You need to sign in to do that
Don't have an account?
Edward Gee
Getting user permissions at the instance level via API
Is there a way, from an API standpoint, to determine whether a user has the ability to update/edit a particular instance of an object? As the documentation describes, you can enable security at the object level but also at the instance level using territory management and/or sharing rules. We tried using the MayEdit field but discovered later that this is not a standard field found on all Salesforce orgs (some of our older customers do not have this field exposed at all). I tried reverse engineering the process by querying the respective "Share" table, if it existed, and the Group, UserTerritory tables. Unfortunately there are some pieces of information I could not retrieve that would aid in my search. For instance, I couldn't find a way, via API, to determine what sharing model (Private, Public Read/Write, Public Read Only) a customer applied to an object. Is this information queryable/retrievable somewhere? DescribeSObject only gives object level permissions. Anyways, if anyone has some insight on this topic, I would like to hear from you.
- Ed
- Ed
- Ed
the problems with both solutions should be apparent. in the first, there's no accountability, and the read-only objects the user call pulled can still be updated, because all calls are made with a superuser. in the second, we can't establish permissions on the data being displayed until the second call has been processed, a call where we're intentionally generating errors!
while i've never heard of a mayEdit field, it's certainly a nice idea, especially since it would allow query criteria to be very specific to what's desired. if you want just records the user can edit, there it is! barring that, an api call that would allow a permissions check for a list of record id's would be good.
Hello All,
I'm facing with the same problem now... Does anyone know whether SF found solution for this problem?
Basically indeed we have two options, but none of them not elegant and very complicated:
- The first option is the "Try and See" option, i.e. update all the records we retrieve and separate between them according to the error response we got --> Absolutely not an elegant option and it damage our reports because it will change the LastModifyBy/Date fields.
- The second option is to simulate SF security mechanism per each record, which is very complicated since we need to count on the object_Share__c data which includes groups & users (recursively) and their are a lot of exceptions such as "Modify All" permission Etc.
It's really weird that SF not provides solution to this problem, the desired solution will be to retrieve records with direct information about the user permission according to a specific record (which user? the one that made the API call of course).
Any piece of information will help,
Thanks in advance,
Avi.
There have been no changes related to this.
Hi Is there any update on this issue? Is the MayEdit flag more reliable now?
Thanks
Abhay