Until I posted this question, I was under the assumption that the answer to my question is "No, it is not possible to update the owner of a record to a user who does not have Read access at the object level". But my simple tiny program confused me.
Here is the scenario,
Let us consider there are two users:
- 'Admin User' (myself) – having the System Admin profile
- 'Restricted User' – having some custom profile, and does not have Read access on the Account object. Does not have View All and Modify All permissions, and no other permission sets are assigned.
Now, I (Admin User) have created an Account record in the standard UI; let's say A1 is the record. As expected in this case, the user who created it becomes the owner by default.
Now, when I try to change the owner of that record to 'Restricted User' (who does not have Read access on Account) in the standard UI by clicking on the 'Change' link at the owner field, I get the 'Transfer Requires Read – The new owner must have "Read" permissions on this type of record.' error. This is expected, as per my knowledge.
But when I try to change the owner of that record to 'Restricted User' (who does not have Read access on Account) using Apex, I am able to change the owner successfully, which I didn't expect. I have used the below code for updating the owner:
Account acc = new Account();
acc.Id = '00190000024XXXX';      // Record Id (placeholder)
acc.OwnerId = '0059000000XXXXX'; // Restricted User Id (placeholder)
update acc;                      // succeeds even though the new owner lacks Read on Account
I have tried this in three different places/ways:
1. Running as anonymous code in the Developer Console
2. In an Apex controller using Without Sharing
3. In an Apex controller using With Sharing
It succeeds in all three ways.
Can someone help me understand whether this is expected behavior, or whether there is some silly mistake I might be making?
Let's say this is expected behavior; then what is the purpose of the System.DmlException: Update failed. first error: TRANSFER_REQUIRES_READ, The new owner must have read permission: []
exception, and when will it be thrown, if the above scenario is expected?
Best Answer
Being an owner won't magically allow you to view that record if you don't have Permission to View that Object.
Profile permissions determine whether you have the ability to read or edit (OBJECT BASIS): can I edit/view Accounts?
OWD/Sharing/Owner determines whether you have access to that record or not (RECORD BY RECORD BASIS): do I have access to edit/view this specific Account record?
So, coming to your question: the Restricted profile user can be the owner. It means he can access the record if he has permission to view the object. OwnerId is just a field in the database; it's nothing more than a text field.
In the standard UI (Transfer Owner wizard), the SF UI presentation layer (Change Owner button) has added a few extra validations to alert users, when they share or change ownership, if the assigned user won't be able to access that record (e.g. low-price licenses which do not have Apex).
src: https://www.youtube.com/watch?reload=9&v=jDYfTfaqclk
According to Salesforce Knowledge:
All of the above mention this error when the standard change ownership is used. The same validations don't apply in custom Apex, as there is no SF UI presentation layer to enforce them.
Source: https://help.salesforce.com/articleView?id=000004200&type=1
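As an added example (not code from the question or the answer), a before-update trigger that re-creates the UI's "Transfer Requires Read" validation for ownership changes made through Apex, so that the asker's update would fail the same way the Change Owner wizard does. The trigger name is hypothetical; ObjectPermissions and PermissionSetAssignment are the standard objects that expose profile and permission-set grants.

```apex
// Added example, not part of the original post: enforce the UI's
// "Transfer Requires Read" rule for ownership changes made via Apex DML.
// Trigger name is assumed; the queried objects are standard.
trigger AccountOwnerReadCheck on Account (before update) {
    // Collect the prospective owners whose OwnerId actually changed.
    Set<Id> newOwnerIds = new Set<Id>();
    for (Account acc : Trigger.new) {
        Account old = Trigger.oldMap.get(acc.Id);
        if (acc.OwnerId != old.OwnerId) {
            newOwnerIds.add(acc.OwnerId);
        }
    }
    if (newOwnerIds.isEmpty()) {
        return;
    }
    // A user's profile is exposed as a permission set (IsOwnedByProfile = true)
    // and is assigned to the user through PermissionSetAssignment, so one query
    // covers Read on Account granted by either the profile or a permission set.
    Set<Id> ownersWithRead = new Set<Id>();
    for (PermissionSetAssignment psa : [
            SELECT AssigneeId
            FROM PermissionSetAssignment
            WHERE AssigneeId IN :newOwnerIds
              AND PermissionSetId IN (
                  SELECT ParentId
                  FROM ObjectPermissions
                  WHERE SobjectType = 'Account'
                    AND PermissionsRead = true)]) {
        ownersWithRead.add(psa.AssigneeId);
    }
    // Reject the transfer for owners without object-level Read, mirroring
    // the standard Change Owner wizard instead of silently storing the Id.
    for (Account acc : Trigger.new) {
        Account old = Trigger.oldMap.get(acc.Id);
        if (acc.OwnerId != old.OwnerId && !ownersWithRead.contains(acc.OwnerId)) {
            acc.addError('Transfer Requires Read: the new owner must have '
                + 'Read permission on Account.');
        }
    }
}
```

With this trigger deployed, the anonymous-Apex update in the question raises a DmlException carrying the addError message, regardless of whether the caller runs with or without sharing.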