[SalesForce] Can’t change owner of a record belonging to a role above me in the hierarchy

I am wondering if we have misused the Role Hierarchy…I have three roles like:

Manager
Team Leader
Team Member

These (and others) all belong (via their role) to the same Public Group and the same Queue. There are sharing rules to share the objects records between these public groups and queues using read/write. The users all have the same profile.

Anyway I have found that starting at the top the users can change the owner of any record including that of those belonging to their subordinates. Unfortunately at the bottom the team member can change the owner of their own records and those belonging to the queue. However they can not change the ownership of records owned by people above them in the hierarchy.

I hope that makes sense can someone suggest a way around this? (In this case all of the users should be able to change the owner of any record regardless of their role )

Best Answer

Delete permission in salesforce is always strictly per the role hierarchy. This is the case even if org wide defaults are set to public read/write.

The only exception is users with modify all data or modify all object level permission. They can delete any records.

See this help doc

Where it says

The ability to delete records in Salesforce is controlled by the role hierarchy. Setting a sharing model to ""Public Read/Write"" alone does not give users the right to delete others records.

Those below you on the role hierarchy may have read/write privileges according to the sharing model rules, however, they may not delete information from those individuals above them in that hierarchy.

Note: If a user is assigned a profile that has "Modify All" on a particular object, then the user will be able to delete any record in that object. System administrator profile has "Modify all Data" giving them the privilege to delete any record in any object

UPDATE sorry thought this was about delete permission, but change owner follows same logic for most objects, though a couple can have org wide defaults that include transfer permissions

See this doc for the details, including

A record owner, or any user above the owner in the role or territory hierarchy, can transfer a single record to another user. With some objects, like cases, leads, and campaigns, a user may be granted access to transfer records through sharing. Depending on the type of object, there may be multiple ways to transfer records to another user:

Related Solutions

[SalesForce] way to share account records to a user without sharing to someone above that user in the role hierarchy

Greg, it sounds more like a miss use of the Role Hierarchy. It is used for sharing objects and reporting; it is not meant to be the company role hierarchy.

It sounds to me like this is a Real Estate company or something similar and the agents do not want to let control of their clients or maybe for non-compete compliance reasons they shouldn't see each-others accounts.

Unfortunately this is a case where they will not be able to use the Role Hierarchy and you will need to make complex sharing rules or even apex sharing. This will also affect reporting as you will not be able to report on 'My Team' anymore. The customer needs to know these complexities and understand the trade offs.

In some instances there is no getting around this as there is legal reasons around it like conflict of interest, then Role Hierarchy needs reviewing to ensure privacy. If it is just a case that agents want to keep their personal clients, I would push to keep it open as that is the whole point of a CRM.

[SalesForce] Find users under a node in role hierarchy

I would get the UserRole records you want first and then query the User records.

Grouping UserRole Records by Parent

// public with sharing class RoleHierarchy
static Map<Id, List<UserRole>> hierarchy
{
    get
    {
        if (hierarchy == null)
        {
            hierarchy = new Map<Id, List<UserRole>>();
            for (UserRole role : [SELECT ParentRoleId FROM UserRole])
            {
                if (!hierarchy.containsKey(role.ParentRoleId))
                    hierarchy.put(role.ParentRoleId, new List<UserRole>());
                hierarchy.get(role.ParentRoleId).add(role);
            }
        }
        return hierarchy;
    }
    private set;
}

Getting Relevant UserRole Records

// public with sharing class RoleHierarchy
public static List<UserRole> getChildren(Id userRoleId)
{
    return hierarchy.containsKey(userRoleId) ?
        hierarchy.get(userRoleId) : new List<UserRole>();
}

// I would just use one of the below and name it getSubHierarchy
// Not entirely clear based on OP if top-level should be included

public static Set<Id> getSubHierarchyInclusive(Id userRoleId)
{
    Set<Id> roleIds = new Set<Id> { userRoleId };
    for (UserRole childRole : getChildren(userRoleId))
        roleIds.addAll(getSubHierarchyInclusive(childRole.Id));
    return roleIds;
}
public static Set<Id> getSubHierarchyExclusive(Id userRoleId)
{
    Set<Id> roleIds = new Set<Id>();
    for (UserRole childRole : getChildren(userRoleId))
    {
        roleIds.add(childRole.Id);
        roleIds.addAll(getSubHierarchyExclusive(childRole.Id));
    }
    return roleIds;
}

Get Users

// public with sharing class RoleHierarchy
public static List<User> getUsersUnder(Id userRoleId)
{
    return [
        SELECT Id FROM User
        WHERE UserRoleId IN :getSubHierarchy(userRoleId)
    ];
}

The above approach consumes a total of 2 SOQL statements.

Best Answer

Related Solutions

[SalesForce] way to share account records to a user without sharing to someone above that user in the role hierarchy

[SalesForce] Find users under a node in role hierarchy

Related Topic