Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
chriscwharris

Approval and Security

I have a custom app that has 3 levels of object in a master-detail hierarchy. I had set the OWD so the top level was private. The records are created by members of TEAM A who should always have access to the records for all objects in the app, so I have given them Modify All. There are then 2 levels of user below. TEAM MEMBERS can see their own records, i.e. those that relate to them. In order to do this I have had to rely on TEAM A manually adding the TEAM MEMBER to the sharing on each record. I can't find a better way to do this at the moment as the app needs to be generic and I won't always know what the role hierarchy or groups are before installing.

Above TEAM MEMBERS are TEAM MANAGERS. They need to be able to view their own records like a TEAM MEMBER can, but also the records of THEIR TEAM. This is where I am struggling... TEAM MANAGERS need READ access to their team's records, but also Edit access to specific objects as they are using an approval cycle. However, they cannot have edit access to their own record, just their team's.

I hope that makes sense. The key thing is that this is an app that will be installed in lots of orgs so I will not be aware of the security model of those beforehand.

In Summary:

TEAM A has CRUD on all records in the app
TEAM MANAGERS can read their own records and their team's records, and be able to approve/update specific objects for their team
TEAM MEMBERS can read their own records only

Since I can't find a way to dynamically add users to a record, I wonder how this might be done. The TEAM MANAGER is a new custom field added to the USER object, so it can be referenced.

Any ideas?
Shikha Agashi
We had a similar situation. We had OWD for an object A as Private. We customized our approval process. So whenever approval goes to any user, we would give read/write access for that record to the user, and as soon as he approves we would revert his sharing settings on the record through Apex. To achieve this, we also created a custom object ApproversAccess, where we store their original sharing access to the record, and once the record is approved/rejected we revert his setting.
chriscwharris
So you used Apex to change the access to the child at submit time, then revert the security back after approve/reject? The app is currently declarative only, with a few workflows and a few approval cycles. There are no Apex classes etc.

Are you saying the only way to dynamically change the access to a record, in order to give access to a user named in a field (not hardcoded etc.), is via the Apex route?
Shikha Agashi
Yes, this can be achieved dynamically through Apex. Otherwise, before you initiate approval, manually share the record with the approvers and once approval is completed revert those changes.
chriscwharris
Was this done via a trigger? Thanks
Shikha Agashi
Depends!!! If you are going for auto approval, the logic can be added in a trigger, but if you are creating a custom button to initiate the approval process, then the logic needs to be added to the Controller class associated with the button.