
task and attachment security on accounts

This post is slightly similar to a previous post found here.  In particular I am concerned with the following quote


"Attachments will follow the same security as the parent record."


It seems as if activities fall in line with this same principle.  Does this mean that there is no way to allow users access to an account, but not access to the related attachments and tasks?  It's easy enough to lock down all of the other related (lists) items of an Account, but apparently these fall through the cracks?


Can anyone verify that this is indeed the case and there are no workarounds?


Tasks are their own object type (00T) and the tasks associated with a record (such as an Account) are a related list.

If the user has access to the Account record, they will be able to see the Tasks associated with this account.  As far as I know, there isn't a way to specifically hide Tasks associated to an Account if the user has access to the Account record.


There is a bit of a work-around.  Let's say I have the Acme Account Record, and User 1 and User 2 both have Read access.  Let's also say that I have a Contact called John Smith, but only User 1 has Read access to the John Smith Contact Record.


If I associate the task with only the Acme Account, both users can see the Task.  If I associate the task with the Acme Account and the John Smith Contact, only User 1 can see the Task.






The below assumes you have your Activities set to Private and Contacts is Controlled by Parent.


If the task is related to the contact then you also see it on the account (provided the contact itself is associated to the account).


If the task is related to the account then you also see it on the account.


If the task is related to the contact and the account then you see it on the contact & account (again provided the contact is associated to the account).


So to not see it on the account then you would have to relate it to a contact that is not related to that account, but you will still see it on the contact.

But overall if you can see the account then you can see the activities. It makes sense, as you need to know what activity/communication has been taken/sent to this customer, otherwise you could have your users sending your clients the same information twice.


I suppose you also need to take the opinion that if they are not able to work on the account and interact with the client, performing daily activities, then should they really be concerned with the account itself at all? In other words, why would they need to see the account?





We would like our users to be aware of what companies that others are dealing with, so they do not start up a communication with them when we already have an existing relationship.  They really have no need to see anything other than that we have established communication, and the basic information that is available freely on the web.  So it was decided that they should not be able to see the communication that we have engaged in with companies that does not directly concern them.


Not really my call, just what was requested of me.  I just put a workaround in place that checks some conditionals and either shows a user the related lists on an account page or not depending on what they should see.


In that case then you would have removed the entire activities related list from the page layout and in turn that page layout was assigned to a particular profile


So I guess you now have more profiles and tighter controls


But overall if they have no need to work on the account and just view the account, then do they really need to see the account at all if they are doing no work at all on it? Isn't this then just clutter for them, things that they see that they don't need to see because it does not affect their work!


I think this is a general overall problem of data overload: if we are not working on something then we don't really need to know about it,

what we don't know doesn't hurt us :-)


I actually used Visualforce pages to remove the related lists, since if I removed them at a profile level then the user would not be able to see the related lists for accounts that they own.  I have all requests to view account details routed through a page which then decides who gets to see what.


The main purpose of this was so we did not start multiple conversations with the same company from different users in our organization.  This way, our users have access to see what companies we already have in the system.  So if, for example, one of our users is referred to another account (from one of their existing accounts), they can first check to see if they already exist in our system.  If so, they can discuss with the account owner as to the relationship we have with them and they can mutually decide if sharing the account would be appropriate.  Essentially we are trying to prevent ourselves from looking unprofessional by continually trying to start communication with the same company.


That being said, I am definitely open to hearing suggestions about how others might be accomplishing the same thing.
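
A sketch of the page-level gate described in the post above, as an added example that is not the poster's code: a Visualforce controller extension that renders the activity and attachment related lists only for the account owner or a user with edit access. The class name, the `showRelatedLists` property and the owner-or-edit condition are assumptions made for illustration. The gate only changes what the page renders; sharing is unchanged, so a user with read access to the Account can still reach its Tasks through any path that bypasses this page.

```apex
// Added example: controller extension for a Visualforce page that overrides
// the standard Account "View" action. Names and the gating rule are assumed.
public with sharing class AccountDetailGateController {

    // True when the running user may see activities and attachments.
    public Boolean showRelatedLists { get; private set; }

    public AccountDetailGateController(ApexPages.StandardController std) {
        Id accountId = std.getId();
        Account acct = [SELECT Id, OwnerId FROM Account WHERE Id = :accountId];

        // Assumed rule: owners and users with edit rights work the account;
        // everyone else only needs to know the company is already in the system.
        showRelatedLists = acct.OwnerId == UserInfo.getUserId()
            || hasEditAccess(accountId);
    }

    // UserRecordAccess reports the running user's effective access to a record.
    private static Boolean hasEditAccess(Id recordId) {
        List<UserRecordAccess> access = [
            SELECT RecordId, HasEditAccess
            FROM UserRecordAccess
            WHERE UserId = :UserInfo.getUserId()
              AND RecordId = :recordId
        ];
        return !access.isEmpty() && access[0].HasEditAccess;
    }
}

// Page markup that consumes the flag (shown as a comment to keep one block):
//
// <apex:page standardController="Account"
//            extensions="AccountDetailGateController">
//   <apex:detail subject="{!Account.Id}" relatedList="false"/>
//   <apex:relatedList list="OpenActivities"
//                     rendered="{!showRelatedLists}"/>
//   <apex:relatedList list="ActivityHistories"
//                     rendered="{!showRelatedLists}"/>
//   <apex:relatedList list="CombinedAttachments"
//                     rendered="{!showRelatedLists}"/>
// </apex:page>
```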