
Interpret Insufficient Access Event Logs

Publish Date: Feb 5, 2026
Description

Note: The Insufficient Access event type is disabled by default. You can enable this event type for a period of 24 hours by contacting Salesforce Customer Support.

Insufficient Access events contain details about errors relating to insufficient account, case, contact, and opportunity record access, so that you can troubleshoot and resolve access issues for your users. The following error scenarios are currently logged:
 

  • User can’t share a case, contact, or opportunity because the user doesn’t have permission to share the parent account or the recipient of the share doesn’t currently have read access to the parent account.
  • User can’t change ownership of a case, contact, or opportunity because the user doesn’t have permission to share the parent account or the new owner doesn’t currently have read access to the parent account.
  • User can’t change the parent account of a case, contact, or opportunity because the user doesn’t have permission to share the new parent account or the owner of the case, contact, or opportunity doesn’t have read access to the new parent account.

In this article, we look at example event log files for these insufficient record access errors. These errors can occur both in manual operations and in operations triggered by flows or Apex code.

For descriptions of the Insufficient Access Event Type fields, see the Object Reference topic. For details about event monitoring, see the Trailhead Event Monitoring module (which includes info on querying event log files) or REST API Developer’s Guide.

Resolution

We recommend that you review the ACTUAL_LOGGED_IN_USER_ID, USER_ID, RECORD_ID, ENTITY_TYPE, ACCESS_ERROR, REQUESTED_ACCESS_LEVEL, and ERROR_DESCRIPTION fields, as they are the most helpful in troubleshooting errors. You can use fields like REQUEST_ID, ERROR_TIMESTAMP, and USER_ID to confirm that you’re looking at the correct access error.  

Example: User can’t share case

Edwin is the owner of Case C1, but isn’t the owner of the case’s parent account, Account A1. Edwin has edit access to Account A1 and is not above the account’s owner in the role hierarchy. Edwin attempts to share Case C1 with a team member, but Edwin sees an error and can’t complete the operation. After Edwin sees the error, the admin can query the event log file. The admin sees that there are two logs with the same REQUEST_ID. The admin focuses on these values:

Log 1:
 
Field                      Value
EVENT_TYPE                 InsufficientAccess
USER_ID                    005XXXXXXXXXXX1 (Edwin)
RECORD_ID                  001XXXXXXXXXXX2
ENTITY_TYPE                Account
ACCESS_ERROR               NO_ACCESS
REQUESTED_ACCESS_LEVEL     FULL
ERROR_DESCRIPTION          User 005XXXXXXXXXXX1 doesn't have full access for the record 001XXXXXXXXXXX2.
ACTUAL_LOGGED_IN_USER_ID   005XXXXXXXXXXX1 (Edwin)

Log 2:
 
Field                      Value
EVENT_TYPE                 InsufficientAccess
USER_ID                    005XXXXXXXXXXX1 (Edwin)
RECORD_ID                  500XXXXXXXXXXX3
ENTITY_TYPE                Case
ACCESS_ERROR               NO_ACCESS
REQUESTED_ACCESS_LEVEL     READ
ERROR_DESCRIPTION          Can’t share record 500XXXXXXXXXXX3 to the user 005XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID   005XXXXXXXXXXX1 (Edwin)

Cause: From the logs, the admin determines that Edwin (005XXXXXXXXXXX1) can’t share Case C1 (500XXXXXXXXXXX3) with his teammate (005XXXXXXXXXXX4) because Edwin doesn’t have full access to the case’s parent Account A1 (001XXXXXXXXXXX2).

Reason: Because sharing the case will automatically give read access to the parent account, only the account owner or a user with sufficient permissions can complete this operation. (Edwin's edit permission on the account is not sufficient.)

Solution: Someone with the required permissions (such as the account owner or admin) can share the case.

Note that this same error can occur for contact or opportunity records that are children of accounts.

Example: Can’t change owner of contact

Anand is the owner of Contact C1, but isn’t the owner of the contact’s parent account, Account A1. Because he owns Contact C1, Anand has implicit read access to Account A1. Anand tries to transfer ownership of Contact C1 to his teammate Ciara, but Anand sees an error and can’t complete the operation. After Anand sees the error, the admin can query the event log file. The admin sees that there are two logs with the same REQUEST_ID. The admin focuses on these values:


Log 1:
 
Field                      Value
EVENT_TYPE                 InsufficientAccess
USER_ID                    005XXXXXXXXXXX2 (Ciara)
RECORD_ID                  001XXXXXXXXXXX4
ENTITY_TYPE                Account
ACCESS_ERROR               NO_ACCESS
REQUESTED_ACCESS_LEVEL     READ
ERROR_DESCRIPTION          User 005XXXXXXXXXXX2 doesn't have read access for the record 001XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID   005XXXXXXXXXXX3 (Anand)

Log 2:
 
Field                      Value
EVENT_TYPE                 InsufficientAccess
USER_ID                    005XXXXXXXXXXX3 (Anand)
RECORD_ID                  001XXXXXXXXXXX4
ENTITY_TYPE                Account
ACCESS_ERROR               NO_ACCESS
REQUESTED_ACCESS_LEVEL     FULL
ERROR_DESCRIPTION          User 005XXXXXXXXXXX3 doesn't have full access for the record 001XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID   005XXXXXXXXXXX3 (Anand)

Cause: From the log, the admin determines that Anand (005XXXXXXXXXXX3) can’t change the owner of Contact C1 because Anand doesn’t have full access to the contact’s parent Account A1 (001XXXXXXXXXXX4) and his teammate Ciara (005XXXXXXXXXXX2) doesn’t already have read access to Account A1.

Reason: Because changing the owner of the contact will automatically give read access to the parent account, only the account owner or a user with sufficient permissions can complete this operation.

Solution: Either the admin or account owner must first grant Ciara read access to the account, or someone with the required permissions (such as the account owner or admin) can change the contact’s owner directly.

Note that this same error can occur for case or opportunity records that are children of accounts. 

Example: Can’t change parent account of opportunity

Edwin is the owner of Opportunity O1, but isn’t the owner of the opportunity’s parent account, Account A1. A teammate, Charlie, is granted edit access to Opportunity O1 through a manual share. Charlie tries to change the parent account on Opportunity O1 to Account A2. Note that Charlie isn’t the owner of Account A2 (he has only edit access and is below the account owner in the role hierarchy) and Edwin doesn’t have access to Account A2. Charlie sees an error and can’t complete the operation. After Charlie sees the error, the admin can query the event log file. The admin sees that there are two logs with the same REQUEST_ID. The admin focuses on these values:


Log 1:
 
Field                      Value
EVENT_TYPE                 InsufficientAccess
USER_ID                    005XXXXXXXXXXX1 (Edwin)
RECORD_ID                  001XXXXXXXXXXX4
ENTITY_TYPE                Account
ACCESS_ERROR               NO_ACCESS
REQUESTED_ACCESS_LEVEL     READ
ERROR_DESCRIPTION          User 005XXXXXXXXXXX1 doesn't have read access for the record 001XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID   005XXXXXXXXXXX2 (Charlie)

Log 2:
 
Field                      Value
EVENT_TYPE                 InsufficientAccess
USER_ID                    005XXXXXXXXXXX2 (Charlie)
RECORD_ID                  001XXXXXXXXXXX4
ENTITY_TYPE                Account
ACCESS_ERROR               NO_ACCESS
REQUESTED_ACCESS_LEVEL     FULL
ERROR_DESCRIPTION          User 005XXXXXXXXXXX2 doesn't have full access to the record 001XXXXXXXXXXX4.
ACTUAL_LOGGED_IN_USER_ID   005XXXXXXXXXXX2 (Charlie)

Cause: From the log, the admin determines that Charlie (005XXXXXXXXXXX2) can’t change the parent account of Opportunity O1 because he doesn’t have full access to Account A2 (001XXXXXXXXXXX4) and Edwin (005XXXXXXXXXXX1) has no current access to Account A2 (001XXXXXXXXXXX4).

Reason: Because changing the opportunity’s parent account will automatically give read access to that parent account to owners of child records, only the account owner or a user with sufficient permissions can complete this operation.

Solution: The admin or Account A2 owner must first grant Edwin read access to Account A2 before Charlie can change Opportunity O1’s parent account to Account A2.

Note that this same error can occur for contact or case records that are children of accounts.
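
The correlation the three examples walk through (group rows by REQUEST_ID, then compare USER_ID with ACTUAL_LOGGED_IN_USER_ID) can be scripted. This is an added example, not Salesforce code; the CSV rows and REQUEST_ID values are constructed, and only the columns discussed above are included.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in event log file (CSV) form. Column names are fields the
# article names; the REQUEST_ID values are made up and other columns are omitted.
SAMPLE_CSV = """EVENT_TYPE,REQUEST_ID,USER_ID,ACTUAL_LOGGED_IN_USER_ID,RECORD_ID,ENTITY_TYPE,ACCESS_ERROR,REQUESTED_ACCESS_LEVEL,ERROR_DESCRIPTION
InsufficientAccess,REQ-A,005XXXXXXXXXXX1,005XXXXXXXXXXX1,001XXXXXXXXXXX2,Account,NO_ACCESS,FULL,User 005XXXXXXXXXXX1 doesn't have full access for the record 001XXXXXXXXXXX2.
InsufficientAccess,REQ-A,005XXXXXXXXXXX1,005XXXXXXXXXXX1,500XXXXXXXXXXX3,Case,NO_ACCESS,READ,Can't share record 500XXXXXXXXXXX3 to the user 005XXXXXXXXXXX4.
InsufficientAccess,REQ-B,005XXXXXXXXXXX2,005XXXXXXXXXXX3,001XXXXXXXXXXX4,Account,NO_ACCESS,READ,User 005XXXXXXXXXXX2 doesn't have read access for the record 001XXXXXXXXXXX4.
InsufficientAccess,REQ-B,005XXXXXXXXXXX3,005XXXXXXXXXXX3,001XXXXXXXXXXX4,Account,NO_ACCESS,FULL,User 005XXXXXXXXXXX3 doesn't have full access for the record 001XXXXXXXXXXX4.
"""

def group_by_request(csv_text):
    """Return {REQUEST_ID: [row, ...]} for InsufficientAccess rows."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] == "InsufficientAccess":
            groups[row["REQUEST_ID"]].append(row)
    return dict(groups)

def triage(rows):
    """Split one request's rows into the acting user's gaps and other users' gaps."""
    actor = rows[0]["ACTUAL_LOGGED_IN_USER_ID"]
    actor_gaps, other_gaps = [], []
    for r in rows:
        # ERROR_DESCRIPTION is kept because, for share errors, it is the only
        # place the intended recipient of the share appears.
        gap = (r["USER_ID"], r["REQUESTED_ACCESS_LEVEL"], r["ENTITY_TYPE"],
               r["RECORD_ID"], r["ERROR_DESCRIPTION"])
        (actor_gaps if r["USER_ID"] == actor else other_gaps).append(gap)
    return {"actor": actor, "actor_gaps": actor_gaps, "other_gaps": other_gaps}

def report(csv_text):
    """Triage every request found in the CSV text."""
    return {req: triage(rows) for req, rows in group_by_request(csv_text).items()}

if __name__ == "__main__":
    for req, t in report(SAMPLE_CSV).items():
        print(f"{req}: operation run by {t['actor']}")
        for user, level, entity, rec, desc in t["actor_gaps"]:
            print(f"  acting user lacks {level} on {entity} {rec}: {desc}")
        for user, level, entity, rec, desc in t["other_gaps"]:
            print(f"  other user {user} lacks {level} on {entity} {rec}: {desc}")
```

Rows in other_gaps identify the user who needs read access granted first (the new owner or the child record's owner in the examples above); rows in actor_gaps show that the acting user lacks the access needed to complete the operation.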
 
Knowledge Article Number

000396437

 
Salesforce Help | Article