Asset lookup returning results that end user does not have access to when Asset Sharing is enabled
Last updated 2017-04-14 ·Reference W-2811596 ·Reported By 5 users
Summary
Some customers have observed that their end users can see Asset records in the Asset lookup dialog on a given entity that they do not have access to. This happens when the Organization-Wide Default (OWD) for Assets is set to Private and the org has Asset Sharing enabled.
Users, despite being able to find these Asset records through the lookup, get the following error when they attempt to save the record that references them:
Insufficient Privileges
You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary. For more information, see Insufficient Privileges Errors.
Click here to return to the previous page.
Note that the same Asset record does not come up via any other means, such as:
1. Global Search
2. SOSL
3. SOQL
4. Accessing the URL of the record directly.
Repro
1) Enable Asset Sharing.
2) Create a custom object.
3) On the object, create two fields that are Master-Detail to Asset and Opportunity respectively.
4) Create a new user profile by cloning Standard User and give the profile Read/Create/Edit permissions on this custom object.
5) Create a Public Group and put a user with this profile in the group.
6) Change Sharing Settings as follows: Organization-Wide Defaults for Account, Contract, Opportunity and Asset are all Private.
7) Create an Account Sharing Rule that shares with the group from step 5, granting Read Only, based on the criteria that the Account Name does not contain 'XYZ'.
8) Create an Opportunity Sharing Rule that shares with the group, granting Read/Write, based on the criteria that the Opportunity Name does not contain 'XYZ'.
9) Create an Asset Sharing Rule that shares with the group, granting Read/Write, based on the criteria that the Serial Number contains '5'.
10) Create six assets named "Asset 1" through "Asset 6" with the following Account / Serial Number combinations:
Asset 1: (no account) / 5
Asset 2: (no account) / 6
Asset 3: Acme / 5
Asset 4: Acme / 6
Asset 5: XYZ / 5
Asset 6: XYZ / 6
11) Add the custom object from step 2 to the Related Lists section of the Opportunity page layout.
12) Log in as the user from step 5, open an opportunity and create a new custom object record from the related list.
13) Using the magnifying glass icon next to the Asset field, search for "Asset*".
Expected: only the assets whose Serial Number contains '5' (Asset 1, 3 and 5) are returned, because those are the only ones shared with the user through the Asset sharing rule. Actual: the lookup also returns every asset that has an associated Account, as long as that Account itself is visible to the user performing the lookup (in the data above, Asset 4 on Acme is returned even though no Asset sharing rule covers it). The user can select one of these extra results and attempt to save the custom object record, but the save fails at that point with the Insufficient Privileges error above, because sharing is enforced on the write. The defect is therefore a disclosure of Asset records (their existence and name) through the lookup dialog only; Global Search, SOSL, SOQL, direct URL access and the save itself all respect the sharing model.
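As an added check that is not part of this known-issue page or of Salesforce's own test material, the anonymous Apex below can be run by an administrator after steps 1 through 9 have been configured. It creates the six repro assets and compares the set that the Asset sharing rule from step 9 should expose with what the platform actually grants the test user, as reported by UserRecordAccess. The test user's username ('lookup.test@example.com'), the Account names 'Acme' and 'XYZ', and the contact used for the two "no account" assets are assumptions for this example. The lookup dialog itself cannot be exercised from Apex, so the final manual step (log in as the test user and run the lookup) still has to be done by hand; any asset the lookup returns beyond the set this script prints as readable is the leak described in this issue.

```apex
// Added example (not code from the Salesforce known-issue page): anonymous Apex run
// by an admin after configuring the sharing settings and rules from the repro.
// Assumed names: test user 'lookup.test@example.com', accounts 'Acme' and 'XYZ'.
User testUser = [SELECT Id FROM User WHERE Username = 'lookup.test@example.com' LIMIT 1];

// Constructed repro data. An Asset must reference an Account or a Contact, so the two
// "no account" assets are attached to a Contact that has no Account instead.
Account acme = new Account(Name = 'Acme');
Account xyz  = new Account(Name = 'XYZ');
insert new List<Account>{ acme, xyz };
Contact orphan = new Contact(LastName = 'No Account');
insert orphan;

List<Asset> assets = new List<Asset>{
    new Asset(Name = 'Asset 1', SerialNumber = '5', ContactId = orphan.Id),
    new Asset(Name = 'Asset 2', SerialNumber = '6', ContactId = orphan.Id),
    new Asset(Name = 'Asset 3', SerialNumber = '5', AccountId = acme.Id),
    new Asset(Name = 'Asset 4', SerialNumber = '6', AccountId = acme.Id),
    new Asset(Name = 'Asset 5', SerialNumber = '5', AccountId = xyz.Id),
    new Asset(Name = 'Asset 6', SerialNumber = '6', AccountId = xyz.Id)
};
insert assets;
Set<Id> assetIds = new Map<Id, Asset>(assets).keySet();

// Expected visibility mirrors the Asset sharing rule from step 9: Serial Number contains '5'.
Set<Id> ruleGrantsRead = new Set<Id>();
for (Asset a : assets) {
    if (a.SerialNumber.contains('5')) {
        ruleGrantsRead.add(a.Id);
    }
}

// Actual visibility as the platform computes it for the test user (sharing rules,
// role hierarchy and manual shares combined). UserRecordAccess accepts one UserId
// and up to 200 RecordIds per query.
Set<Id> platformGrantsRead = new Set<Id>();
for (UserRecordAccess ura : [
        SELECT RecordId, HasReadAccess
        FROM UserRecordAccess
        WHERE UserId = :testUser.Id AND RecordId IN :assetIds]) {
    if (ura.HasReadAccess) {
        platformGrantsRead.add(ura.RecordId);
    }
}

// Print one line per asset so the two sets can be compared against what the
// lookup dialog shows when the test user searches for "Asset*".
for (Asset a : assets) {
    System.debug(a.Name + ' (serial ' + a.SerialNumber + '): ruleGrantsRead='
        + ruleGrantsRead.contains(a.Id) + ' platformGrantsRead='
        + platformGrantsRead.contains(a.Id));
}

// The page states that URL access, SOQL and SOSL respect sharing, so these two sets
// should match (Asset 1, 3 and 5); only the lookup dialog is expected to differ.
System.assertEquals(ruleGrantsRead, platformGrantsRead,
    'Platform read access differs from the Asset sharing rule');
```

The script deliberately leaves the accounts, contact and assets in place so that the manual lookup check in steps 12 and 13 can be run against them as the test user; delete them afterwards. Because an admin is inserting the records, the admin must have the permission needed to query UserRecordAccess for another user (View All Data or Modify All Data).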
Workaround
- None at this time
Any unreleased services, features, statuses, or dates referenced in this or other public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available.