I am unable to successfully delete a file from Salesforce with Apex when executed as a web service call from an external service. Running the following code behaves differently depending on whether it is executed anonymously via dev console or from the external service via the SOAP API. I've simplified the code to keep it succinct, but this captures the essence of what I'm trying to do.
 

global with sharing class CRMDocumentIntakeService{

    // CRM Document Metadata elements
    global class CRMDocMetadata{
        webservice String filenetGUID;
        webservice String documentID;
        webservice String docTitle;
        webservice String docDescription;
        webservice String docType;
        webservice Date   docReceivedDate;
        webservice String source;
        webservice String channel;
        webservice String workflowSubscription;
        webservice String indicator1;
        webservice String objectType;
        webservice String recordID;
    }    
}

global with sharing class CRMSFDCDocumentService{

    WebService static void processCRMDocument(CRMDocumentIntakeService.CRMDocMetadata filenetDoc,String messageID) {
        System.debug('Running user: ' + UserInfo.getUserName());
        CRMSFDCDocumentServiceHelper.processCRMDocument('0691g000000GkaNAAS');
    }
    
}

public with sharing class CRMSFDCDocumentServiceHelper {
  public static void processCRMDocument(Id documentId) {
      ContentDocument objContentDoc;
     
      objContentDoc = [SELECT Id FROM ContentDocument WHERE Id = :documentId];

      delete objContentDoc;

  }
}

I created a file by uploading a PDF to a Case record with my own user account. I have the Salesforce Files setting enabled to automatically use the "set by record" sharing option.

When I execute the code via the external service (triggered by outbound message), then I receive the following error message: Delete failed. First exception on row 0 with id 0691g000000GkaNAAS; first error: INSUFFICIENT_ACCESS_OR_READONLY, insufficient access rights on object id: []
If I log in as the same service account user and execute the code via developer console, then no error occurs and the file is successfully deleted. Here's the anonymous apex block I'm running:

CRMDocumentIntakeService.CRMDocMetadata filenetDoc = new CRMDocumentIntakeService.CRMDocMetadata();
filenetDoc.source = 'P8';
filenetDoc.indicator1 = 'CRM-a0g1g000000mT9p';
filenetDoc.filenetGUID = '{70949B73-0000-C210-9788-ECC0F8579CCE}';
filenetDoc.documentID = 'a0g1g000000mT9p';
filenetDoc.channel = 'WEB';

CRMSFDCDocumentService.processCRMDocument(filenetDoc, '6bc2316ed1bf13eaaef8');

I am aware that permissions around Salesforce Files work much differently than the old attachments object, but the fact that the service account user is able to delete the file from the Files tab in the UI and through Anonymous Apex leads me to believe that this difference may be due to how the web service call runs within system context.

I tried changing the classes to be "without sharing", but that did not make any difference. I also updated the API version to current (49.0) for all 3 classes to no avail. I also confirmed that the user has a CRM Content feature license and that the profile has the "Manage Salesforce CRM Content" permission enabled.

Any help would be most appreciated.

Thanks!

 

I came across an issue when attempting to access certain fields on the PermissionSet object when traversing the Parent relationship from the ObjectPermissions object. The Apex compiler fails and says variable does not exist when I try to reference the Parent.IsOwnedByProfile and Parent.Label fields. It works fine to reference Parent.Name and even Parent.Profile.Name, but fails when attempting to access other fields.

Here's some sample code:

List<ObjectPermissions> opList = [SELECT Id, SObjectType, ParentId, Parent.IsOwnedByProfile, Parent.Label, Parent.Name, Parent.Profile.Name FROM ObjectPermissions LIMIT 10];

if(!opList.isEmpty()) {
    system.debug('Parent Name: ' + opList[0].Parent.Name);  //This works just fine
    system.debug('Label: ' + opList[0].Parent.Label);       //This causes a compile error (Variable does not exist: Label)

    PermissionSet newPS = new PermissionSet();
    newPS = opList[0].Parent;
    system.debug('Label: ' + newPS.Label); //This works fine
}

Attempting to access the Label field with dot notation via the Parent relationship fails, but once I create a new instance of a PermissionSet and assign it to the same parent, then I can access it just fine.

This kind of feels like this is a polymorphic relationship. Epsecially given the generic "Parent" name of the relationship. The API documentation for the ObjectPermissions object does not mention any polymorphism for the ParentId field however. 

In any case, I was able to work around this by running a separate query for the parent PermissionSet records and creating a map to do lookups, but I found this behavior odd.

Does anyone know why this is happening and/or can confirm relationship polymorphism?

Thanks!

I am unable to successfully delete a file from Salesforce with Apex when executed as a web service call from an external service. Running the following code behaves differently depending on whether it is executed anonymously via dev console or from the external service via the SOAP API. I've simplified the code to keep it succinct, but this captures the essence of what I'm trying to do.
 

global with sharing class CRMDocumentIntakeService{

    // CRM Document Metadata elements
    global class CRMDocMetadata{
        webservice String filenetGUID;
        webservice String documentID;
        webservice String docTitle;
        webservice String docDescription;
        webservice String docType;
        webservice Date   docReceivedDate;
        webservice String source;
        webservice String channel;
        webservice String workflowSubscription;
        webservice String indicator1;
        webservice String objectType;
        webservice String recordID;
    }    
}

global with sharing class CRMSFDCDocumentService{

    WebService static void processCRMDocument(CRMDocumentIntakeService.CRMDocMetadata filenetDoc,String messageID) {
        System.debug('Running user: ' + UserInfo.getUserName());
        CRMSFDCDocumentServiceHelper.processCRMDocument('0691g000000GkaNAAS');
    }
    
}

public with sharing class CRMSFDCDocumentServiceHelper {
  public static void processCRMDocument(Id documentId) {
      ContentDocument objContentDoc;
     
      objContentDoc = [SELECT Id FROM ContentDocument WHERE Id = :documentId];

      delete objContentDoc;

  }
}

I created a file by uploading a PDF to a Case record with my own user account. I have the Salesforce Files setting enabled to automatically use the "set by record" sharing option.

When I execute the code via the external service (triggered by outbound message), then I receive the following error message: Delete failed. First exception on row 0 with id 0691g000000GkaNAAS; first error: INSUFFICIENT_ACCESS_OR_READONLY, insufficient access rights on object id: []
If I log in as the same service account user and execute the code via developer console, then no error occurs and the file is successfully deleted. Here's the anonymous apex block I'm running:

CRMDocumentIntakeService.CRMDocMetadata filenetDoc = new CRMDocumentIntakeService.CRMDocMetadata();
filenetDoc.source = 'P8';
filenetDoc.indicator1 = 'CRM-a0g1g000000mT9p';
filenetDoc.filenetGUID = '{70949B73-0000-C210-9788-ECC0F8579CCE}';
filenetDoc.documentID = 'a0g1g000000mT9p';
filenetDoc.channel = 'WEB';

CRMSFDCDocumentService.processCRMDocument(filenetDoc, '6bc2316ed1bf13eaaef8');

I am aware that permissions around Salesforce Files work much differently than the old attachments object, but the fact that the service account user is able to delete the file from the Files tab in the UI and through Anonymous Apex leads me to believe that this difference may be due to how the web service call runs within system context.

I tried changing the classes to be "without sharing", but that did not make any difference. I also updated the API version to current (49.0) for all 3 classes to no avail. I also confirmed that the user has a CRM Content feature license and that the profile has the "Manage Salesforce CRM Content" permission enabled.

Any help would be most appreciated.

Thanks!

 

I came across an issue when attempting to access certain fields on the PermissionSet object when traversing the Parent relationship from the ObjectPermissions object. The Apex compiler fails and says variable does not exist when I try to reference the Parent.IsOwnedByProfile and Parent.Label fields. It works fine to reference Parent.Name and even Parent.Profile.Name, but fails when attempting to access other fields.

Here's some sample code:

List<ObjectPermissions> opList = [SELECT Id, SObjectType, ParentId, Parent.IsOwnedByProfile, Parent.Label, Parent.Name, Parent.Profile.Name FROM ObjectPermissions LIMIT 10];

if(!opList.isEmpty()) {
    system.debug('Parent Name: ' + opList[0].Parent.Name);  //This works just fine
    system.debug('Label: ' + opList[0].Parent.Label);       //This causes a compile error (Variable does not exist: Label)

    PermissionSet newPS = new PermissionSet();
    newPS = opList[0].Parent;
    system.debug('Label: ' + newPS.Label); //This works fine
}

Attempting to access the Label field with dot notation via the Parent relationship fails, but once I create a new instance of a PermissionSet and assign it to the same parent, then I can access it just fine.

This kind of feels like this is a polymorphic relationship. Epsecially given the generic "Parent" name of the relationship. The API documentation for the ObjectPermissions object does not mention any polymorphism for the ParentId field however. 

In any case, I was able to work around this by running a separate query for the parent PermissionSet records and creating a map to do lookups, but I found this behavior odd.

Does anyone know why this is happening and/or can confirm relationship polymorphism?

Thanks!