Loading

Salesforce: How to Interpret Insufficient Access Event Log Files

Julkaisupäivä: Jul 16, 2026
Kuvaus

Note: The Insufficient Access event type is disabled by default. You can enable this event type for a period of 24 hours by contacting Salesforce Customer Support.

Insufficient Access events contain details about errors relating to insufficient account, case, contact, and opportunity record access, so that you can troubleshoot and resolve access issues for your users. The following error scenarios are currently logged:

  • User can't share a case, contact, or opportunity because the user doesn't have permission to share the parent account or the recipient of the share doesn't currently have read access to the parent account.
  • User can't change ownership of a case, contact, or opportunity because the user doesn't have permission to share the parent account or the new owner doesn't currently have read access to the parent account.
  • User can't change the parent account of a case, contact, or opportunity because the user doesn't have permission to share the new parent account or the owner of the case, contact, or opportunity doesn't have read access to the new parent account.

In this article, we look at example event log files for these insufficient record access errors. Note that these errors can occur through manual operations as well as if the operation is triggered by flows or Apex code.

For descriptions of the Insufficient Access Event Type fields, see the Object Reference topic. For details about event monitoring, see the Trailhead Event Monitoring module (which includes info on querying event log files) or the REST API Developer's Guide.

Ratkaisu

This article walks through how to interpret Salesforce Insufficient Access event log files to troubleshoot record access errors. Review the key fields below when analyzing logs, then follow the worked examples for each error scenario.

Key Fields to Review

  • ACTUAL_LOGGED_IN_USER_ID — The user who was actually logged in and performed the operation.
  • USER_ID — The user whose access is being checked (may differ from ACTUAL_LOGGED_IN_USER_ID when operating on behalf of another user).
  • RECORD_ID — The ID of the record the access check was performed on.
  • ENTITY_TYPE — The object type of the record (e.g., Account, Case, Contact, Opportunity).
  • ACCESS_ERROR — The type of access error that occurred.
  • REQUESTED_ACCESS_LEVEL — The level of access that was required for the operation.
  • ERROR_DESCRIPTION — A plain-language description of the access failure.

Use REQUEST_ID, ERROR_TIMESTAMP, and USER_ID to confirm you are looking at the correct access error when multiple logs share the same request.

Example: User Can't Share a Case

Edwin is the owner of Case C1, but isn't the owner of the case's parent account, Account A1. Edwin has edit access to Account A1 and is not above the account's owner in the role hierarchy. Edwin attempts to share Case C1 with a team member, but sees an error and can't complete the operation. After Edwin sees the error, the admin queries the event log file and finds two logs with the same REQUEST_ID.

Log 1

FieldValue
EVENT_TYPEInsufficientAccess
USER_ID005XXXXXXXXXXX1 (Edwin)
RECORD_ID001XXXXXXXXXXX2
ENTITY_TYPEAccount
ACCESS_ERRORNO_ACCESS
REQUESTED_ACCESS_LEVELFULL
ERROR_DESCRIPTIONUser 005XXXXXXXXXXX1 doesn't have full access for the record 001XXXXXXXXXXX2.
ACTUAL_LOGGED_IN_USER_ID005XXXXXXXXXXX1 (Edwin)

Log 2

FieldValue
EVENT_TYPEInsufficientAccess
USER_ID005XXXXXXXXXXX1 (Edwin)
RECORD_ID500XXXXXXXXXXX3
ENTITY_TYPECase
ACCESS_ERRORNO_ACCESS
REQUESTED_ACCESS_LEVELREAD
ERROR_DESCRIPTIONCan't share record 500XXXXXXXXXXX3 to the user 005XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID005XXXXXXXXXXX1 (Edwin)

Cause

Edwin (005XXXXXXXXXXX1) can't share Case C1 (500XXXXXXXXXXX3) with his teammate (005XXXXXXXXXXX4) because Edwin doesn't have full access to the case's parent Account A1 (001XXXXXXXXXXX2).

Reason

Because sharing the case will automatically give read access to the parent account, only the account owner or a user with sufficient permissions can complete this operation. Edwin's edit permission on the account is not sufficient.

Solution

Someone with the required permissions (such as the account owner or admin) can share the case.

Note: This same error can occur for contact or opportunity records that are children of accounts.

Example: Can't Change Owner of a Contact

Anand is the owner of Contact C1, but isn't the owner of the contact's parent account, Account A1. Because he owns Contact C1, Anand has implicit read access to Account A1. Anand tries to transfer ownership of Contact C1 to his teammate Ciara, but sees an error and can't complete the operation. After Anand sees the error, the admin queries the event log file and finds two logs with the same REQUEST_ID.

Log 1

FieldValue
EVENT_TYPEInsufficientAccess
USER_ID005XXXXXXXXXXX2 (Ciara)
RECORD_ID001XXXXXXXXXXX4
ENTITY_TYPEAccount
ACCESS_ERRORNO_ACCESS
REQUESTED_ACCESS_LEVELREAD
ERROR_DESCRIPTIONUser 005XXXXXXXXXXX2 doesn't have read access for the record 001XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID005XXXXXXXXXXX3 (Anand)

Log 2

FieldValue
EVENT_TYPEInsufficientAccess
USER_ID005XXXXXXXXXXX3 (Anand)
RECORD_ID001XXXXXXXXXXX4
ENTITY_TYPEAccount
ACCESS_ERRORNO_ACCESS
REQUESTED_ACCESS_LEVELFULL
ERROR_DESCRIPTIONUser 005XXXXXXXXXXX3 doesn't have full access for the record 001XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID005XXXXXXXXXXX3 (Anand)

Cause

Anand (005XXXXXXXXXXX3) can't change the owner of Contact C1 because Anand doesn't have full access to the contact's parent Account A1 (001XXXXXXXXXXX4) and his teammate Ciara (005XXXXXXXXXXX2) doesn't already have read access to Account A1.

Reason

Because changing the owner of the contact will automatically give read access to the parent account, only the account owner or a user with sufficient permissions can complete this operation.

Solution

Either the admin or account owner must first grant Ciara read access to the account, or someone with the required permissions (such as the account owner or admin) can directly change the contact's owner.

Note: This same error can occur for case or opportunity records that are children of accounts.

Example: Can't Change Parent Account of an Opportunity

Edwin is the owner of Opportunity O1, but isn't the owner of the opportunity's parent account, Account A1. A teammate, Charlie, is granted edit access to Opportunity O1 through a manual share. Charlie tries to change the parent account on Opportunity O1 to Account A2. Charlie isn't the owner of Account A2 (he has only edit access and is below the account owner in the role hierarchy) and Edwin doesn't have access to Account A2. Charlie sees an error and can't complete the operation. After Charlie sees the error, the admin queries the event log file and finds two logs with the same REQUEST_ID.

Log 1

FieldValue
EVENT_TYPEInsufficientAccess
USER_ID005XXXXXXXXXXX1 (Edwin)
RECORD_ID001XXXXXXXXXXX4
ENTITY_TYPEAccount
ACCESS_ERRORNO_ACCESS
REQUESTED_ACCESS_LEVELREAD
ERROR_DESCRIPTIONUser 005XXXXXXXXXXX1 doesn't have read access for the record 001XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID005XXXXXXXXXXX2 (Charlie)

Log 2

FieldValue
EVENT_TYPEInsufficientAccess
USER_ID005XXXXXXXXXXX2 (Charlie)
RECORD_ID001XXXXXXXXXXX4
ENTITY_TYPEAccount
ACCESS_ERRORNO_ACCESS
REQUESTED_ACCESS_LEVELFULL
ERROR_DESCRIPTIONUser 005XXXXXXXXXXX2 doesn't have full access to the record 001XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID005XXXXXXXXXXX2 (Charlie)

Cause

Charlie (005XXXXXXXXXXX2) can't change the parent account of Opportunity O1 because he doesn't have full access to Account A2 (001XXXXXXXXXXX4) and Edwin (005XXXXXXXXXXX1) has no current access to Account A2 (001XXXXXXXXXXX4).

Reason

Because changing the opportunity's parent account will automatically give read access to that parent account to owners of child records, only the account owner or a user with sufficient permissions can complete this operation.

Solution

The admin or Account A2 owner must first grant Edwin read access to Account A2 before Charlie can change Opportunity O1's parent account to Account A2.

Note: This same error can occur for contact or case records that are children of accounts.

Knowledge-artikkelin numero

000396437

 
Ladataan
Salesforce Help | Article