Friday, November 4, 2016

Salesforce: Parent Implicit Sharing

In addition to sharing setting defined by system admin, there are a number of sharing behaviors that are built into Salesforce platform. This sharing is called implicit sharing, because it is not configured by administrators; it is defined and maintained by the system.

Implicit sharing is automatic. You can neither turn it off, nor turn it on — it is native to the platform. In other words, this isn't a configurable, however, it's very important to understand.

Parent implicit sharing provide read-only access to parent records (Account only), when user has access to children record, such as: Opportunities, Cases, or Contacts for that account. This does not mean the user must be the record owned of the child record.

When user have access to a record from other objects (NOT opportunity, case, or contact) that have lookup to Account, user will see the Account Name only, but not to access Account detail - this include Account lookup to the Parent Account, child account owner will see Parent Account Name only.

The same behavior apply when lookup from other objects, including custom object.

If we are looking from the back-end on how this stored, there is an object called AccountShare, this object store all sharing defined and implicit sharing, it also have RowCause which tell us the reason that this sharing entry exists.

One of the value is ImplicitParent — the User or Group has access because they’re the owner of or have sharing access to records related to the account, such as opportunities, cases, contacts, contracts, or orders -- so, it is not always the records owner, but as long as the user have access to the child records.

sample query: SELECT Id, AccountId, UserOrGroupId, AccountAccessLevel, CaseAccessLevel, ContactAccessLevel, OpportunityAccessLevel, RowCause FROM AccountShare WHERE UserOrGroupId = '0053400000AAkhz' AND AccountId = '0013400001RhrP3'


No comments:

Post a Comment

Page-level ad