Note: The Insufficient Access event type is disabled by default. You can enable this event type for a period of 24 hours by contacting Salesforce Customer Support.
Insufficient Access events contain details about errors relating to insufficient account, case, contact, and opportunity record access, so that you can troubleshoot and resolve access issues for your users. The following error scenarios are currently logged:
In this article, we look at example event log files for these insufficient record access errors. Note that these errors can occur through manual operations as well as if the operation is triggered by flows or Apex code.
For descriptions of the Insufficient Access Event Type fields, see the Object Reference topic. For details about event monitoring, see the Trailhead Event Monitoring module (which includes info on querying event log files) or the REST API Developer's Guide.
This article walks through how to interpret Salesforce Insufficient Access event log files to troubleshoot record access errors. Review the key fields below when analyzing logs, then follow the worked examples for each error scenario.
Use REQUEST_ID, ERROR_TIMESTAMP, and USER_ID to confirm you are looking at the correct access error when multiple logs share the same request.
Edwin is the owner of Case C1, but isn't the owner of the case's parent account, Account A1. Edwin has edit access to Account A1 and is not above the account's owner in the role hierarchy. Edwin attempts to share Case C1 with a team member, but sees an error and can't complete the operation. After Edwin sees the error, the admin queries the event log file and finds two logs with the same REQUEST_ID.
| Field | Value |
|---|---|
| EVENT_TYPE | InsufficientAccess |
| USER_ID | 005XXXXXXXXXXX1 (Edwin) |
| RECORD_ID | 001XXXXXXXXXXX2 |
| ENTITY_TYPE | Account |
| ACCESS_ERROR | NO_ACCESS |
| REQUESTED_ACCESS_LEVEL | FULL |
| ERROR_DESCRIPTION | User 005XXXXXXXXXXX1 doesn't have full access for the record 001XXXXXXXXXXX2. |
| ACTUAL_LOGGED_IN_USER_ID | 005XXXXXXXXXXX1 (Edwin) |
| Field | Value |
|---|---|
| EVENT_TYPE | InsufficientAccess |
| USER_ID | 005XXXXXXXXXXX1 (Edwin) |
| RECORD_ID | 500XXXXXXXXXXX3 |
| ENTITY_TYPE | Case |
| ACCESS_ERROR | NO_ACCESS |
| REQUESTED_ACCESS_LEVEL | READ |
| ERROR_DESCRIPTION | Can't share record 500XXXXXXXXXXX3 to the user 005XXXXXXXXXXX4. |
| ACTUAL_LOGGED_IN_USER_ID | 005XXXXXXXXXXX1 (Edwin) |
Edwin (005XXXXXXXXXXX1) can't share Case C1 (500XXXXXXXXXXX3) with his teammate (005XXXXXXXXXXX4) because Edwin doesn't have full access to the case's parent Account A1 (001XXXXXXXXXXX2).
Because sharing the case will automatically give read access to the parent account, only the account owner or a user with sufficient permissions can complete this operation. Edwin's edit permission on the account is not sufficient.
Someone with the required permissions (such as the account owner or admin) can share the case.
Note: This same error can occur for contact or opportunity records that are children of accounts.
Anand is the owner of Contact C1, but isn't the owner of the contact's parent account, Account A1. Because he owns Contact C1, Anand has implicit read access to Account A1. Anand tries to transfer ownership of Contact C1 to his teammate Ciara, but sees an error and can't complete the operation. After Anand sees the error, the admin queries the event log file and finds two logs with the same REQUEST_ID.
| Field | Value |
|---|---|
| EVENT_TYPE | InsufficientAccess |
| USER_ID | 005XXXXXXXXXXX2 (Ciara) |
| RECORD_ID | 001XXXXXXXXXXX4 |
| ENTITY_TYPE | Account |
| ACCESS_ERROR | NO_ACCESS |
| REQUESTED_ACCESS_LEVEL | READ |
| ERROR_DESCRIPTION | User 005XXXXXXXXXXX2 doesn't have read access for the record 001XXXXXXXXXXX4. |
| ACTUAL_LOGGED_IN_USER_ID | 005XXXXXXXXXXX3 (Anand) |
| Field | Value |
|---|---|
| EVENT_TYPE | InsufficientAccess |
| USER_ID | 005XXXXXXXXXXX3 (Anand) |
| RECORD_ID | 001XXXXXXXXXXX4 |
| ENTITY_TYPE | Account |
| ACCESS_ERROR | NO_ACCESS |
| REQUESTED_ACCESS_LEVEL | FULL |
| ERROR_DESCRIPTION | User 005XXXXXXXXXXX3 doesn't have full access for the record 001XXXXXXXXXXX4. |
| ACTUAL_LOGGED_IN_USER_ID | 005XXXXXXXXXXX3 (Anand) |
Anand (005XXXXXXXXXXX3) can't change the owner of Contact C1 because Anand doesn't have full access to the contact's parent Account A1 (001XXXXXXXXXXX4) and his teammate Ciara (005XXXXXXXXXXX2) doesn't already have read access to Account A1.
Because changing the owner of the contact will automatically give read access to the parent account, only the account owner or a user with sufficient permissions can complete this operation.
Either the admin or account owner must first grant Ciara read access to the account, or someone with the required permissions (such as the account owner or admin) can directly change the contact's owner.
Note: This same error can occur for case or opportunity records that are children of accounts.
Edwin is the owner of Opportunity O1, but isn't the owner of the opportunity's parent account, Account A1. A teammate, Charlie, is granted edit access to Opportunity O1 through a manual share. Charlie tries to change the parent account on Opportunity O1 to Account A2. Charlie isn't the owner of Account A2 (he has only edit access and is below the account owner in the role hierarchy) and Edwin doesn't have access to Account A2. Charlie sees an error and can't complete the operation. After Charlie sees the error, the admin queries the event log file and finds two logs with the same REQUEST_ID.
| Field | Value |
|---|---|
| EVENT_TYPE | InsufficientAccess |
| USER_ID | 005XXXXXXXXXXX1 (Edwin) |
| RECORD_ID | 001XXXXXXXXXXX4 |
| ENTITY_TYPE | Account |
| ACCESS_ERROR | NO_ACCESS |
| REQUESTED_ACCESS_LEVEL | READ |
| ERROR_DESCRIPTION | User 005XXXXXXXXXXX1 doesn't have read access for the record 001XXXXXXXXXXX4. |
| ACTUAL_LOGGED_IN_USER_ID | 005XXXXXXXXXXX2 (Charlie) |
| Field | Value |
|---|---|
| EVENT_TYPE | InsufficientAccess |
| USER_ID | 005XXXXXXXXXXX2 (Charlie) |
| RECORD_ID | 001XXXXXXXXXXX4 |
| ENTITY_TYPE | Account |
| ACCESS_ERROR | NO_ACCESS |
| REQUESTED_ACCESS_LEVEL | FULL |
| ERROR_DESCRIPTION | User 005XXXXXXXXXXX2 doesn't have full access to the record 001XXXXXXXXXXX4. |
| ACTUAL_LOGGED_IN_USER_ID | 005XXXXXXXXXXX2 (Charlie) |
Charlie (005XXXXXXXXXXX2) can't change the parent account of Opportunity O1 because he doesn't have full access to Account A2 (001XXXXXXXXXXX4) and Edwin (005XXXXXXXXXXX1) has no current access to Account A2 (001XXXXXXXXXXX4).
Because changing the opportunity's parent account will automatically give read access to that parent account to owners of child records, only the account owner or a user with sufficient permissions can complete this operation.
The admin or Account A2 owner must first grant Edwin read access to Account A2 before Charlie can change Opportunity O1's parent account to Account A2.
Note: This same error can occur for contact or case records that are children of accounts.
000396437

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.