Microsoft Dynamics CRM (Archived)

Where do access teams in CRM get cascade permissions from?

Posted by Microsoft Employee

We have Account access team in our CRM system.

This account access team is able to view/edit all opportunities associated with the account. But, the account access team is not able to even view leads associated with the account.

Need to know why the behavior is different for opportunities/leads. Where are the access team cascade permissions defined or derived from?

  • Community Member Microsoft Employee
    RE: Where do access teams in CRM get cascade permissions from?

    1. Filling in the lookup field for the first time, before or after creating the record, is changing the parent from "nothing" to "something", so this is a reparent action, exactly the same as (2).

    2. When the parent of the Opp is changed by filling in, or changing, the lookup to the parent Account, then the cascading behaviour for "Reparent" determines whether or not anything happens. "Cascade All" or "Cascade Active" will add an implicit share to the Opp granting access for the owner of the Account, and for the Access Team of the Account (if there is one already), and for anyone that has an explicit or implicit share on the Account.

    Owner gets full rights (but their privileges might trump this - e.g. if Alice (the owner of the Account) has Delete:None for Opps, then they can't delete this Opp any more than they can delete their own). Basically they can do anything to this Opp that they could do to it if they owned it, even though they do not.

    Shares from the Account (whether user, team, or Access Team) are copied with the same shared rights down to Opp. Again, privileges might overrule these - if Bob has Delete:User on Account, and this Account record is shared with Bob with Delete rights, this will cascade down to the Opp. But if Bob has delete:none on Opps, he still can't delete it.

    All of this is done by reparent: the only thing that changed is the lookup, not ownership or sharing or anything else.

    3. Access Teams use sharing. The system creates a Team, adds a user to it and shares the record with the Team. Sharing cascade rules determine if this is cascaded down to the Opps or not.

    If Cascade:All, the Access team will have shared rights to the Opp the same as to the Account, which means that users in that Team have those rights too. Cascade:Active will only affect Open Opps. Cascade:User Owned would only share Alice's Opps, not Charlie's (under the same Account).

    4. If you have Assign cascading, then the Opps will also get assigned. If you have reparent Cascading, there is a cleanup here - Alice will no longer have rights to the Opps she does not own. The new owner does not gain any rights.

    5. Account>Account changes: yes, this is a reparent, but a reparent of the Account in the Account: Parent Company / Account relationship. So this would give rights to the owner or sharers of the parent account over the child account. This might then cascade down to the Opportunities, depending on the Account:Opp relationship cascading behaviours.

    Phew!

  • Community Member Microsoft Employee
    RE: Where do access teams in CRM get cascade permissions from?

    Sorry... Let me rephrase my question.

    What cascade permissions from Account - Opportunity apply to the Account Access team for the following cases: Share/Reparent/Assign

    1. When an opportunity is associated to the account during creation

    2. When the parent of an opportunity is changed

    3. When an access team is added to an account already having opportunities

    4. When an account is assigned to a different user, opportunity records get cascaded as per which permission

    5. When a child account's parent account is changed, is it also reparenting?

    Thanks!

  • Community Member Microsoft Employee
    RE: Where do access teams in CRM get cascade permissions from?

    Thanks, Adam, for the detailed response.

    Can you advise on the below cases?

    Case 1: An account with an access team exists. If a new opportunity is added (and not reparented by changing account), would Share or Reparent permissions kick in for the access team?

    Case 2: Also, you said the changes are not retrospective in nature. So, if there are 3 opportunities associated with an account and "then" the access team is added, would Share permissions still kick in?

  • Suggested answer
    Community Member Microsoft Employee
    RE: Where do access teams in CRM get cascade permissions from?

    You need to look at the 1:N relationships from Account to Opp, and Account to Lead. In the cascading behaviours section, look at the cascade for Share and Reparent and set to something appropriate. These will only affect future changes; there is nothing retrospective here.

    If an Account has 3 Opps, and then an Access Team is added to the Account, the Account record is shared with the Team and this cascades down to the Opps according to the "Share" cascade rules (All, Active, User Owned, or none).

    If an Account has an Access team already, and you add a new Opp to the Account, the Access Team share cascades down to the new Opp according to the Reparent cascade rule.

    Share kicks in when the parent record is shared, or the shares are changed. Reparent kicks in when a record is linked (via a lookup) to the parent record.

    This post has a SQL script that you might find useful as a starting point to investigate this, if you have on-prem with access to the SQL server:

    Figuring out shares in the PrincipalObjectAccess POA table in CRM

    You would probably want to filter for entity (object) type codes 1, 3 and 4 (Account, Opp, Lead) and it might be helpful to add some extra joins to get the parent Account for the Leads and Opps so you can see which belongs to which.
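
The Share and Reparent rules described in the answers in this thread, including the point that a cascaded share is still capped by the user's own privileges, as a simplified Python model. This is an added example, not code from any poster or from Dynamics CRM; the `Record` class, the function names, the `access_team` principal and the cascade settings in `demo()` are constructed for illustration, and the account owner's implicit share is left out.

```python
from dataclasses import dataclass, field
@dataclass
class Record:
    kind: str                                    # "account", "opportunity" or "lead"
    owner: str
    is_open: bool = True
    shares: dict = field(default_factory=dict)   # principal -> set of rights
    children: list = field(default_factory=list)

def _cascades(mode, child, parent):
    # Which children each cascade setting reaches, as described in the thread.
    return (mode == "All" or (mode == "Active" and child.is_open)
            or (mode == "User Owned" and child.owner == parent.owner))

def _grant(record, principal, rights):
    record.shares.setdefault(principal, set()).update(rights)

def share(parent, principal, rights, rules):
    # Sharing the parent: the Share rule decides which existing children inherit.
    _grant(parent, principal, rights)
    for child in parent.children:
        if _cascades(rules[(child.kind, "Share")], child, parent):
            _grant(child, principal, rights)

def reparent(child, parent, rules):
    # Setting the lookup: the Reparent rule decides whether parent shares are copied.
    parent.children.append(child)
    if _cascades(rules[(child.kind, "Reparent")], child, parent):
        for principal, rights in parent.shares.items():
            _grant(child, principal, rights)

def can(principal, right, record, member_privileges):
    # A cascaded share is effective only if the member's role privilege allows it too.
    return (right in record.shares.get(principal, set())
            and right in member_privileges.get(record.kind, set()))

def demo():
    # Constructed configuration: Account->Opportunity cascades, Account->Lead does not.
    rules = {("opportunity", "Share"): "All", ("opportunity", "Reparent"): "All",
             ("lead", "Share"): "None", ("lead", "Reparent"): "None"}
    privs = {"opportunity": {"read", "write"}, "lead": {"read", "write"}}
    acct, old_opp = Record("account", "alice"), Record("opportunity", "charlie")
    reparent(old_opp, acct, rules)                  # linked before the team exists
    share(acct, "access_team", {"read", "write", "delete"}, rules)
    new_opp, lead = Record("opportunity", "charlie"), Record("lead", "charlie")
    reparent(new_opp, acct, rules)
    reparent(lead, acct, rules)
    checks = {"old_opp_read": (old_opp, "read"), "new_opp_read": (new_opp, "read"),
              "new_opp_delete": (new_opp, "delete"), "lead_read": (lead, "read")}
    return {k: can("access_team", r, rec, privs) for k, (rec, r) in checks.items()}
```

With these constructed settings the access team reads both opportunities but not the lead, and cannot delete the opportunity because the member's role has no delete privilege on it.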

  • Community Member Microsoft Employee
    RE: Where do access teams in CRM get cascade permissions from?

    Just to add: the account access team is able to view/edit all opportunities for the account regardless of the BU.
