how-to-deal-with-the-salesforce-insufficient-privileges-error

How to Deal with the Salesforce Insufficient Privileges Error

By

Editor’s note: This is a popular blog post, so we’ve updated it with the latest information and resources on September 8, 2020.

In my experience, the email or phone call starts out something like this: “I clicked on this [insert link, account, etc. here] and I’m getting an ‘Insufficient Privileges’ error… I know I should be able to see this, and I need you to fix this NOW!”

As a Salesforce Admin, if you haven’t received a user email or phone call like this, don’t worry — you will. And you need to fix it, or at least gain a better understanding of the situation.

So, let’s set the context. In the case of the Insufficient Privileges error, a user can’t access a record or perform a task, like run a report, because they most likely don’t have the required permission or sharing setting. Here are six questions you should ask when tackling this error.

1. Should they really have access?

I know it’s tempting at first to dive into the problem and start checking profiles and permission sets (and I promise we will get to that), but let me tell you firsthand — this is where you start. For example, in one instance I had a user (who was part of an East Coast team) share a link to a Dashboard with another user (who was part of the West Coast team). But they couldn’t see it. And there was a reason for that: The Dashboards were in folders, and only certain users had access to view each. In this case, ask the user what they were trying to view and double-check with their manager that they should have access to that record or to perform that task. Sometimes, it’s just a simple misunderstanding.

2. What does the profile say?

So, the user was right — they do need access. Now where do we go? The profile. Verify the object permissions in the user’s profile. Object permissions, configured on Profiles and Permission sets, determine which objects a user can read, create, edit, or delete. On the user detail page, click the user’s profile. On the profile overview page, go to Object Settings or Object Permissions.

Note the permissions for the object. If the user is trying to view an account, check that the “Read” permission for the account and contact objects on the user profile is enabled. If the user is trying to run a report, check that the user has “Read” permission on an object that the report references.

Remember from your Salesforce Admin 201 course that the Profile controls all. I start by looking at the Profile to make sure the user has access to the object that contains the information. This comes in handy when someone shares a report link with another user who may not have access to the object being reported on.

3. Do they have the permission set they need?

If your organization uses the Principle of Least Privilege or is utilizing the new Minimum Access User Profile, then you’ll need to check and verify that the permissions in the user’s permission set are there. On the user detail page, scroll to the Permission Set Assignments related list and click each permission set. On the permission set overview page, click Object Settings and review the assigned object permissions. Review the user permissions in the App Permissions andSystem Permissions sections. Repeat these steps for each permission set assigned to the user.

4. Is the error at the record level?

So, we checked the profile and the permission set, and both show the user should have access to the object. Now, let’s dig a bit deeper to the record level. If your organization uses roles, check the user’s role in relation to the record owner.

For example, users can delete records only if they are the record owner, higher in the role hierarchy than the record owner, or the administrator. Similarly, users always have read access to records whose owners are below them in the role hierarchy, unless Grant Access Using Hierarchies is deselected (custom objects only).

To check the user’s Role in Hierarchy, from Setup, enter Users in the Quick Find box, then select Users.

Verify the role of the user and the role of the user who owns the record. A user can’t delete or merge accounts owned by someone in an unrelated role hierarchy, even if the user has the appropriate permissions on the objects.

It could be a sharing rule issue. Maybe the East Coast salesperson shared the link but forgot to update the record to trigger a sharing rule or manually share the record.

First, check that the user is included in the sharing rules. To do that from Setup, enter “Sharing Settings” in the Quick Find box, then select Sharing Settings. Check the public group (or other categories such as roles or queues), and verify that the user is included in that sharing rule.

If your organization uses teams for accounts, opportunities, or cases, check that you didn’t miss the user when you set up the teams. Review your teams to determine if the user is supposed to have access through a team. From Setup, enter the team that you want to check, such as Account Teams, in the Quick Find box, then select the team.

Add the user to the team, if appropriate.

Maybe the user did press the sharing button and, at one point, they could view the record. However, if the user had access via a manual share, they may have lost this access because:

  • The record owner changed, causing the manual share to be automatically dropped.
  • The record owner, an administrator, or a user above the owner in the role hierarchy removed the manual share using the Sharing button on the record detail page.
    • On the record detail page, click Sharing.
      The Sharing Detail page shows the users, groups, roles, and territories that have access to the record.
    • If the user must gain access via a manual share, create a manual share by clicking Add.

Finally, review your territories. If your organization is using territories, check that the user is included in the territories and the record is under the correct territory where the user is a member.

5. Have you checked the field-level security?

Field-level security lets you restrict users’ access to view and edit specific fields. It’s possible that since the requirement was taken, the individual’s role or position has changed. Or, maybe someone was a bit over-zealous in their restrictions. So, check the field-level security to see if that user has a Profile where the field is accessible.

6. What about the folder access?

I see the Insufficient Privileges error come up quite a bit with users sharing reports via a URL. The problem can arise when the user who is getting the report shared to them doesn’t have access to the report because it’s in a folder they can’t access. Uh, did you follow that? Let’s try that again. Let’s say Gavin has this awesome report (chart included) and wants to send it to his colleague, Claire. But Gavin forgot that he saved a report to a folder that Claire doesn’t have access to. So, when Claire clicks on the link, guess what happens? You guessed it: Insufficient Privileges error.

The key to dealing with this error is to think your way through it. Don’t let the urgency of the situation throw off a thorough process check. Remember, as a Salesforce Admin, you think and see things differently than many users do. Where they see something that is shutting them down, you see an opportunity to shine and show your skills. Be sure to investigate all of your settings. This could be a learning moment for you and a real chance to show off your professionalism. Not to mention, another reason to always be reevaluating people and processes to drive improvement.

Resources:

Salesforce Help & Training

Video resources

Trailhead resources

Security: Maintain a healthy, secure org with these latest resources for Salesforce Admins.

How to Create an Admin Page Layout

In case you haven’t noticed, but Salesforce Admins are special. As a Salesforce Admin you have to be special because you are the first one called on if there is a problem. Let’s take a simple problem, but one I run into more often than not- like data being populated in a field and troubleshooting […]

READ MORE

How to make your Salesforce Page Layouts awesome

For as much as I would like to think I’m a web designer- I am not. I think web design is fascinating especially if you look at web pages from just a few years ago to now- so much has changed. But Salesforce Admins- to some degree- have to be web designers. I mean we […]

READ MORE

How to Display Revision History in Chatter

Have you ever needed to implement something in Salesforce that didn’t have a button click solution? I recently helped out some of our #AwesomeAdmins at Salesforce so that a Chatter feature I worked on could be enabled internally. If it helped out admins at Salesforce, maybe it’ll help you too. So let’s walk through it! […]

READ MORE