URL, which lets you check Sharing Detail and access. It is useful for troubleshooting why a user is able to view or edit a record.

The Sharing Detail page shows every User, Public Group, Role, and Role and Internal Subordinates entry with access to the record, along with the access level. In this blog I am using Opportunity as a sample; Opportunity visibility in my org is Private.

https://johantest.my.salesforce.com/p/share/OppSharingDetail?parentId=0062H0000123456QAN


We can get the same result from SOQL:

SELECT Id, OpportunityAccessLevel, RowCause, UserOrGroupId
FROM OpportunityShare
WHERE OpportunityId = '0062H0000123456QAN'
ORDER BY UserOrGroupId


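Let us compare with the Sharing Detail page (each line gives the Sharing Detail row, the matching SOQL row, the Reason shown on the page, and the equivalent RowCause in SOQL):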
  1. Sharing Detail #1 = SOQL row #7, reason = Account Sharing which = Implicit Child [in Account Sharing Rules, to Role]
  2. Sharing Detail #2 = SOQL row #6, reason = Opportunity Sharing Rule which = Rule [in Opportunity Sharing Rules, to Role and Internal Subordinates]
  3. Sharing Detail #3 = SOQL row #5, reason = Account Sharing which = Implicit Child [in Account Sharing Rules, to Role and Internal Subordinates]
  4. Sharing Detail #4 = SOQL row #4, reason = Opportunity Sharing Rule which = Rule [in Opportunity Sharing Rules, to Public Group] 
  5. Sharing Detail #5 = SOQL row #1, reason = Account Sharing which = Implicit Child [User is Account Owner] 
  6. Sharing Detail #6 = SOQL row #2, reason = Owner which = Owner [User is Opportunity Owner]
  7. Sharing Detail #7 = SOQL row #3, reason = Opportunity Team with Split which = Team [User in Opportunity Split]
  8. Sharing Detail #8 = SOQL row #8, reason = Account Sharing which = Implicit Child [in Account Sharing Rules, to Public Group]

Access level comparison:
  • In Sharing Detail, Full Access = All in SOQL
  • In Sharing Detail, Read/Write = Edit in SOQL
  • In Sharing Detail, Read Only = Read in SOQL

Copied from the Sharing Detail page:

  • Full Access - User can view, edit, delete, and transfer the record. User can also extend sharing access to other users.
  • Read/Write - User can view and edit the record, and add associated records, notes, and attachments to it.
  • Read Only - User can view the record, and add associated records to it. They cannot edit the record or add notes or attachments.
  • Private - User cannot access the record in any way.

Summary:
  • The Sharing Detail page only shows User, Public Group, Role, and Role and Internal Subordinates entries. It does not show users higher in the role hierarchy than another user, users higher in the role hierarchy than a listed role, or users higher in the role hierarchy than a user in a Public Group. Click the Expand List button to see each user, their access level, and the reason why.
  • A query on OpportunityShare shows the same thing as the Sharing Detail page, so you can't depend on OpportunityShare alone to determine all users that have access to a record.
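
The gap described in the summary, as an added example (not from the original post): a simplified Python model, on constructed data, of why OpportunityShare rows alone miss users who inherit access through the role hierarchy. The role names, users, group, the `kind` column and the rule that a higher role inherits its subordinates' access level are assumptions of this sketch.

```python
RANK = {"Read": 1, "Edit": 2, "All": 3}  # OpportunityAccessLevel values from the page
# Constructed sample org (all names made up): role -> parent, user -> role, group -> members.
ROLE_PARENT = {"CEO": None, "VP Sales": "CEO", "Sales Mgr": "VP Sales",
               "Sales Rep": "Sales Mgr", "Support": "CEO"}
USER_ROLE = {"ceo": "CEO", "vp": "VP Sales", "mgr": "Sales Mgr",
             "rep1": "Sales Rep", "rep2": "Sales Rep", "sup": "Support"}
GROUP_MEMBERS = {"DealDesk": ["sup"]}
# Constructed OpportunityShare-like rows: (grantee kind, grantee, access level, RowCause).
# Assumption: the real table has a single UserOrGroupId column; "kind" is spelled out here.
SHARES = [("user", "rep1", "All", "Owner"),
          ("role", "Sales Rep", "Read", "Rule"),
          ("group", "DealDesk", "Edit", "Rule")]

def roles_above(role):
    """Roles strictly above `role`, nearest first."""
    out, role = [], ROLE_PARENT[role]
    while role is not None:
        out.append(role)
        role = ROLE_PARENT[role]
    return out

def users_in(roles):
    return {u for u, r in USER_ROLE.items() if r in roles}

def direct_grantees(kind, grantee):
    """Users a share row names directly or through role/group membership."""
    if kind == "user":
        return {grantee}
    if kind == "group":
        return set(GROUP_MEMBERS[grantee])
    if kind == "role":
        return users_in({grantee})
    if kind == "role_and_subordinates":
        return users_in({grantee} | {r for r in ROLE_PARENT if grantee in roles_above(r)})
    raise ValueError(f"unknown grantee kind: {kind}")

def effective_access(shares):
    """Map user -> highest level, adding users in roles above each grantee."""
    best = {}
    for kind, grantee, level, _cause in shares:
        direct = direct_grantees(kind, grantee)
        roles = {USER_ROLE[u] for u in direct} | ({grantee} if kind.startswith("role") else set())
        above = users_in({a for r in roles for a in roles_above(r)})
        for user in direct | above:
            if RANK[level] > RANK.get(best.get(user), 0):
                best[user] = level
    return best

def hierarchy_only(shares):
    """Users with access whom no share row names, directly or via role/group."""
    direct = set().union(*(direct_grantees(k, g) for k, g, _l, _c in shares))
    return sorted(set(effective_access(shares)) - direct)
```

With the sample rows, `hierarchy_only(SHARES)` returns the three users above the grantees in the role tree, none of whom appears in any share row.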

