Derrek Harrison 1

Salesforce UserRecordAccess query not returning results

I have an Apex class that is declared 'without sharing'. This class does some background processing and as a part of that processing, determines whether or not record owners have access to other records. This is accomplished by querying the UserRecordAccess object and filtering on RecordId and UserId (this is not the running user but instead different record owners from the system).

When I run the controller as a System Administrator, I get the expected results (results from the UserRecordAccess query with values in MaxAccessLevel). However, when I run the controller as a user with limited record access, queries to UserRecordAccess for any records that the running user does not have access to simply return no results. I see there is a line in the documentation for the object that says:
SOQL restrictions for API version 29.0 and earlier:
     
When the running user is querying a user's access to a set of records, records that the running user does not have read access to are filtered out of the results.
I am using API version 35 for my class so I would expect to get results back even when the current running user does not have read access to the record in question (I can query for that record without issue because I am in a 'without sharing' context). Am I missing something here for why I cannot get UserRecordAccess records? This seems like a bug to me since the purpose of the UserRecordAccess object is to be able to check access levels for a user that is not the current running user.

I have discovered an additional detail for this problem. If the current user does not have access to a record, the user can get their own UserRecordAccess, but not for a different user. This is still a problem because I am trying to answer the question 'Does the record owner for this record have access to another record?'. The record owner is frequently not the running user.

Here is a link to a gist for the basic controller/page I am using when I see these results: https://gist.github.com/dsharrison/b0b03c661bf65fc18348.

This question is also available at: http://salesforce.stackexchange.com/questions/102261/salesforce-userrecordaccess-query-not-returning-results 

Thanks for any insight,

D.S.
James Loghry
This is a security feature. If a user can't see the record, they can't see the UserRecordAccess for that record either. Your System Administrator profile works because it has a "View All Data" permission by default, which enables it to see all UserRecordAccess instances. If your running user's profile had the same permission, I suspect it too would be able to view all UserRecordAccess instances.

Seems odd that you still see this issue even with "without sharing" in your Apex class. Does it reference other classes that have "with sharing" turned on?
Derrek Harrison 1
I understand that with the sharing model enforced, I would not get a result from the query to UserRecordAccess, nor a result from the query to Opportunity. However, when I am in the 'without sharing' context (you can see in the gist (https://gist.github.com/dsharrison/b0b03c661bf65fc18348) I posted that the class is very simple and is not calling other methods from a 'with sharing' helper or anything like that) I still get no results from the query to UserRecordAccess, but I do get a result from the query to Opportunity.

I understand the Salesforce Security model when it comes to sharing and records, but I am baffled as to why when I am in a context where I can successfully query the record, I cannot query the UserRecordAccess for the record. My understanding of 'without sharing' is that it ensures that the sharing rules for the current user are not enforced. This is exhibited when I get a result back for Opportunity when the user has no read access to that record. What I am not understanding (and cannot find any documentation explaining what I am seeing) is why I cannot get UserRecordAccess when I am not enforcing sharing rules.
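
The check discussed in this thread, as an added example that is not the poster's gist or Salesforce's own code: a `without sharing` helper that queries UserRecordAccess for a given user and tracks which requested Ids produced no row, so that a row filtered out of the results is not mistaken for "no access". The class, method, and member names of the helper are hypothetical.

```apex
// Added example. OwnerAccessChecker, AccessResult and check() are hypothetical names.
public without sharing class OwnerAccessChecker {

    public class CheckerException extends Exception {}

    public class AccessResult {
        public Id recordId;
        // false means the query returned no row for this record at all,
        // which is different from a row whose MaxAccessLevel is 'None'.
        public Boolean rowReturned = false;
        // Value of UserRecordAccess.MaxAccessLevel; null when no row came back.
        public String maxAccessLevel;
    }

    // UserRecordAccess must be filtered on UserId and RecordId,
    // and a single query can cover at most 200 records.
    public static Map<Id, AccessResult> check(Id userId, Set<Id> recordIds) {
        if (recordIds.size() > 200) {
            throw new CheckerException('Pass at most 200 record Ids per call');
        }

        // Seed one entry per requested Id so missing rows stay visible.
        Map<Id, AccessResult> results = new Map<Id, AccessResult>();
        for (Id rid : recordIds) {
            AccessResult r = new AccessResult();
            r.recordId = rid;
            results.put(rid, r);
        }

        for (UserRecordAccess ura : [
            SELECT RecordId, MaxAccessLevel
            FROM UserRecordAccess
            WHERE UserId = :userId AND RecordId IN :recordIds
        ]) {
            AccessResult r = results.get((Id) ura.RecordId);
            r.rowReturned = true;
            r.maxAccessLevel = ura.MaxAccessLevel;
        }
        return results;
    }
}
```

Callers should treat `rowReturned == false` as "could not be determined for the running user" and fail closed, rather than recording it as the target user lacking access.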