Ownership of Junction Object Record
Hello,
I have a security-related issue here. Let me explain how I tried to reproduce, in my developer org, the issue I faced during a project:
I defined two users, one with the CEO role and the other with the Worker role. Obviously, the CEO is above the Worker in the hierarchy.
I defined three simple objects; ObjectA is the child of both ObjectX and ObjectY. I created the Master-Detail relationship between ObjectX and ObjectA first, therefore I expect ObjectA records to inherit the ownership from ObjectX according to SFDC documentation. Moreover, ObjectX and ObjectY possess a Private org-wide sharing setting.
- Test 1: CEO creates ObjectX record. Worker creates ObjectY record. CEO creates ObjectA record (Worker can't create because it won't see the ObjectX record created by CEO). I expect the Worker to not see the ObjectA record, and I couldn't see it. That's OK.
- Test 2: Worker creates ObjectX record. CEO creates ObjectY record. CEO creates ObjectA record. I expect the Worker to see the ObjectA record, and I couldn't see it. This is unexpected; I should have had access to the ObjectA record.
Thanks in advance.
All Answers
You need to check which reference, Object X or Object Y, was created earlier, because there is a concept of Primary and Secondary master-detail, and so the child will inherit the Primary object's sharing.
-Thanks
Ashlekh Gera
Yes, I am aware of this concept. In my post, I stated that I've created the Master-Detail relationship between ObjectX and ObjectA first, therefore this relationship automatically should be the primary (unless I have to set this from somewhere) and ObjectA record should inherit ownership from the ObjectX record.
Here, I quote the SFDC documentation below:
The first master-detail relationship you create on your junction object becomes the primary relationship. This affects the following for the junction object records:
Thanks.
Hi Tolga,
The theory of record ownership mentioned above is only relevant when you delete master-detail (both) relationships. In your case, CEO is the owner of junction object's record because he has created this record. And according to role hierarchy worker will not have the access on those records that CEO owns.
You may look into the following documentation (https://help.salesforce.com/apex/HTViewHelpDoc?id=dev_security.htm&language=en_US) that says:
"If the record has two master records in a many-to-many relationship, the user must have read access to both master records." // to view junction object's record
Thanks,
Abhishek
You are correct. If the worker has to see the junction object's record, it should have at least "read" permission to both master records. That's the point I was missing.
Thanks for your help!
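
The rule this thread settles on (a junction record is visible only to a user with read access to both master records), as an added example that is not part of the original posts or of Salesforce's own code. It is a simplified Python model of the two tests in the question; it assumes Private org-wide defaults, access granted upward through the role hierarchy, and no sharing rules, manual shares or "View All" permissions, and all function and class names are hypothetical.

```python
# Simplified model of the sharing behaviour discussed in this thread.
# Assumptions (not from the thread): no sharing rules, manual shares or
# "View All" permissions; the role hierarchy grants access upward.
from dataclasses import dataclass

# role -> role directly above it (None at the top); constructed from the post
ROLE_PARENT = {"CEO": None, "Worker": "CEO"}


@dataclass(frozen=True)
class Master:
    name: str
    owner_role: str  # role of the owning user; org-wide default is Private


@dataclass(frozen=True)
class Junction:
    name: str
    primary: Master    # first master-detail relationship created (ObjectX)
    secondary: Master  # second master-detail relationship (ObjectY)


def is_at_or_above(role: str, other: str) -> bool:
    """True if `role` equals `other` or sits above it in the hierarchy."""
    current = other
    while current is not None:
        if current == role:
            return True
        current = ROLE_PARENT[current]
    return False


def can_read_master(role: str, record: Master) -> bool:
    # Private OWD: only the owner and roles above the owner can read.
    return is_at_or_above(role, record.owner_role)


def can_read_junction(role: str, record: Junction) -> bool:
    # Rule quoted in the thread: read access to BOTH masters is required.
    return (can_read_master(role, record.primary)
            and can_read_master(role, record.secondary))


def run_test(x_owner: str, y_owner: str) -> dict:
    """Return {role: can see the ObjectA record} for one test from the post."""
    a = Junction("ObjectA", Master("ObjectX", x_owner), Master("ObjectY", y_owner))
    return {role: can_read_junction(role, a) for role in ROLE_PARENT}


if __name__ == "__main__":
    print("Test 1:", run_test(x_owner="CEO", y_owner="Worker"))
    print("Test 2:", run_test(x_owner="Worker", y_owner="CEO"))
```

In Test 2 the Worker can read its own ObjectX record but not the CEO-owned ObjectY record, so the junction record stays hidden from the Worker in this model.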