Apex managed sharing giving exception when using a role
I am trying to create an apex managed sharing rule for a custom object where a share to a UserRole is set up. As a test, I set up a Role, Group, custom object, and sharing reason using the force.com UI and then ran this test method:
```apex
static testMethod void test() {
    UserRole testRole;
    Group testGroup;
    Custom_object__c obj;

    testGroup = [SELECT id from Group where name='test'];
    testRole = [SELECT id from UserRole where name='test'];
    obj = [SELECT id from Custom_object__c LIMIT 1];

    // This works OK
    insert new Custom_object__Share(ParentId = obj.id,
                                    UserOrGroupId = testGroup.id,
                                    rowCause = Custom_object__Share.rowCause.Apex_test_share__c,
                                    AccessLevel = 'Edit');

    // This gives an exception
    insert new Custom_object__Share(ParentId = obj.id,
                                    UserOrGroupId = testRole.id,
                                    rowCause = Custom_object__Share.rowCause.Apex_test_share__c,
                                    AccessLevel = 'Edit');
}
```
When I try this, the share for the testGroup.id works ok, but the attempt to set UserOrGroupId to the testRole.id gives the following exception:
System.DmlException: Insert failed. First exception on row 0; first error: FIELD_INTEGRITY_EXCEPTION, User/Group ID: id value of incorrect type: 00EA0000000De5gMAC: [UserOrGroupId]
From the apex reference manual, it seems to indicate you can set the UserOrGroupId to a role:
UserOrGroupId | The user or group IDs to which you are granting access. A group can be a public group, role, or territory. This field cannot be updated. |
Does anybody have any ideas why this is not working?
All Answers
If you use a group, does it stay up to date with any changes to users in roles?
i.e.
Point in time A
-create 'managers' role
-for the user craig, make his role 'manager'
-create a group 'all managers' and point it to the 'managers' role
-call apex code to setup a sharing rule between an object and the 'all managers group'
Point in time B
-let's say I go to the user craig and change his role to something else
-let's say I create a new user mark and make his role be 'manager'
Will things automatically get figured out based on the earlier sharing rule? i.e. craig no longer has access but now mark does. Note that in this example, neither craig nor mark have anything to do with the owner of the custom object record - the owner stays the same.
Or more generally, when you set up a sharing rule to grant access to a group or role, when a user tries to access a record do the sharing rules get examined in real time to see if the user can access (vs being set at the time the rule was created)?
That's certainly my understanding and experience of how things work. There wouldn't be much value to allowing groups of roles to be created if the role to user mapping was based on a single point in time snapshot.
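Added example, not part of the original thread: the ID in the exception (`00E...`) is a UserRole ID, while `UserOrGroupId` only accepts User or Group IDs. Salesforce maintains a Group record for each role (`Type = 'Role'`, `RelatedId` = the role's ID), so the share can target that group. The class, exception and method names below are hypothetical; `Custom_object__c` and `Apex_test_share__c` are the names used in the question.

```apex
// Added example (not from the thread). Class, exception and method names are hypothetical.
public with sharing class RoleShareExample {

    public class RoleGroupException extends Exception {}

    // Returns the Id of the system-maintained Group that stands for a role.
    // groupType is 'Role' (members of that role only) or
    // 'RoleAndSubordinates' (that role plus every role below it).
    public static Id groupIdForRole(Id roleId, String groupType) {
        List<Group> groups = [
            SELECT Id
            FROM Group
            WHERE RelatedId = :roleId
              AND Type = :groupType
            LIMIT 1
        ];
        if (groups.isEmpty()) {
            throw new RoleGroupException(
                'No ' + groupType + ' group found for role ' + roleId);
        }
        return groups[0].Id;
    }

    // Shares one record with the members of a role, using the Apex sharing
    // reason from the question. 'Role' is used rather than
    // 'RoleAndSubordinates' so access is not widened beyond the named role.
    public static Database.SaveResult shareWithRole(Id recordId, Id roleId,
                                                    String accessLevel) {
        Custom_object__Share share = new Custom_object__Share(
            ParentId      = recordId,
            UserOrGroupId = groupIdForRole(roleId, 'Role'),
            RowCause      = Schema.Custom_object__Share.RowCause.Apex_test_share__c,
            AccessLevel   = accessLevel
        );
        // allOrNone = false: the caller inspects the SaveResult instead of
        // catching a DmlException.
        return Database.insert(share, false);
    }
}
```

Because the share row points at the role's group rather than at individual users, access follows role membership as users are moved in or out of the role.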