Friday, November 4, 2016

Salesforce: Parent Implicit Sharing

In addition to the sharing settings defined by the system admin, there are a number of sharing behaviors that are built into the Salesforce platform. This sharing is called implicit sharing because it is not configured by administrators; it is defined and maintained by the system.

Implicit sharing is automatic. You can neither turn it off nor turn it on — it is native to the platform. In other words, this isn't configurable; however, it's very important to understand.

Parent implicit sharing provides read-only access to a parent record (Account only) when the user has access to its child records, such as Opportunities, Cases, or Contacts for that account, either as the record owner or through sharing rules. The user does not have to be the owner of the child record.

When the user has access to a record of another object (NOT opportunity, case, or contact) with a lookup relationship to the Account, the user will see only the Account Name and cannot access the Account detail. This includes the Account lookup to the Parent Account: the owner of the child account will see only the Parent Account Name.

The same behavior applies to lookup from other objects, including custom objects.

Looking at how this is stored on the back end, there is an object called AccountShare. It stores all sharing entries, both defined and implicit, and its RowCause field tells us why each sharing entry exists.

One of the RowCause values is ImplicitParent: the User or Group has access because they're the owner of, or have shared access to, records related to the account, such as opportunities, cases, contacts, contracts, or orders. So the user does not always have to be the owner of the child record; it is enough that the user has access to the child records via sharing rules.

Sample query:

SELECT Id, AccountId, UserOrGroupId, AccountAccessLevel, CaseAccessLevel, ContactAccessLevel, OpportunityAccessLevel, RowCause
FROM AccountShare
WHERE UserOrGroupId = '0053400000AAkhz'
AND AccountId = '0013400001RhrP3'

Note: if the user has access to the child record via object permission, parent implicit sharing does not apply.
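
For an access review, the AccountShare rows returned by a query like the one above can be exported and checked for principals whose only grant on an account is ImplicitParent. The following is an added example, not code from the original post; the CSV layout, the sample Ids and the function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for an AccountShare export (all Ids are made up).
SAMPLE_EXPORT = """AccountId,UserOrGroupId,AccountAccessLevel,RowCause
001000000000001AAA,005000000000001AAA,All,Owner
001000000000001AAA,005000000000002AAA,Read,ImplicitParent
001000000000001AAA,005000000000003AAA,Edit,Rule
001000000000001AAA,005000000000003AAA,Read,ImplicitParent
001000000000002AAA,005000000000002AAA,Read,ImplicitParent
001000000000002AAA,00G000000000001AAA,Read,Rule
"""


def load_shares(text):
    """Collect the set of RowCause values per (AccountId, UserOrGroupId)."""
    causes = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        causes[(row["AccountId"], row["UserOrGroupId"])].add(row["RowCause"])
    return causes


def implicit_only(causes):
    """Return the pairs whose only grant on the account is ImplicitParent,
    i.e. the account is visible solely because of child-record access."""
    return sorted(key for key, value in causes.items()
                  if value == {"ImplicitParent"})


def principal_type(sf_id):
    """Classify a UserOrGroupId by key prefix: 005 is User, 00G is Group."""
    return {"005": "User", "00G": "Group"}.get(sf_id[:3], "Other")


if __name__ == "__main__":
    for account_id, principal in implicit_only(load_shares(SAMPLE_EXPORT)):
        print(f"{account_id}: {principal_type(principal)} {principal} "
              "sees this account only through child-record access")
```

Principals reported here have read-only visibility of the account that no admin-defined rule grants, which is the entry to explain when account access looks wider than the configured sharing.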
