[SalesForce] Doing query as specific user

Situation:

We are doing SOAP API (custom made apex webservice) calls to service using admin user.
Those calls do search on Accounts (millions of records, search mostly on Name field)
Account are set Private (org-wide) with many sharing rules and hierarchy sharing
Calls pass userId (or email) of user in whose context result should be returned

Is there a way to apply sharing restrictions to the query I'm doing?

I have tried following:

Use UserRecordAccess but it only allows to query for 200 records which is definitely not enough
Use AccountShare table but it contains Groups for Role and Subordinates, which doesn't have any members in GroupMember table that means I would have to query for all the roles in role hierachy (which we have over 1000) also this table doesn't include sharing above in the hierarchy

Any ideas?

Best Answer

The only way to automatically enforce sharing is to log in as the user whom the query should be performed as, not as an admin user. As you've noted, using UserRecordAccess is exceptionally limited, so you'd have to perform many queries based on an initial query result. Assuming the account query returned less than about 20,000 rows, you could probably use UseRecordAccess without running out of query statements (and if it's more than that, you should consider narrowing the results anyways).

Related Solutions

[SalesForce] How to query list of roles that has access to a Account record shared via sharing rule

Yes sure.

You can use SOQL like bellow:

SELECT AccountAccessLevel , AccountId , CaseAccessLevel , ContactAccessLevel , Id , IsDeleted , LastModifiedById , LastModifiedDate , OpportunityAccessLevel , RowCause , UserOrGroupId FROM AccountShare WHERE RowCause = 'Rule'

This will give you all account rows those are shared to Role. If you are interested in perticuler role then you can add condition like AND WHERE UserOrGroupId = 'ROLE_ID_XXXX'

Query Indirect GroupMember Records

My experimentation seems to indicate that for a UserRole you add to a Group, Salesforce adds a Group with Type = 'Role' and RelatedId = <UserRole.Id>. You may need to separately process RoleAndSubordinates and/or RoleAndSubordinatesInternal, depending on your requirements.

Regardless, you should be able to query for the Id of the UserRole by iterating through the GroupMember records and filtering by Type. As there are many Type values to inspect, if you want to properly handle all of them you may need to do more legwork, as you shouldn't trust my back-of-the-napkin implementation. But it should get you started, hopefully.

Set<Id> roles = new Set<Id>();
Set<Id> rolesWithSubordinate = new Set<Id>();

Set<Id> groupIds = new Set<Id>();
for (GroupMember member : myGroup)
    groupIds.add(member.UserOrGroupId);

for (Group record : [
    SELECT Type, RelatedId FROM Group WHERE Id IN :groupIds
]){
    switch on record.Type
    {
        when 'Role'
        {
            roles.add(record.RelatedId);
        }
        when 'RoleAndSubordinates'
        {
            rolesWithSubordinate.add(record.RelatedId);
        }
    }
}
// query users with the above roles here

Best Answer

Related Solutions

[SalesForce] How to query list of roles that has access to a Account record shared via sharing rule

Query Indirect GroupMember Records

Related Topic