aztock

Run Query as User in APEX class / getting Object permissions (sharing rules)

We need to execute a query on behalf of another user.

Ex: A user creates an Action Item record (think of it as a question to the field force); the question needs to apply only to Accounts accessible to the user. To do so we have an intermediate object, ActionItemAccount.

ActionItemAccount is refreshed nightly to reflect any changes in the user's access over time.

The batch deletes existing records, and recreates records based on the Accounts currently accessible to the user.

To do so the batch needs to query the Account object (Run As) the Owner of the Action Item.

Hope the above makes sense. Can you please share your thoughts on the desired approach?

thank you,

A.

Satgur

Is this nightly Batch process catering to all the field engineers / Sales Reps?

If it is a universal batch process, retrieving accessible Account records for each SALES USER/Rep, then you may not need to do RUN AS here.

Simply retrieve the list of target Sales USERS with 1 SOQL query. Store it inside a SET

    // Add an appropriate WHERE clause to retrieve only the designated Sales Reps
    Set<Id> usrIds = new Map<Id, User>([SELECT Id, Name FROM User]).keySet();

Now perform a query on the ACCOUNT object

    // OwnerId is selected so the results can be grouped per user afterwards
    List<Account> accList = [SELECT Id, Name, AnnualRevenue, OwnerId FROM Account WHERE OwnerId IN :usrIds];

So you can retrieve the accessible account records for each User with the ownerId Where clause.

Next you can segregate the Users and their respective account records from the above Account list using an intermediate collection, a Map<UserId, List<Account>> type variable.

Does this provide a viable approach to your question, problem?

Thanks

Satgur

I missed noting the Sharing rules part of this requirement.

I know runAs is primarily used while developing test methods, and not in mainstream Apex classes. Also there are governor limits on usage of runAs() with Apex code.

To cater to the sharing rules requirement, and extending what I already described in my previous post, try doing the following -

Perform a 2nd SOQL as below

    // AccountId holds the Id of the shared Account (referred to as TargetObjectId in this post)
    List<AccountShare> lstAccShare = [SELECT AccountId, UserOrGroupId FROM AccountShare WHERE UserOrGroupId IN :usrIds];

So here you get all Account records which have been shared with the given User (or list of Users in the current example).

Read TargetObjectId from above (this denotes Id of Account records), you can requery Account object now to retrieve the details.

Thanks

aztock

Hello Satgur,

To clarify, ActionItem is created by managers at the Head Office. In other words these managers do not own Accounts directly, however they have access to accounts either via Role Hierarchy, Territory Mgmt, or Sharing Rules, or Org Wide Defaults.

(The batch runs nightly to generate records for the accounts accessible to the user)

Hence we considered using the AccountShare object. The problem with AccountShare is that it is not always clear when there are records in AccountShare. That is, SFDC does a "good" job of keeping the records to a minimum in this table, however there is no documentation on it. Ex: if the org wide default is set to "Public Read/Write" there are no Records in the AccountShare. There are also many other situations that are confusing.

In short it is not clear how AccountShare is managed, and how it is affected by Org Wide Defaults, ViewAllData permissions in the profiles, or the Role Hierarchy. Is there any documentation on it?

thank you,

A.
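
Added example, not part of the thread and not written by any of its participants: one way to recreate the ActionItemAccount rows from the Action Item owner's effective access is to query the standard UserRecordAccess object, which reports a given user's access to given records, instead of reading AccountShare rows. The custom object and field API names (ActionItemAccount__c, ActionItem__c, Account__c) and the class name are assumptions, as is a batch user who can read every Account.

```apex
// Added example. Recreates the intermediate rows for ONE Action Item.
// Assumed names: ActionItemAccount__c, ActionItem__c, Account__c.
// Assumption: old rows for this Action Item were deleted before the job starts.
public class ActionItemAccountRefresh implements Database.Batchable<SObject> {
    private final Id actionItemId;
    private final Id ownerId; // owner of the Action Item (the "run as" user)

    public ActionItemAccountRefresh(Id actionItemId, Id ownerId) {
        this.actionItemId = actionItemId;
        this.ownerId = ownerId;
    }

    public Database.QueryLocator start(Database.BatchableContext bc) {
        // Candidate set: every Account; access is decided per chunk in execute().
        return Database.getQueryLocator('SELECT Id FROM Account');
    }

    public void execute(Database.BatchableContext bc, List<Account> scope) {
        // UserRecordAccess must be filtered on a single UserId and on at most
        // 200 RecordIds per query, so start the job with a scope size <= 200:
        //   Database.executeBatch(new ActionItemAccountRefresh(itemId, ownerId), 200);
        Set<Id> accountIds = new Map<Id, Account>(scope).keySet();

        List<ActionItemAccount__c> rows = new List<ActionItemAccount__c>();
        for (UserRecordAccess ura : [
            SELECT RecordId, HasReadAccess
            FROM UserRecordAccess
            WHERE UserId = :ownerId AND RecordId IN :accountIds
        ]) {
            // Keep only Accounts the owner can actually read.
            if (ura.HasReadAccess) {
                rows.add(new ActionItemAccount__c(
                    ActionItem__c = actionItemId,
                    Account__c = (Id) ura.RecordId
                ));
            }
        }
        insert rows;
    }

    public void finish(Database.BatchableContext bc) {}
}
```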

Martin Dernerxn

thanks a lot