[SalesForce] Is it possible to grant delete permissions using apex managed sharing

I have Custom_Object__c with:

  1. Org-Wide Default Settings as: Private
  2. Object Permissions in the user Profile: Create, Read, Edit, Delete.

I have a small development in Apex that is creating some apex managed sharing rules, to give certain users access to records they don't own.
So far I only needed to give the users either "Read" or "Edit" permissions. So all worked ok.

However, now I need to grant users delete permissions for records they don't own. Without touching profile nor org-wide default settings.
This would mean creating the apex managed sharing rules with accessLevel = 'All'.

I looked into the documentation, it seems to say that it's not possible to do that. (http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_bulk_sharing_understanding.htm)

All: This access level can only be granted with Force.com managed sharing.

Does anybody know a workaround to give the user delete permissions for records they don't own using apex managed sharing?

Best Answer

See this answer. I had asked another question on this topic because the answer by Ralph Callaway didn't work for me (but I really wanted it to).

I am copying the answer from the original question I asked because I don't want it to be a link-only answer. I'm putting it here so others are not misled to think giving Delete access on the object and an edit apex managed share will let the user delete the record.

The credit for the answer goes to ca_peterson and is reposted here:

The statement from the docs http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_bulk_sharing_understanding.htm

is key here:

This access level can only be granted with Force.com managed sharing.

in reference to the "full control" sharing setting.

Force.com managed sharing is the term for sharing that is granted by the platform itself - so record owner and manager of record owner if you simplify the statement.

Per the docs linked there you need "Full Access" to be allowed to delete.

Pair these two facts together and it turns out that nope - there's no way to grant delete access via apex sharing rules. The only options are to use force.com managed sharing (i.e. change the owner, or be above the owner in the role hierarchy), or grant modify all on the profile/perm set.

The other option would be to make a custom VF page or action that allows deleting the record via without sharing apex if the user has edit rights, but that doesn't allow the normal delete DML event, so has some drawbacks.
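
The workaround from the last paragraph of the answer, sketched as an added example (not code from the original thread or from Salesforce): a `without sharing` Apex class that re-checks object-level Delete permission and record-level Edit access before deleting. The class, method and exception names are hypothetical; `Custom_Object__c` is the object from the question.

```apex
// Added example. Intended to be called from a custom Visualforce
// controller or action; all names below are hypothetical.
public without sharing class CustomObjectDeleteService {

    public class DeleteNotAllowedException extends Exception {}

    // Deletes the record for the running user. Because this class runs
    // "without sharing", the platform no longer enforces record access,
    // so every check the user must pass is made explicitly here.
    public static void deleteIfEditable(Id recordId) {
        // Only accept ids of the one object this service is meant for.
        if (recordId == null ||
            recordId.getSObjectType() != Custom_Object__c.SObjectType) {
            throw new DeleteNotAllowedException('Unsupported record id.');
        }

        // Object-level check: the profile or permission set must grant
        // Delete on the object (Apex does not enforce this by itself).
        if (!Schema.sObjectType.Custom_Object__c.isDeletable()) {
            throw new DeleteNotAllowedException(
                'No delete permission on Custom_Object__c.');
        }

        // Record-level check: require the Edit access that the Apex
        // managed share (or ownership, role hierarchy) gives this user.
        List<UserRecordAccess> access = [
            SELECT RecordId, HasEditAccess
            FROM UserRecordAccess
            WHERE UserId = :UserInfo.getUserId()
              AND RecordId = :recordId
        ];
        if (access.isEmpty() || !access[0].HasEditAccess) {
            throw new DeleteNotAllowedException(
                'Edit access to the record is required.');
        }

        // Performed in system context, so the missing "All" access
        // level on the share row does not block the delete.
        Database.delete(recordId);
    }
}
```

Keep the method's surface this narrow: any caller that can reach a `without sharing` delete without the two checks above can remove records the sharing model was meant to protect.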
