[SalesForce] What does Read/Write on Sharing Setting mean when Profile for Object is Read only

I was troubleshooting a scenario where a User was trying to create a Related Record (say Object A) on Opportunity, which had a Master-Detail relationship, and was facing an insufficient access rights issue.

Upon investigation I found the below configurations:

  1. Opportunity on Profile is set to Read
  2. Object A on Profile has CRUD access
  3. OWD for Opportunity is Private (Object A because of M-D is Controlled by Parent)
  4. Opportunity was shared with the User using a Sharing Rule with "Read" access only
  5. The way M-D relationship was set on Object A is as below (and honestly I didn't know it can have an impact):
    [image: M-D relationship setting on Object A]

It seemed like because of the Sharing Rule where the User here had a "Read" access only on the Opportunities and because of the way the M-D relationship was set, they were not able to create the related record on Opportunity.

Once I extended the Sharing Rule to "Read/Write", it worked fine.

This is what leads to my question (I may be completely missing something very basic here):

What does "Read/Write" access on Sharing Rule really signify if an Object has only "Read" access on the Profile and that the record can actually never be edited?

Note that if the Sharing Setting definition on the M-D field was set to "Read" only, then this worked perfectly fine. In this case the master record didn't necessarily need to be shared as "Read/Write". The whole point of sharing the master record as "Read/Write" really seems redundant here. And it just seems the overall issue is that, while creating the detail record, the system validates the "access level" on Sharing Setting irrespective of whether the Object itself is set to "Read" only on the profile.

Best Answer

What does "Read/Write" access on Sharing Rule really signify if an Object has only "Read" access on the Profile and that the record can actually never be edited?

You'll want to read Sharing Considerations for most of the usual complications of sharing.

However, for the purpose of this question, it's important to make a distinction. A feature that requires a certain Sharing level of access to the record does not evaluate Profile Permissions regarding that feature. You can have Edit access to a record without having the Edit Object Profile Permission for that object.

If you have Edit access to an Opportunity, you can do all of the Edit-level features to that Opportunity, even if you can't edit the Opportunity itself because of Profile Permissions.

For example, the user can add Notes and Attachments, add Opportunity Team Members, Contact Roles, and so on, even if the Profile Permissions don't allow editing any Opportunity.
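
The distinction drawn in this answer, applied to the configuration from the question, as an added example that is not part of the original answer and is not Salesforce code: a simplified Python model in which the sharing level and the profile's object permissions are checked independently. All class, function and field names are hypothetical, and the model covers only the behaviour reported on this page.

```python
from dataclasses import dataclass

# Record-level (sharing) access, ordered so levels can be compared.
LEVELS = {"None": 0, "Read": 1, "Read/Write": 2}

@dataclass(frozen=True)
class UserContext:
    master_object_perms: frozenset  # profile permissions on the master object
    detail_object_perms: frozenset  # profile permissions on the detail object
    master_sharing: str             # sharing access to this master record

def can_edit_master(user):
    """Editing the master's own fields needs BOTH layers: the profile's
    Edit permission and Read/Write sharing access to the record."""
    return ("Edit" in user.master_object_perms
            and LEVELS[user.master_sharing] >= LEVELS["Read/Write"])

def can_create_detail(user, md_sharing_setting):
    """Creating a detail record needs Create on the detail object plus the
    sharing level on the master that the M-D field demands. The master
    object's profile permissions are not consulted for this check."""
    return ("Create" in user.detail_object_perms
            and LEVELS[user.master_sharing] >= LEVELS[md_sharing_setting])

def evaluate(master_sharing, md_sharing_setting):
    """Profile as in the question: Read on Opportunity, CRUD on Object A."""
    user = UserContext(
        master_object_perms=frozenset({"Read"}),
        detail_object_perms=frozenset({"Create", "Read", "Edit", "Delete"}),
        master_sharing=master_sharing,
    )
    return {
        "edit_master": can_edit_master(user),
        "create_detail": can_create_detail(user, md_sharing_setting),
    }

if __name__ == "__main__":
    # Constructed scenarios: every combination the question walks through.
    for sharing in ("Read", "Read/Write"):
        for md_setting in ("Read", "Read/Write"):
            print(f"sharing rule={sharing!r:13} M-D setting={md_setting!r:13}",
                  evaluate(sharing, md_setting))
```

In every row the Opportunity itself stays non-editable because the profile lacks Edit, while the ability to create Object A follows the sharing level alone. When reviewing least privilege, a "Read/Write" sharing rule should therefore be treated as granting Edit-level record features even where the profile is Read only.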
