
          Troubleshoot Object and Record Access Issues

          Your users can experience access issues or insufficient privileges errors if object permissions or record-access features aren’t configured correctly.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          The available user and data management options vary according to which Salesforce edition you have.
          User Permissions Needed
          To access features or complete tasks mentioned in this topic: See the related Help documentation.

          Troubleshoot Why a User Doesn’t Have Correct Access to a Record

          If your user can’t access a record, work through these steps to identify and fix the problem.

          [Figure: Troubleshooting flowchart for when a user can't access a record or object, depicting the same steps as in this topic.]
          Note: These steps focus on troubleshooting within Setup. If you have Event Monitoring, you can use the Insufficient Access Event Type to review errors related to insufficient record access.
          1. Check if the user has the relevant object permissions. Go to the user’s detail page in Setup, and click View Summary. In the Object Permissions tab, you can see all of the user’s assigned object permissions.
            1. Missing object permissions: Give the user the required object permissions. We recommend that you use permission sets and permission set groups to assign permissions. When possible, reuse existing permission sets and permission set groups, rather than creating new ones tailored to a specific user. However, make sure that you don’t assign more permissions than the user needs.
            2. Correct object permissions: Move to the next step. This issue involves record access, not object permissions.
          2. Check the organization-wide default sharing settings for the object on the Sharing Settings Setup page.
            1. Public Read/Write: There are no regular access restrictions for this object’s records. Move to step 12 for additional features that can possibly restrict access.
            2. Controlled by Parent: The parent object controls access. Start step 2 again for the parent object.
            3. Private: Only record owners and users above them in the role hierarchy can access this object. If you expected more permissive org-wide default access, update the setting. If this default setting is expected, move to the next step.
            Note: If the object is a custom object, you can prevent users above the owner in the role hierarchy from accessing records by disabling Grant Access Using Hierarchies. Verify that this setting is as expected.
          3. Review who does have access to the specific record and how, because this list can help inform why your user is missing access. In Lightning Experience, click Sharing Hierarchy from the Action Menu on the record. In Salesforce Classic, click Sharing on the record, and then click Expand List. The Sharing Hierarchy page shows the users, groups, roles, and territories that have access to the record. In Lightning Experience, clicking View shows reasons for access, including the name of the sharing mechanism that grants access. If a restriction rule blocks access to the record, a message is shown to confirm that access is blocked.
            If you expected your user to receive access through one of the listed reasons, you can jump directly to that feature. For example, suppose you thought your user was part of a public group that’s the target of a sharing rule. You can investigate whether the user is in the public group and whether the sharing rule is configured correctly. If you don’t see any potential investigation paths, move to the next step to continue the troubleshooting walkthrough.
            Note: If you don’t see the Sharing Hierarchy option and you have the right permissions, make sure that it’s added to the page layout.
          4. Check the user’s role in relation to the record owner. You can find this information on the users’ detail pages and review the role hierarchy on the Roles page in Setup. Check to make sure that both users are in the correct role. Users have automatic access to records if they’re the record owner, higher in the role hierarchy than the record owner, or the administrator. Roles can also be the target of sharing rules or manual shares. If the roles of either user are incorrect, you can edit them. Otherwise, move to the next step.
          5. Review the user’s public groups from their user detail page. Check to make sure that the user is included in the intended groups, which can be used to grant record access via sharing rules, manual sharing, or other features. You can review where a public group is used by clicking View Summary on its detail page.
            To add the user to any public groups, go to the Public Group page in Setup. If this fix doesn’t solve the issue, move to the next step.
          6. Review your sharing rules on the Sharing Settings Setup page. Is there an existing sharing rule that was intended to give the user access?
            1. No: If you believe other users require access to this record and other records that have the same owner or matching criteria, create a new sharing rule. If creating a sharing rule doesn’t work for your requirements, you can manually share the record with the one user.
            2. Yes: Review the sharing rule to make sure that the sharing rule includes the correct records, the rule has the correct access level, and the intended user is actually part of the group, role, or territory targeted by the sharing rule.
            If updating or creating sharing rules doesn’t solve your issue, move to the next step.
          7. Check your queues in Setup. Make sure that they’re configured as expected and that the user has the correct membership. Remember that users can be added directly to queues or via roles, groups, or territories. If you don’t use queues or your queues aren’t the source of the issue, move to the next step.
          8. Check your teams for accounts, opportunities, and cases in Setup. Make sure that the user is part of the correct teams and has read-only or read/write access as intended. If you don’t use teams or your teams aren’t the source of the issue, move to the next step.
          9. Review your territories. Check that the user is included in the territories, and that the record is under the correct territory where the user is a member. If you don’t use Enterprise Territory Management or your territory setup isn’t the issue, move to the next step.
          10. Review manual shares for the specific record. If the user previously had access via manual sharing, but they lost this access, find out if one of these events occurred.
            1. The record owner changed, causing the manual share to be removed.
            2. The record owner, an administrator, or a user above the owner in the role hierarchy removed the manual share using the Sharing button on the record detail page.
            3. An active restriction rule blocks access to the record because the rule’s user criteria includes the user, but the record criteria isn’t met.
            If needed, you can manually share the record with the user again. If this action doesn’t solve your issue, move to the next step.
          11. Check Apex-managed sharing. For custom objects, if you’re sharing records programmatically using Apex, verify that your code is working correctly. If you don’t use Apex-managed sharing or this feature isn’t the issue, move to the next step.
          12. Verify if any of these features restrict access to the user.
            1. Restriction rules prevent users from accessing records if they meet certain criteria. You can see if you have restriction rules for an object in Object Manager.
            2. Custom Apex logic can be used to restrict users’ access to data.

          Troubleshoot Why a User Has Unexpected Access to a Record

          If your user can access a record, but this access isn’t intended, work through these steps to remediate the issue.

          [Figure: Troubleshooting flowchart for when a user has unexpected access to a record or object, depicting the same steps as in this topic.]
          1. Check if the user’s base-level object permissions are correct. Go to the user’s detail page in Setup, and click View Summary. In the Object Permissions tab, you can see all of the user’s assigned object permissions.
            1. If the user has more object permissions than they need, click the permission's row-level action, and then click Access Granted By to see which profile, permission sets, or permission set groups are granting this access. You can change the user’s profile or remove their permission set or permission set group assignments. You can also modify the included permissions, but doing so affects all users assigned the same profile, permission set, or permission set group.
              Remember that if users are assigned the View All Records or Modify All Records permissions for an object, they have access to all records of that object, regardless of the sharing settings. The same applies for the View All Data or Modify All Data user permissions. You can review sharing overrides in the object’s details on the Sharing Settings Setup page.
            If the object permissions are correct, move to the next step. This issue is related to record access.
          2. Review who does have access to the specific record. In Lightning Experience, click Sharing Hierarchy from the Action Menu on the record. In Salesforce Classic, click Sharing on the record, then click Expand List. The Sharing Hierarchy page shows the users, groups, roles, and territories that have access to the record. In Lightning Experience, clicking View shows reasons for access, including the name of the sharing mechanism that grants access.
            From the sharing reasons, you might find that the user has access because they have a certain role or they’re a member of a specific public group. Depending on your sharing configuration, you can update the user’s assignments, or the sharing rule or manual share that grants access.
            If you don’t see the user listed as having the record shared with them, move to the next step.
            Note: If you don’t see the Sharing Hierarchy option and you have the right permissions, make sure that it’s added to the page layout.
          3. Check Apex-managed sharing. For custom objects, if you’re sharing records programmatically using Apex, verify that your code is working correctly.
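
The order of checks in both procedures above, written as a simplified Python model that returns why a user does or doesn't have read access. This is an added example, not Salesforce code and not Salesforce's sharing engine; the `User` and `Record` classes, `ROLE_PARENT`, and all sample names are constructed, and evaluating View All Records before restriction rules is an assumption of the model.

```python
# Simplified model of the checks above (not Salesforce's sharing engine).
from dataclasses import dataclass, field

ROLE_PARENT = {"Rep": "Manager", "Manager": "VP"}   # constructed role hierarchy: child -> parent

@dataclass
class User:
    name: str
    role: "str | None" = None
    groups: tuple = ()                                 # public groups, queues, teams, territories
    object_perms: dict = field(default_factory=dict)   # object -> set of permission names

@dataclass
class Record:
    obj: str
    owner: User
    owd: str = "Private"                               # org-wide default of the object
    use_hierarchy: bool = True                         # Grant Access Using Hierarchies
    parent: "Record | None" = None
    shares: dict = field(default_factory=dict)         # grantee (user, role, group) -> mechanism
    restricted_for: tuple = ()                         # users blocked by a restriction rule

def is_above(role, other):   # True if `role` is an ancestor of `other` in ROLE_PARENT
    parent = ROLE_PARENT.get(other)
    return parent is not None and (parent == role or is_above(role, parent))

def sharing_access(user, rec):   # steps 2-11: defaults, ownership, role hierarchy, shares
    if rec.owd == "Controlled by Parent" and rec.parent:
        return sharing_access(user, rec.parent)        # restart at step 2 for the parent
    if rec.owd == "Public Read/Write":
        return True, "step 2: org-wide default"
    if user.name == rec.owner.name:
        return True, "step 4: record owner"
    if rec.use_hierarchy and is_above(user.role, rec.owner.role):
        return True, "step 4: above owner in role hierarchy"
    for grantee in (user.name, user.role, *user.groups):
        if grantee in rec.shares:
            return True, f"share via {grantee}: {rec.shares[grantee]}"
    return False, "steps 5-11: no sharing mechanism grants access"

def explain_read(user, rec):
    """Return (has_access, reason) for read access, following the step order above."""
    perms = user.object_perms.get(rec.obj, set())
    if "Read" not in perms:
        return False, "step 1: missing Read object permission"
    if "View All Records" in perms:       # model assumption: checked before restriction rules
        return True, "sharing override: View All Records"
    if user.name in rec.restricted_for:
        return False, "step 12: restriction rule blocks access"
    return sharing_access(user, rec)
```

The returned reason names the step to revisit, which is the same question the Sharing Hierarchy page answers for a real record.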
           