'View All' on Parent Object Does Not Automatically Give Access To Child That Is Controlled By Parent
Knowledge Article Number: 000240369

Description: Administrators can grant View All permissions to specific objects, alleviating the need to grant the much more powerful "View All Data" permission to users. When the sharing model is set to Private for a Parent object, and the child is set to Controlled by Parent, the expected behavior for access to child records is as follows:

Resolution:
- Users will be able to see all records of the Parent Object.
- Users will be able to see all Child records associated with Parent records on which they have 'Read' access granted via sharing rules, manual sharing, Apex sharing, territory sharing, role hierarchy, and so on.
- Users will NOT be able to see any Child records associated with Parent records where the only access granted is through the View All [Parent Object] permission.

- Suppose the sharing settings (OWD) for Accounts is Private, and Contacts is Read Only.
- Suppose User A has View All on Accounts, and only "Read" on Contacts.
- Suppose User B, who is not below User A in the hierarchy, owns Account A, underneath which resides Contact A (also owned by User B).
- Suppose User B has not shared this account with User A at all.
In this case, User A will be able to see the Account record because of View All Accounts, but will not be able to see the Contact, because the account technically hasn't been 'shared' with User A. If User B manually shares the Account with User A, then User A will subsequently be able to see the Contact.
The underlying reason for this is that the most restrictive permissions win, and this allows greater control over users' levels of access to various objects.
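The following added example (not Salesforce code and not part of the original article) is a simplified model of the behavior described above, useful for reasoning about which users can open a parent record yet cannot see its children. It assumes the child is Controlled by Parent, as in the article title; the names `User`, `Record`, `sharing_access`, `can_read`, `hidden_children` and `build_scenario` are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    view_all: set = field(default_factory=set)  # objects with "View All"
    read: set = field(default_factory=set)      # objects with "Read"
    manager: "User" = None                      # next user up the role hierarchy

@dataclass
class Record:
    name: str
    obj: str
    owner: User
    parent: "Record" = None                        # set when the child is Controlled by Parent
    shared_with: set = field(default_factory=set)  # names granted by manual/rule/Apex sharing

def sharing_access(user, rec):
    """Access from the sharing model only: ownership, role hierarchy, share entries."""
    boss = rec.owner.manager
    while boss is not None and boss is not user:
        boss = boss.manager
    return rec.owner is user or boss is user or user.name in rec.shared_with

def can_read(user, rec):
    if rec.obj in user.view_all:        # View All covers records of that object only
        return True
    if rec.obj not in user.read:
        return False
    # Controlled by Parent: the child follows the parent's sharing access,
    # and View All on the parent object is not a sharing grant.
    return sharing_access(user, rec.parent or rec)

def hidden_children(user, records):
    """Children whose parent the user can open but which stay invisible."""
    return [(r.parent.name, r.name) for r in records
            if r.parent and can_read(user, r.parent) and not can_read(user, r)]

def build_scenario():
    # Constructed sample data mirroring the article's example.
    user_a = User("User A", view_all={"Account"}, read={"Account", "Contact"})
    user_b = User("User B", read={"Account", "Contact"})
    account = Record("Account A", "Account", owner=user_b)
    contact = Record("Contact A", "Contact", owner=user_b, parent=account)
    return user_a, account, [account, contact]

if __name__ == "__main__":
    user_a, account, records = build_scenario()
    print(hidden_children(user_a, records))   # gap: parent visible, child hidden
    account.shared_with.add(user_a.name)      # User B manually shares the account
    print(hidden_children(user_a, records))   # gap closed
```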