Foiled by FLS… The Hunt for a Missing Report

I’ve been working on an org with some fairly complicated security requirements that has been causing me lots of lost sleep. I thought we were finally rounding the bend with this project when yet another problem arose. After a few hours, we resolved the issues caused by process builder not being bulkified and I turned back to working on the required dashboards. All seems well until I switch the running user. The refresh runs and one, two, three components load. I wait. But the the last component on the top row does not. I get an insufficient privileges error. And my day gets further derailed with me trying to find why I am getting this error.

First I check to make sure that the user has access to the objects in the report. 2 objects, 1 with read access. 1 with create, read, and edit access.

Next step is to make sure the report is deployed. Its a standard report that is created by Salesforce when you link two custom objects with a lookup. No deployment necessary.

What next, hmmmm? I double check to make sure I shared the report folder appropriately. Good to go there. I have it shared with everyone using role + subordinates shared at the highest level of the role hierarchy. I also contemplate if there is a problem with the report formula I have, consider that I didn’t have to worry about rollups, and note that these are pretty simple objects without cross object formulas.

Next I click through to field level security of each object from the profile. This is where I made my mistake. I have a huge list of fields on each object with each field have a carefully decided security. ***Spoiler Alert… I missed a field that needs to be read instead of no access.***

By this point, I’m getting frustrated. I can’t figure out why this one report won’t share. I head back to my dashboard and take a look at the components that are displaying. The report driving those components are just object A. I take this as a hint that my problem lies with object B and login as a user who is experience the problem. Heading to that object I check out the record and take some screenshots so I can compare them to what I am expecting to see. Bingo. Pretty quickly I notice a blank space where there should be a field. Back as myself, the system admin I quickly find the missing field, a lookup field and this time go the route of checking just its FLS. Check, check, check to give all the profiles read access and I am in business. I was missing read access to the lookup to object A and my report was object B with object A. If you don’t have access to that field, that really puts a damper on that report type. My component loads, my dashboard is working, and I am only feeling a little foolish for that wild goose chase that I went on to hunt down something I had checked to begin with.

To hopefully avoid my frustration, if you have report access issues remember to chec:

  • Object access – the user must have at least read for all objects
  • Report is deployed
  • Report Folder is shared to the user
  • Field Level Security for lookups is at least read for record type lookups
  • User has access to objects that are part of rollups in report
  • Cross object formulas don’t reference objects the user does not have access to

In the end its really just a matter of finding the point where the user has insufficient access. Just don’t overlook the most critical field like I did.

Leave a Reply

Your email address will not be published. Required fields are marked *