Tolga Sunar

Ownership of Junction Object Record

Hello,

I have a security related issue here. Let me explain how I tried to reproduce, in my developer org, the issue I faced during a project:

I defined two users, one with the CEO role and the other with the Worker role. Obviously, the CEO is above the Worker in the hierarchy.

I defined three simple objects; ObjectA is the child of both ObjectX and ObjectY. I created the Master-Detail relationship between ObjectX and ObjectA first, therefore I expect ObjectA records to inherit the ownership from ObjectX according to SFDC documentation. Moreover, ObjectX and ObjectY possess a Private org-wide sharing setting.
  • Test 1: CEO creates an ObjectX record. Worker creates an ObjectY record. CEO creates the ObjectA record (Worker can't create it because it won't see the ObjectX record created by CEO). I expect the Worker not to see the ObjectA record, and it couldn't see it. That's OK.
  • Test 2: Worker creates an ObjectX record. CEO creates an ObjectY record. CEO creates the ObjectA record. I expect the Worker to see the ObjectA record, and it couldn't see it. This is unexpected; I should have had access to the ObjectA record.
What the documentation says regarding ownership inheritance in junction objects simply contradicts this test outcome. Could anyone point out the possible mistake in my methodology here? Am I missing something?

Thanks in advance.
 
Best Answer chosen by Tolga Sunar
Abhishek_DEO

Hi Tolga,

The theory of record ownership mentioned above is only relevant when you delete (both) master-detail relationships. In your case, CEO is the owner of the junction object's record because he created this record. And according to the role hierarchy, the worker will not have access to the records that CEO owns.

You may look into the following documentation (https://help.salesforce.com/apex/HTViewHelpDoc?id=dev_security.htm&language=en_US), which says:

"If the record has two master records in a many-to-many relationship, the user must have read access to both master records." (to view the junction object's record)


Thanks,

Abhishek 
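The rule quoted above ("read access to both master records") can be checked directly instead of by trial and error. The following anonymous Apex is an added example, not code from the thread: it asks the standard UserRecordAccess object which of the three records a given user can read, and reports which master record is the one blocking the junction record. It assumes API names ObjectX__c, ObjectY__c and ObjectA__c (with master-detail fields ObjectX__c and ObjectY__c on ObjectA__c), a junction record named 'Test 2 record', a user with alias 'worker', and that the running user is allowed to query UserRecordAccess on behalf of another user; all of these are placeholders.

```apex
// Assumed API names and record/user lookups (placeholders, not from the thread).
ObjectA__c junction = [SELECT Id, ObjectX__c, ObjectY__c
                       FROM ObjectA__c
                       WHERE Name = 'Test 2 record' LIMIT 1];
Id workerId = [SELECT Id FROM User WHERE Alias = 'worker' LIMIT 1].Id;

// The junction record plus its primary (ObjectX) and secondary (ObjectY) masters.
List<Id> ids = new List<Id>{ junction.Id, junction.ObjectX__c, junction.ObjectY__c };

// UserRecordAccess evaluates the full sharing model (OWD, role hierarchy,
// sharing rules, manual shares) for the given user, so it reflects what the
// worker would actually see, not just who owns the record.
Map<Id, Boolean> canRead = new Map<Id, Boolean>();
for (UserRecordAccess ura : [SELECT RecordId, HasReadAccess
                             FROM UserRecordAccess
                             WHERE UserId = :workerId AND RecordId IN :ids]) {
    canRead.put(ura.RecordId, ura.HasReadAccess);
}

Boolean readsX = canRead.get(junction.ObjectX__c) == true;
Boolean readsY = canRead.get(junction.ObjectY__c) == true;
Boolean readsA = canRead.get(junction.Id) == true;

System.debug('Worker reads ObjectX (primary master): ' + readsX);
System.debug('Worker reads ObjectY (secondary master): ' + readsY);
System.debug('Worker reads ObjectA (junction): ' + readsA);

// Junction visibility requires read access to BOTH masters; name the blocker.
if (!readsA) {
    if (!readsX) System.debug('Blocked by the ObjectX master record.');
    if (!readsY) System.debug('Blocked by the ObjectY master record.');
}
```

In the Test 2 scenario from the question this is expected to report read access to ObjectX but not to ObjectY (the CEO-owned record under a Private OWD), which is why the junction record stays hidden.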

All Answers

Ashlekh
Hi,

You need to check which of the Object X or Object Y references was created earlier, because there is a concept of Primary and Secondary master-detail, and so the child will inherit the Primary object's sharing.

-Thanks
Ashlekh Gera
Tolga Sunar
Hi Ashlekh,

Yes, I am aware of this concept. In my post, I stated that I created the Master-Detail relationship between ObjectX and ObjectA first; therefore this relationship should automatically be the primary one (unless I have to set this somewhere), and the ObjectA record should inherit ownership from the ObjectX record.

Here, I quote the SFDC documentation below:

The first master-detail relationship you create on your junction object becomes the primary relationship. This affects the following for the junction object records:
  • Record ownership: The junction object records inherit the value of the Owner field from their associated primary master record. Because objects on the detail side of a relationship do not have a visible Owner field, this is only relevant if you later delete both master-detail relationships on your junction object.

Thanks.
Tolga Sunar
Hi Abhishek,

You are correct. If the worker has to see the junction object's record, it should have at least "read" permission to both master records. That's the point I was missing.

Thanks for your help!