[SalesForce] How to allow users in specific roles to change the account owner

I'm fairly new to Salesforce and am having trouble wrapping my brain around all the different permissions settings. So far the other guys on my team have been handling that stuff while I've been having fun with Apex. But, lucky me, they just handed me a requirement involving permissions. Two related requirements actually. And I'm a bit stuck.

First I should provide a little background: We're using Enterprise Edition. We have 50 offices and have structured our role hierarchy to look something like this (sorry about the spacing):

OverallCompanyAdmin
- Office1Admin
  - Office1Manager
    - Office1User
- Office2Admin
  - Office2Manager
    - Office2User
    - etc.

The first requirement is to make it so that users in the OfficeManager role can change the account owner for any record where the account owner is a user in their office, but not in other offices ("Office" is a custom field on the user record). So, if there is an account owned by Office1UserA or Office1UserB, etc., Office1ManagerA should be able to change the account owner. But, Office2ManagerA should not be able to change the owners on those accounts. We have a number of sharing rules in place, as well as profile definitions, but it seems like we can only achieve all or nothing — either the OfficeManager role can't change the owner on any accounts but his own, or can change owners on all accounts.

The second requirement is for dealing with "unassigned" accounts. We created a user named "Unassigned" who is in Office51. If an account is owned by "Unassigned," then any Office Manager in any office should be able to change the account owner (the idea being that if an account is unassigned, any office manager can reassign it). We created a sharing rule for the Unassigned user, but it's not working.

Is it possible to achieve these two requirements with the standard security tools in Salesforce? Or would I need to create an Apex sharing rule? By the way, I have read the Salesforce documentation, have read a bunch of other articles, and have pored through forums to try to get a handle on this and find a situation similar to mine, but I'm still not sure at all how to approach this. Any pointers would be greatly appreciated. Thanks.

Edit/Update:

I've spent some time digesting your responses and going over our security settings, and I've found that with the role hierarchy in place and the users assigned to the proper roles and the correct profiles, the OfficeManager role is able to transfer record ownership for users in his office. An OfficeManager is not able to transfer record ownership for other OfficeManagers in his office, but we can live with that.

However, I'm a little unclear on the suggestions about how to handle the "Unassigned" accounts. It appears that sharing rules do not confer the right to transfer ownership, and because in our company all users can see all accounts, we have not given that permission to the non-SysAdmin profiles. So I think that creating an "Unassigned" role and sharing it wouldn't achieve the desired result of allowing any OfficeManager to transfer ownership of an "Unassigned" account…unless we could somehow put "Unassigned" at very bottom of the role hierarchy. Is this possible?

Best Answer

Depending on how your permissions are set, then yes, this should be doable. A user can only transfer record ownership of records to which they have access, so people in Office 1 should be able to transfer their records around.

If people in Office 1 do have access to Office 2's records then you'll have problems. You could circumvent this with custom coding that enforces your business rules or (my recommendation) train users to not transfer records from outside of their office (and you could use field history to maintain an audit trail of ownership.)

The second part, for "Unassigned" accounts would be easy; just give every office manager access to those records via sharing rules.

Related Solutions

[SalesForce] Sharing access to partner community users based on record owner

Update 03-11-16

Two important revisions to communities have occurred since I wrote this answer that should be considered. First is that User Sharing and visibility restrictions on the User Object in an Org are now in place (SU 15 as I recall). This impacts SF Users visibility to other users both inside an Org and within an Org's Customer Community.

The 2nd one is the introduction of Customer Community Plus licenses. These licenses DO NOT have the same sharing model as regular Customer Communities. That sharing is vastly different. However, Customer Community Plus licenses support Managed Apex Sharing which is often the only way in which records can be shared. Sharing groups are not available as they are with regular Customer Communities. Please keep this in mind when reading this answer.

EDIT 3

I just found this: "You can share a standard or custom object with users or groups. Apex sharing is not available for Customer Community users." on the following page http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_bulk_sharing_creating_with_apex.htm. I think that's the definitive answer regarding Apex Sharing with Community Users. You'll need to either change owners or set up a sharing group.

EDIT 2

I'd gotten that the customer wasn't a contact, but that the Portal User was. You still need to get the Owner of the Portal User.contact to set up your sharing if you're going to do it by User. Remember: Portal Users do not have a Role. You're not going to be able to do any kind of role based sharing unless you do it as a child of the Owner.

Your idea of transferring ownership to the system admin has a lot of merit, especially if the Portal User doesn't need to retain ownership and only needs to be able to view the record. That would likely be the simplest solution to your problem.

EDIT 1

I've edited my post to included some of my comments below and try to clarify them rather than create a long back and forth thread.

Fist, depending on your actual schema, I believe the above query should retrieve the Owner's ID and UserRoleId, not the Portal User's RoleId provided the contact__c object is the same as the contact object.

Since both Owners who have SF Licenses and Portal Users that have Communities licenses are all Users, in theory, you could get them all in one query. You can also do them as two separate queries. How best to do them depends on what info you need and whether one depends on the other. Its also a matter of what method you're most comfortable with.

The Owner(a SF User) owns the Contact and the Account associated with the Contact, but not the Communities User. To be clear, a Communities User cannot own another Contact nor an Account simply because they don't have anything other than read access to those objects for their own information (both contact and account)!

However any kind of User can be retrieved via a query on User. Additionally, a User's Contact info can be retrieved by a query on User (contact = User.contact.Id, contact.Name = User.contact.Name, etc.).

You say below that the Owner of the contact for the Portal User is also a Portal User, the question I'd have is what license that Portal User has? It can't be a Communities License.

If this helps, here's how Communities Users are created using Apex:

Account> a = new Account(Name = Acme ); 
/* OwnerID will either be specified or will be ID of User who performs this operation.*/
insert a;

Contact c = new Contact(FirstName = John, LastName = Doe, Account = a[0].Id (ID of Ajax Acct), email = test@salesforce.stackexchangetest.com, Phone = 800-555-1212, MailingStreet = .....); 
/* you know the drill for the rest of the data required. */
/* Again, the OwnerID is for the User who performs the operation unless an OwnerID is specified */
insert c;

User u =new User(ContactID = c[0].Id (John Doe's contact.Id), Alias = 'PrtlUsr1', Email= c[0].Email, FirstName= c[0].FirstName, LastName= c[0].LastName, userName=c[0].Email, ProfileID = CommunitiesLicenceID for your org);
/* Again, the OwnerID is for the User who performs the operation unless an OwnerID is specified */
Insert u;

In my experience, it requires a SF User license to create a Portal User.

The owner of the customer is a portal user tho, i guess thats what im not understanding. Are you saying is should be getting the portal user -> Contact -> and that owner? how does that help when what im trying to share is the "customer" I think people are getting confused because they are called "customers" but they are just a custom object.

This could very well be the "disconnect" that's been occurring. Since there is no "role hierarchy", yes, you need to be retrieving the Portal User Contact and the Owner of the Portal User Contact in order to share anything that belongs to the Portal User. Why? Because the only other person that can see everything the Portal User "owns" is the Owner of the Portal User Contact -> (Portal) User.contact.OwnerID!

The only other way that immediately comes to mind that might help you accomplish what you desire would be to utilize your trigger to add these Users to a Sharing Group of some kind; something you might also want to consider as an alternative.

I hope this provides the clarification you needed in order to help you move forward with your trigger.

BTW, when you do your test class, I recommend you utilize "Run As" when you create your Account, Contact and Portal User. That will automatically create the Portal User with the Run As User as it's Owner.

Original Answer

Communities Users have an Owner. They do not have a Role, all they have is a User Profile. Essentially, they quasi inherit their Role from their Owner. Their Owner can see any of the records they create. So, if you want to share something a Communities User "owns", you're going to need to do that through their Owner.

trigger shareCustomer on Customer__c (after insert, after update) {

   List<Customer__Share> customerShares  = new List<Customer__Share>();
   Customer__Share customerShare;

I agree with Greenstork, you need the User Role Id from related Owners (Users) in the trigger set. Now the question is:

Are your customers logging in as Communities Users or as Customers (Contacts)?

If as Users, then your query may need to reflect that. Your query currently shows as Customer__c, which is a Custom Object. Is there a relationship between Customer__c and either Contacts or Communities Users?

List<Customer__c> enhancedCustomerList = [SELECT id, Owner.UserRoleId, OwnerID FROM Customer__c WHERE id IN :trigger.new];

If there is, you may want to utilize that relationship in your trigger. That's for you to decide. I primarily say that because it may simplify things for you because of Ownership when it comes to Communities Users.

The rest of your trigger would look pretty much the same as what Greenstork has shown depending on the relationships you use between contact, account, Portal User, and Portal User.OwnerID. The sharing is going to occur based on the Owner of contact/customer__c/Portal User.

[SalesForce] Limit who can add/edit specific contact roles

Your gut feeling is correct. You can't restrict Contact Roles by the use of triggers. Keep in mind that a custom object will use 2kb of data storage per record, instead of the free cost that contact roles offer. Other than that drawback, this solution would work as you intend. Contact roles have no "additional" functionality that you'd have to consider.

Best Answer

Related Solutions

[SalesForce] Sharing access to partner community users based on record owner

[SalesForce] Limit who can add/edit specific contact roles

Related Topic