I was trying to determine through trial and error how a user had access to a particular salesforce account record. Our org-wide defaults are Private for Accounts and yet when logging in as this user I was able to see the account record. I removed each sharing rule, one-by-one, in my sandbox, and tried to see if this user still had access to the account record. To my surprise, after all sharing rules were removed, I was still able to see the account record as this user. When I opened up apex explorer and looked at the AccountShare for this account record, I saw only one rule and it was specific to the owner. While researching this issue, I came across a foot note in some documentation that indicated that the View All permission on the standard objects will override the org wide default and any sharing! If this is checked, it means that sharing is ignored. Once I unchecked this setting on the user's profile, the account was not visible to the user.
For future reference, here is add'l info on the topic from salesforce's online help:
It's not obvious because there is no AccountShare record created and I do not believe, although I could be wrong, displayed in any logging. Won't soon forget this one.
No comments:
Post a Comment