Non-View All Data users cannot get a record through a REST External ID resource if the external ID is not unique
Last updated 2018-10-23 · Reference W-2264598 · Reported By 23 users
A user who doesn't have the "View All Data" permission cannot retrieve field values on a record using HTTP GET through an "SObject Rows by External ID" REST resource if the external ID is not unique. The request fails with the "Provided external ID field does not exist or is not accessible" error.
This behaviour may be modified, or it may be documented.
1. Create a custom field on Account and make it an external ID and non-unique.
2. Create an Account record and set a value in the external ID field.
3. Log in to Workbench as a user who doesn't have the View All Data (VAD) permission, such as a Standard User profile user.
4. Retrieve the Account record using the GET method through an external ID resource:
HTTP/1.1 404 Not Found
"errorCode" : "NOT_FOUND",
"message" : "Provided external ID field does not exist or is not accessible: RestIndexTest__c"
A user who has read access to the record can retrieve the record details via REST.
- Make the ExternalID field Unique
- Give the user a profile with the View All Data permission. **Be aware** that this will expose all of your organization's data to the user.
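An added example, not from the original report or from Salesforce: a triage helper that lists external ID fields not marked unique in an sObject describe result and checks whether a 404 body from the external ID resource names one of them, so the field can be made unique instead of granting View All Data. The describe and error samples are constructed, `Legacy_Key__c` and the function names are hypothetical, and the describe is assumed to be fetched by an administrator.

```python
import json

# Constructed sample: trimmed describe result for Account, fetched as an admin.
# RestIndexTest__c is the field from the error above; Legacy_Key__c is hypothetical.
SAMPLE_DESCRIBE = json.loads("""{"name": "Account", "fields": [
  {"name": "Name", "externalId": false, "unique": false},
  {"name": "RestIndexTest__c", "externalId": true, "unique": false},
  {"name": "Legacy_Key__c", "externalId": true, "unique": true}]}""")

ERROR_PREFIX = "Provided external ID field does not exist or is not accessible: "

# Constructed sample: the 404 body from the report, wrapped in a JSON array (assumed).
SAMPLE_ERROR_BODY = json.dumps(
    [{"errorCode": "NOT_FOUND", "message": ERROR_PREFIX + "RestIndexTest__c"}])


def non_unique_external_ids(describe):
    """Names of fields flagged as external ID but not unique."""
    return [f["name"] for f in describe.get("fields", [])
            if f.get("externalId") and not f.get("unique")]


def triage_404(body, describe):
    """Return (field, verdict) for a 404 body from the external ID resource.

    known_issue       - field is a non-unique external ID (the case in this report)
    other_cause       - field exists in the describe but is not a non-unique external ID
    field_not_visible - field is absent from the describe (wrong name or no field access)
    unrelated         - body is not the external ID error at all
    """
    errors = json.loads(body)
    if isinstance(errors, dict):  # tolerate a bare object as well as an array
        errors = [errors]
    affected = set(non_unique_external_ids(describe))
    visible = {f["name"] for f in describe.get("fields", [])}
    for err in errors:
        msg = err.get("message", "")
        if err.get("errorCode") != "NOT_FOUND" or not msg.startswith(ERROR_PREFIX):
            continue
        field = msg[len(ERROR_PREFIX):].strip()
        if field in affected:
            return field, "known_issue"
        return field, "other_cause" if field in visible else "field_not_visible"
    return None, "unrelated"


if __name__ == "__main__":
    print(non_unique_external_ids(SAMPLE_DESCRIBE))
    print(triage_404(SAMPLE_ERROR_BODY, SAMPLE_DESCRIBE))
```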