
Is there any possible way to fetch the SFDC standard objects such as Accounts, Opportunity, Contacts and Leads based on the accessibility rules configured in SFDC using the REST API of SFDC? If yes, then how exactly can we pass the user-specific details along with passing the admin user's access key for the connected app?

1 Answer


So you want a single login to the API as system administrator, but to run queries filtered by Salesforce as if user X were asking, taking into account org-wide defaults, sharing rules etc.?

You might want to experiment with UserRecordAccess; it's simpler than checking AccountShare tables, traversing groups, all that mess. But you might have to do it in 2 steps.

This doesn't work:

SELECT RecordId
FROM UserRecordAccess
WHERE UserId = '005700000012zKY' AND HasReadAccess = true
AND RecordId IN (SELECT Id FROM Account)

But this is promising:

// Step 1: collect the candidate record Ids (UserRecordAccess accepts at most 200 Ids per query)
Set<Id> ids = new Map<Id, Account>([SELECT Id FROM Account LIMIT 200]).keySet();

// Step 2: ask Salesforce which of those records the given user can read
System.debug([SELECT RecordId
    FROM UserRecordAccess
    WHERE UserId = '005700000012zKY' AND HasReadAccess = true
    AND RecordId IN :ids
]);

(yes, there's some limit to 200 records)

If this feels too clunky, maybe best would be to really not have an admin account in the integration but let people log in to SF through your app and "naturally" fetch / edit only what they can see? For the current user, UserRecordAccess can be used directly in the main query: select id, name, userrecordaccess.haseditaccess from account. You could then even use "scopes" if you have fancy queues set up or territories.

eyescream
  • Thanks, it makes sense. By the 2nd approach, in which you mentioned not integrating the admin account and allowing users to log in to SF through the external app, does that mean rendering the SF login page in the external app? Or is there any REST API support for login from the external app without using the SFDC connected app configuration? – Raj Bhavsar Feb 09 '22 at 11:12
  • However you want. Your app can have a username/password form and users would enter these in the app, then you pass them over to SF (search "username password flow" in SF help). Not too secure, but you planned a similar thing with a dedicated admin account? But if your app can open a webpage, point the guy to the SF login screen and capture the callback back to the app - that'd be better. Look at how sfdx or Data Loader does it; you don't need to be a website to use a browser (although it helps). Bonus points: displaying the SF login screen lets your users log in with single sign-on. Search help for "web server flow" – eyescream Feb 09 '22 at 13:13
  • https://stackoverflow.com/q/69799243/313628 might be a good read – eyescream Feb 09 '22 at 13:14
  • I'm trying to do something similar to your answer @eyescream but I have an issue. I'm trying to do [SELECT UserRecordAccess.HasEditAccess FROM Account] on an account I know the current user does not have edit access to. But it always returns true. Do you know why? – billg118 Jan 03 '23 at 13:23
  • @billg118 might be better as a separate question. Are you sure you didn't mark the class as `without sharing`? If it's an internal user - can you switch to Classic UI, click the Sharing button, expand the list, find that user and verify they really have read-only? The URL will be similar to `/p/share/AccSharingDetail?parentId=0015J00000Pdi0e` (put your account id). If it's a community user - trickier, check "sharing sets" maybe. And remember "ogres have layers". Profiles/Permission Sets are checked first to see if you can edit accounts at all. Sharing of this particular record is checked in step 2. – eyescream Jan 03 '23 at 16:52
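The two-step pattern from the answer (list the candidate Ids, then ask UserRecordAccess which ones a given user can read) can be driven over the REST API that the question asks about instead of from Apex. The example below is added here and is not code from the answer or from Salesforce; it assumes the standard REST query endpoint `/services/data/v<version>/query/?q=<SOQL>`, an OAuth access token for the integration (connected-app) user, API version `58.0`, the instance URL `example.my.salesforce.com`, and the 200-Id-per-query limit the answer mentions. The `FakeSalesforce` class is a constructed stand-in for an org so the logic runs offline; `http_send` is the real transport. Because the REST query endpoint has no bind variables, the user Id and record Ids are spliced into the SOQL string, so the example validates every Id's shape before it is interpolated.

```python
"""Two-step "what can user X read?" check, done over the Salesforce REST API.

Added example (not the answer's own code). Assumes the standard REST query
endpoint /services/data/v<version>/query/?q=<SOQL>, an OAuth access token for
the integration (connected-app) user, and the 200-record-Id limit per
UserRecordAccess query that the answer mentions. The org data below is
constructed; a real HTTP sender is provided but the demo uses a fake one.
"""
import json
import re
import urllib.parse
import urllib.request

SF_ID = re.compile(r"^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$")  # 15- or 18-char Id
USER_RECORD_ACCESS_BATCH = 200  # max record Ids per UserRecordAccess query


def is_sf_id(value: str) -> bool:
    """True only for a well-formed Salesforce Id (15 or 18 alphanumerics)."""
    return bool(SF_ID.match(value))


def require_sf_id(value: str) -> str:
    """The REST query endpoint has no bind variables, so every Id is spliced
    into the SOQL string. Validating the shape first is the injection guard."""
    if not is_sf_id(value):
        raise ValueError(f"not a Salesforce Id: {value!r}")
    return value


def query_url(instance_url: str, api_version: str, soql: str) -> str:
    """Build the REST query URL with the SOQL percent-encoded."""
    return f"{instance_url}/services/data/v{api_version}/query/?q={urllib.parse.quote(soql)}"


def run_query(send, instance_url, token, api_version, soql):
    """Run one SOQL query and follow nextRecordsUrl until the result is done.
    `send(url, headers) -> dict` performs the HTTP GET (see http_send)."""
    url = query_url(instance_url, api_version, soql)
    headers = {"Authorization": f"Bearer {token}"}
    records = []
    while True:
        body = send(url, headers)
        records.extend(body["records"])
        if body.get("done", True):
            return records
        url = instance_url + body["nextRecordsUrl"]


def readable_account_ids(send, instance_url, token, api_version, user_id):
    """Step 1: list Account Ids as the integration user.
    Step 2: ask UserRecordAccess which of them `user_id` can read, 200 at a time."""
    user_id = require_sf_id(user_id)
    rows = run_query(send, instance_url, token, api_version, "SELECT Id FROM Account")
    all_ids = [require_sf_id(r["Id"]) for r in rows]
    readable = []
    for start in range(0, len(all_ids), USER_RECORD_ACCESS_BATCH):
        chunk = all_ids[start:start + USER_RECORD_ACCESS_BATCH]
        id_list = ", ".join(f"'{x}'" for x in chunk)
        soql = ("SELECT RecordId FROM UserRecordAccess "
                f"WHERE UserId = '{user_id}' AND HasReadAccess = true "
                f"AND RecordId IN ({id_list})")
        readable.extend(r["RecordId"] for r in run_query(send, instance_url, token, api_version, soql))
    return readable


def http_send(url, headers):
    """Real sender: GET the URL with the bearer token and parse the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class FakeSalesforce:
    """Constructed stand-in for an org: 250 Accounts served as 200 + 50 pages,
    and the user may read only the even-numbered ones."""

    def __init__(self, n_accounts=250):
        self.account_ids = [f"001{n:012d}AAA" for n in range(n_accounts)]
        self.readable = {x for n, x in enumerate(self.account_ids) if n % 2 == 0}
        self.calls = 0

    def __call__(self, url, headers):
        self.calls += 1
        assert headers["Authorization"].startswith("Bearer ")
        if url.endswith("/query/01gFAKE-2"):  # second page of the Account query
            return {"done": True, "records": [{"Id": x} for x in self.account_ids[200:]]}
        soql = urllib.parse.unquote(url.split("?q=", 1)[1])
        if soql.startswith("SELECT Id FROM Account"):
            return {"done": False, "nextRecordsUrl": "/services/data/v58.0/query/01gFAKE-2",
                    "records": [{"Id": x} for x in self.account_ids[:200]]}
        asked = re.findall(r"'([A-Za-z0-9]{15,18})'", soql.split("RecordId IN", 1)[1])
        return {"done": True, "records": [{"RecordId": x} for x in asked if x in self.readable]}


if __name__ == "__main__":
    org = FakeSalesforce()
    ids = readable_account_ids(org, "https://example.my.salesforce.com", "FAKE_TOKEN", "58.0", "005700000012zKY")
    print(f"{len(ids)} of {len(org.account_ids)} accounts readable, {org.calls} REST calls")
```

Against a real org, pass `http_send` instead of the fake and a token obtained through one of the OAuth flows the comments mention. The result is only a read filter: as the last comment notes, object-level access from profiles and permission sets is checked before record sharing, so a record missing from the list may be invisible for either reason.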