I want to know what level of CRUD access the current user has on a particular record.   In other words, can this user read, update and/or delete this record.  On the surface this seems like it should be simple using Apex.  However I'm at a loss.

 

This is particularly painful because the UI gives me the answer.  Go to a Record Detail page, click Sharing, click Expand List.  Voila!   A complete list of users that have access to that record, and what that access is.

 

So what's the best way to achieve this programmatically?

 

At least 3 things to consider:

 

1) Profile Permissions.  This part is simple.  The sObject's various Describe Result methods tell me whether a User's Profile permits him to read (isAccessible()) or update  (isUpdatable()) or delete (isDeletable()) records of this object type.   This is a top-level check.  It doesn't address this particular record, just records of this type.

 

2) Record ownership.  If 1) is satisfied, and the current user is the owner of this particular record, all CRUD operations should be available

 

3) Managed and Manual Sharing.  **Here's where I'm having trouble.**  Is there a simple way to discover if this record is shared with this user and with what level of access? The sharing information for a record can be found by querying its equivalent Share object (AccountShare is the sharing object for the Account object).  But if a sharing rule is defined on a Role (or Role plus subordinates), you cannot see all users given access by that rule!   As far as I can tell, you must:

 

  a) query the Share object's userOrGroupId column

  b) figure out if that Id is a User, Group or Role

  c) If it's a Role, query the groups table to find all users in that role

  d) If it's a Role, use recursive logic to find all users above that role in the role heirarchy

  e) If it's a Role and the sharing applies to this Role *and subordinates*, use recursive logic to find all users subordinate to that role in the role heirarchy

 

Isn't there a simpler way?

 

 

 

 

Is there a way to determine the record level access (view/edit) for a user? (Note: this is record level not object level)

 

The code will be running under a single user and for every record we need to determine which users in Salesforce have view and which users have edit access to the record.

 

Thanks! 

 

Is it possible to determine whether the current user has delete permissions (aka Full Access) for a particular record (custom object), without actually attempting to delete the record?

I'm creating some custom actions using VF/apex, and for some of them I want to limit who can perform the action to the same users who can delete the record.  The action does not involve deleting the record, but I want it to be more restrictive than who can perform an edit.

I looked into the sharing table (object_share) but that only lists the owner as Full Access.  Since anyone above the owner in the role hierarchy also has full access, and the hierarchy might be several levels tall, it seems like a tall order for my code to walk the entire hierarchy and determine if that applies.  Is there an easier way?

Thanks much!