Apex Code Development You need to sign in to do that
Don't have an account?
BBeaird Apex Managed Sharing for High Volume Portal Users
We are starting development on a new customer portal. Our users will be High-Volume Portal users. Our requirements for granting record access are beyond what the built-in sharing wizards can handle, so we were advised to use apex managed sharing instead. The problem is that when we have tried doing inserts into share tables (either standard of custom objects), we're getting this error:
System.DmlException: Insert Failed. First Exception on row 0; first error: FIELD_INTEGRITY_EXCEPTION, User/Group ID: id value of incorrect type: --3Z0000006vM70IAU: [UserorGroupId]
This was the code used:
AccountShare accountShare = new AccountShare();
accountShare.AccountId = '001Z00000078hL1';
accountShare.AccountAccessLevel = 'Edit';
accountShare.OpportunityAccessLevel = 'Edit';
accountShare.UserOrGroupId = '003Z0000006vM7O';
insert accountShare;
This error seems to be telling me that you can't use apex to share records with high volume portal users. If we can't do this, I do not know how else we will be able to provide customers with the access they need. I have read over the limitations at https://login.salesforce.com/help/doc/en/customer_portal_about_HVPUs.htm, but those do not explicitly rule out apex managed sharing.
We will not be using the out of the box customer portal. Ours will be 100% custom apex and visualforce. Our main objects are Account, Asset, Contract (a custom object referencing Account), and Payment (a custom object referencing contract) . We need the ability for users to view contracts from other accounts other than the account they are listed as a contact under. This is a core use case for us. We also need users to be able to view records from the Payment object that are related to any contract they have access to. The portal sharing wizards do cover these use cases - all they do is give the user access to objects directly related to the account under which they are a contact.
Any suggestions for how to do this sharing would be greatly appreciated.
It is telling you that you UserOrGroupID is an ID that is not of type user or group....
are you trying to share to users in a profile or users in a group?
You should query for the IDs and itenerate over them to add the sharing rules for each. Hardcoding the id is not best practice.
**After reading through the special case of HVPU I am not sure it is possible either.**
I am trying to share to a specific user - a high volume portal user. I did realize that I was referencing the portal user's contactID and not userID. However, when I tried the userID instead, I got a different error:
First exception on row 0; first error: FIELD_INTEGRITY_EXCEPTION, field integrity exception: unknown (invalid user or group: 005Z0000000ELiO): [unknown]
I copied and pasted that exact ID into a query for the user table, and it worked. Not sure why the insert into AccountShare still doesn't like it.
Just for testing, I switched out the portal user's ID for my own userid, and the statement completed successfully. It looks like it just doesn't like portal users. :-(
Also, the pasted code is just for the sake of a simple example. If we ever get it working, it would certainly not be hard-coded. This particular piece of code will only be dealing with one user at a time; it's essentially granting the user needed access during the self-registration process.
From what I read it says HVPU cannot be used in sharing rules and thus I believe that includes managed sharing.
A google search found similar problems and all responses seemd to indicate that it was not possible.
You can share records related to their account via sharing sets. Share account by setting them to public read (would affect everyone) etc, but it appears you can not pick and choose via sharing rule.
If that is the case, it is very bad news for us. That seems to leave us with 2 options:
1.) Only use portal managed users, which are a lot more expensive (we have 28,000 users we would be migrating from our existing portal)
2.) Abandon the use of salesforce sharing altogether and manage all permissions ourselves.
Neither of those options sound promising and kind of negate our whole reason for choosing salesforce to host our new portal to begin with.
Hi did you find a solution to this problem?
Yes portal users cannot be managed used Apex..however they have sharing settings...Did u explore this option.?
Our solution was to switch to Customer Portal Manager licenses, which allow Apex Managed rules.
High Volume Portal users do have sharing settings, but they are too limited for us. We need the ability for customers to gain access to Accounts and Contracts other than the one they register under. They gain access by providing some validation information. As the settings are now, there is no way for Contacts to access multiple Accounts/Assets/Contracts.
Thanks for mentioning that. We are currently trying to reconfigure the security setup where the portal users need to see the custom objects that belong to their Account and we are hoping to stick to the high volume users.
You should be ok as long as your custom objects have a lookup or master detail relationship directly to that customer's Account. Then it's just a matter of creating the portal sharing rules on those objects that match on account ID.
That is exactly what we ended up doing and it works great for us.
I am just doing some research to understand if there are any cons of using this license in terms of limitations. I know we cant transfer cases from non high volume to high volume users and these user cannot access the CRM content libraries.
Hi BBEaird.
I'm facing the same issue. Please let me know if you got any resolution for this problem.
Even I'm not able to give access of records to customer community users which having lookup to Account and Contact.
Please reply as soon as possible.
Thanks
I'm facing the same issue. Please let me know if you got any resolution for this problem.
Even I'm not able to give access of records to customer community users which having lookup to Account and Contact.
Please reply as soon as possible.
Thanks