dwright-glgroup

How to find out if current user has 'read all access' to an sobject

Is it possible to write apex code to see if the current user has 'read all access' (not just accessibility, which is 'read' access to records he or his subordinates own).
To check for read access to Account objects, for example, you do this:

boolean mayAccessAccounts = Schema.sObjectType.Account.isAccessible();

Is it necessary to check the user's profile for the 'read all access' capability (I assume there is code to do that but I haven't found any), and also check the various permission sets for him to see if any of them have it? Seems like a simpler API should exist...
 

Best Answer chosen by dwright-glgroup
dwright-glgroup
That article was helpful, thanks. For others' benefit I've written the following class that checks to see if a given user has "read all" permission to a given sObject, and if so, reports the profile name or permission set name that granted him the access.
 
public class PermissionChecker {
    // report whether a given user has 'Read all' permission on a particular type of sObject
    public static PermissionReport HasReadAllPermission(String sObjectName, Id userId) {
        PermissionReport r = new PermissionReport();
        List<PermissionSetAssignment> psas =
            [SELECT Assignee.Name, PermissionSet.Id, PermissionSet.isOwnedByProfile, PermissionSet.Profile.Name, PermissionSet.Label
            FROM PermissionSetAssignment WHERE PermissionSetId IN
            (SELECT ParentId FROM ObjectPermissions WHERE SObjectType = :sObjectName AND PermissionsViewAllRecords = true)
            AND Assignee.Id = :userId];
        r.HasPermission = psas.size() > 0;
        if (r.HasPermission) {
            PermissionSetAssignment psa = psas[0];
            r.IsProfile = psa.PermissionSet.isOwnedByProfile;
            r.Label = r.IsProfile ? psa.PermissionSet.Profile.Name : psa.PermissionSet.Label;
        }       
        return r;
    }
    
    public class PermissionReport {
        public boolean HasPermission {get; set;}  // true if have permission via profile or permission set
        public boolean IsProfile {get; set;}  // true if profile, false if permission set
        public String Label {get; set;}  // the name of the profile or permission set granting access
    }
}

Example usage:
PermissionChecker.PermissionReport pReport = PermissionChecker.HasReadAllPermission('Account', UserInfo.getUserId());
if (pReport.HasPermission) {
    if (pReport.IsProfile) {
        System.debug('You have read all permission via profile ' + pReport.Label);
    }
    else {
        System.debug('You have read all permission via permission set ' + pReport.Label);
    }
}
else {
    System.debug('You do not have read all permission');
}
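
The class above reports only the first matching assignment for one user. As an added example (not the poster's code), the same query generalized into a least-privilege audit that lists every active user holding View All on an object, together with each profile or permission set that grants it; the names ViewAllAudit and grantsFor are hypothetical.

```apex
// Added example, not from the thread. ViewAllAudit and grantsFor are
// hypothetical names chosen for illustration.
public class ViewAllAudit {
    // Returns username -> every profile / permission set that grants
    // "View All" (PermissionsViewAllRecords) on the given sObject type.
    public static Map<String, List<String>> grantsFor(String sObjectName) {
        Map<String, List<String>> grants = new Map<String, List<String>>();
        for (PermissionSetAssignment psa : [
                SELECT Assignee.Username,
                       PermissionSet.IsOwnedByProfile,
                       PermissionSet.Profile.Name,
                       PermissionSet.Label
                FROM PermissionSetAssignment
                WHERE Assignee.IsActive = true
                  AND PermissionSetId IN (
                      SELECT ParentId FROM ObjectPermissions
                      WHERE SobjectType = :sObjectName
                        AND PermissionsViewAllRecords = true)
                ORDER BY Assignee.Username]) {
            // A profile is backed by a permission set it owns, so one
            // query covers both kinds of grant.
            String source = psa.PermissionSet.IsOwnedByProfile
                ? 'profile: ' + psa.PermissionSet.Profile.Name
                : 'permission set: ' + psa.PermissionSet.Label;
            String username = psa.Assignee.Username;
            if (!grants.containsKey(username)) {
                grants.put(username, new List<String>());
            }
            // Keep every source: revoking one grant does not remove the
            // access while another source still provides it.
            grants.get(username).add(source);
        }
        return grants;
    }
}

// Usage: one debug line per user with all grant sources for Account.
Map<String, List<String>> report = ViewAllAudit.grantsFor('Account');
for (String username : report.keySet()) {
    System.debug(username + ' -> ' + String.join(report.get(username), '; '));
}
```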

 

All Answers

Shashank (Salesforce Developers)
Please see if this helps: https://developer.salesforce.com/blogs/engineering/2012/06/using-soql-to-determine-your-users-permissions-2.html