Loading

How to Check Salesforce User Record Access Using UserRecordAccess and Share Objects

Дата публикации: Jun 2, 2026
Описание

This article explains how to determine whether a specific Salesforce user has access to a particular record. The UserRecordAccess object provides detailed information about a user's access to a specific set of records in your Salesforce org. You can query this object to check access levels for a given user.
Two approaches are available: querying the UserRecordAccess object by providing both the Record ID and the User ID, or querying the Share object (for example, AccountShare) for the specific Salesforce object you are evaluating.


 

Решение

Determine Specific User Access

To determine a specific user's access to a record, use one of the following approaches:

  • Query the UserRecordAccess object by providing both the Record ID and the User ID, or
  • Query the Share object for the specific Salesforce object you are evaluating.

    Query Using the Share Object (AccountShare)

    To query access using the AccountShare object, run a SOQL (Salesforce Object Query Language) query providing the Account ID. The query returns fields including AccountAccessLevel, CaseAccessLevel, ContactAccessLevel, and RowCause. These fields indicate the type of access granted and the reason why access was granted to that user or group.
    The AccountShare object stores sharing rules for Account records. The RowCause field explains the reason for the sharing entry, such as whether it was granted by the owner, an organization-wide default, a sharing rule, or manual sharing.
    Query fields returned: AccountAccessLevel, AccountId, CaseAccessLevel, ContactAccessLevel, Id, IsDeleted, LastModifiedById, LastModifiedDate, OpportunityAccessLevel, RowCause, UserOrGroupId. Filter by AccountId to see all sharing entries for a specific Account record.

    Query Using the UserRecordAccess Object

    To query access using the UserRecordAccess object, provide both the Record ID and the User ID. The result returns boolean (true/false) values for the following fields: HasReadAccess, HasEditAccess, HasDeleteAccess, HasTransferAccess, and HasAllAccess. The MaxAccessLevel field also indicates the highest level of access the user has to that record.

    Filter Accounts by a Specific User Using Apex

    The following approach uses Apex code to iterate over all Account records and check whether a specific user has read access to each record using the UserRecordAccess object. This is useful when you need to programmatically determine access for reporting or automation purposes.
    The code queries all Account records and all User records, then iterates through each Account. For each Account, it queries the UserRecordAccess object filtering by a specific User ID and by HasReadAccess equals True. The Record IDs of accessible accounts are collected into a list. The result is logged using System.debug() statements.
    Note: The code provided is an example. Review and modify it for your specific organization before executing.
    Important: The User ID used in the example query (00590000001OZ5bAAG) is a placeholder. Replace it with the actual 15 or 18-character Salesforce User ID for the user you want to check.


Use the example queries below as a reference.
Example Query (Share Object):

SELECT AccountAccessLevel, AccountId, CaseAccessLevel, ContactAccessLevel, Id, IsDeleted,
       LastModifiedById, LastModifiedDate, OpportunityAccessLevel, RowCause, UserOrGroupId
FROM AccountShare
WHERE AccountId = 'account_id'

Example Query (UserRecordAccess Object):

SELECT RecordId, HasReadAccess, HasEditAccess, HasDeleteAccess, HasTransferAccess,
       HasAllAccess, MaxAccessLevel
FROM UserRecordAccess
WHERE RecordId = 'record_id' AND UserId = 'user_id'

Filter table by a specific User :

NOTE: The code provided is an example. You'll need to review and make modifications for your organization.

List <Account> a = new List <Account>(); 
List <User> u = new List <User>(); 
List <ID> sRecordIDs = new List <ID>(); 
a = [select id from Account]; system.debug('>>>'+a.size()); 
u = [select id from User]; 
system.debug('>>>'+u.size()); 
for(Account c : a) 
{ 
    UserRecordAccess i =null; i = [SELECT RecordID FROM UserRecordAccess 
                                    WHERE UserId = '00590000001OZ5bAAG' 
                                    AND RecordID=: c.id AND HasReadAccess = True]; 
    sRecordIDs.add(i.id); 
} 
system.debug('>>>'+ sRecordIDs.size()); 
system.debug('>>>'+ sRecordIDs); 

Additional Option: stripInaccessible() Method

You can also use the stripInaccessible() method in Apex. This method checks source records for fields that do not meet the field-level security (FLS) check for the current user, and returns a list of sObjects with those inaccessible fields removed. To ensure secure processing in Apex, this method can also be used to remove inaccessible fields from sObjects before a DML (Data Manipulation Language) operation — for example, before inserting or updating a record — to avoid exceptions and to sanitize sObjects.

Дополнительные ресурсы

Additional Resources (Updated)

Номер статьи базы знаний

000386023

 
Загрузка
Salesforce Help | Article