function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Applying security for custom objects in lookup relationships

I've created a custom object that stores data for a record, including it's location (via latitude/longitude). I need to add this for a number of standard records including Leads, Contacts and Accounts. I'd like this in a single object for performance reasons. For example, now I can query what standard records are in a given area in a single query rather than querying each of Leads, Accounts, Contacts etc. separately. 


Conceptually, I'm looking for the equivalent of a master detail relationship to my custom object. However, I had to implement this as a lookup relationship as master-detail isn't supported for all records (e.g. can't have a master detail relationship from Leads to my Custom object). To this end, I had to implement my own triggers, e.g. to delete row in the custom object if the "parent" is deleted. 


As I mentioned, I'd like to make a single query to my custom object from Apex rather than make a bunch of queries to the parent records. However, now I'm concerned about security - that a user can get back records that they otherwise wouldn't have permission too. Is there any way to grant a row being inserted in my custom object the exact same permissions as on a "parent" object (I have access to the parent SObject when I'm inserting the custom object record)? Are there big gotchas in this approach (e.g. that permissions on the parent object could change and not ripple through?).



Brian SobyBrian Soby

HI Aiden,


Take a look at Apex Managed Sharing.  You can use it to create a sharing system based on arbitrary logic.


-Brian Soby



Thanks Brian. I see how I can set sharing via a standard record trigger. For example, if a lead record is inserted or updated, I can use this trigger to modify the permissions on the lookup record to same as that for lead.


However, what if an administrator changes permissions externally? For example, if they were to subsequently make the Leads table "private"? Users now locked out of the leads table would still have access to the lookup table.


I don't see any way around this problem. Is this correct?


Again, I'd like to essentially implement the equivelant of a master-detail relationship from leads, contacts, opportunities, and accounts to the record in my custom object. I can't use master-detail for all these standard records, so need to implement myself, which is fairly straightforward as a lookup but does bring in above security concern.




Brian SobyBrian Soby

Hi Aiden,


Since Apex Managed Sharing works with the sharing model of objects, making the Leads object private shouldn't impact your sharing scheme (since the purpose of putting the rules in place is to grant access to the correct parties).  If you're talking about a case where the administrator would want to revoke all access granted through the Apex Managed Sharing rules created by your application, I'd recommend building functionality into your application through which the administrator can selectively remove the Apex Managed Sharing rules that the application created.



-Brian Soby


abc batchabc batch
Hi Aiden,
       Can i know for Lookup and master detail relationship security feature?
   Thanks to arun kumar