How to bypass User Permissions with Flow

Have you ever come across a permission limitation that you couldn’t solve using a Permission Set?  Every once and a while we get requirements that can test the limits of what we can technically do with Salesforce.  It might be a Field Level Security issue, or it might be a License limitation.  Before Process Builder was around, if you wanted to get by some sort of limitation like this, you had to write code.  Not anymore!  Process Builder runs in the context of the System.

So… when Visual Flow is that when its autolaunched by Process Builder, it too will run in the context of the System and not the Running User.  This means any Field Level Security, Profiles, Roles, or License type can essentially be ignored.  Think of an Autolaunched Flow as temporarily giving somebody temporary Admin access.  Where this can get interesting is when we start to think of all of the different ways we might use this!

ProcessBuilderIcon

Get creative!  You can do all sorts of cool things to bypass Licenses and Security  issues by using Autolaunched Flows.  Here are a two examples to get you thinking:

Site.com Guest User Access

In this scenario we want to send an email to our clients to propose that we close a Case, and in that email present them with a Yes and No button.  If they click the button you want the Case to properly react.  That means we need to have that button click send them to a specific URL (associated to our Site.com) with a unique parameter that matches to our Case.  The problem is we are unable to have an unauthenticated User edit a Case.  We can give the Site.com Guest User access to Create on a Custom Object, and have that Custom Object then trigger a Process Builder to run and find and edit the Case.  There are some obvious security issues, but they can be solved by building your parameter and Flow correctly.

Add and Remove Permission Sets and Public Groups

We want our Marketing Manager to be able to add and remove people to a Permission Set and/or Public Group.  We can create a Checkbox or Picklist on the User Object, and have an edit to that field trigger a Process Builder to launch our Flow where we either add or remove them to the Permission Set and/or Public Group.  Access to this field can be then controlled by a Permission Set or by Profile.  With this, we can essentially delegate any Admin function to any User without given them Admin privileges!

12 thoughts on “How to bypass User Permissions with Flow

  1. Mihir Shah April 26, 2016 / 7:59 am

    Good article, But isnt it breaking salesforce security?

    Like

    • David Litton April 28, 2016 / 6:25 pm

      In a way. You’re just simplifying the ability to manage those delegated admin permissions now to a Field that you’re controlling via Profiles or Field Level Security. So, it isn’t very different in how you manage it. It is just a simplified way of administering it to non-technical users. With that said, it is not something that you’ll find in a Salesforce knowledge article.

      Like

  2. Katie October 19, 2016 / 3:29 pm

    David. Can we make a custom button call a process that calls a flow? Right now I have a button that calls a flow, but that makes the flow run as the current user. I want the flow to run as the system, so I’m thinking if I can somehow get the button to call process builder first, then that might work?

    Like

  3. kasugaipnutnu October 19, 2016 / 5:33 pm

    I’m guessing the answer is no, but can you still reference the running user (to update an owner field, for example) in the flow when launching it through process builder? I have a use case where the running user needs to be referenced AND their security needs to be bypassed to update a read-only field, and thinking I’m going to need to get creative about the approach.

    Like

    • David Litton October 24, 2016 / 1:42 am

      Correct, you can’t currently do this.

      One workaround would be to save the information from your Flow into a custom object, and have that Custom Object fire a System Level Permission update of the object (via Process Builder)… but it depends what you’re doing. They can’t query records they don’t have access to if you’re doing a Lookup of some sort.

      Like

      • Katie Rowe October 24, 2016 / 1:46 am

        What I’m trying to do is make my own “Add team member” button that will allow peers to add themselves as team members to each other’s records. I made a custom button that calls a flow… but as you would guess it still adhers to the security constraint that only the owner or above the owner can add team members (and thus errors out). Really don’t want to do a custom object or a visual force page, so was trying to see if I could use Process Builder to get around this.

        Like

      • David Litton October 24, 2016 / 2:04 am

        You could write an APEX plugin for your Flow to use or go the Custom Object route… but other than doing that you’re out of luck for now.

        One easy option: have the button or flow update a checkbox on your object. That checkbox grabs the LastModifiedById and then adds them as a Team Member. You might have to do something dynamic in your Flow to assign their Role (not sure what your Roles are). PB Triggered by the checkbox being triggered, then fires Flow to do the Record Create. Just make sure you uncheck it in the Flow or PB so that you can have it re-used.

        Like

      • kasugaipnutnu October 24, 2016 / 10:14 am

        I was able to make it work by referencing a task created by the flow and updating the read-only field in the task’s “Related to” object via a process. A little hacky, but it gets the job done declaratively. Thanks!

        Like

  4. Bas Jan September 4, 2017 / 1:33 pm

    Currently I am trying to implement a bypass solution, however I run into some errors:
    We currently run a flow on a website, where a visitor can answer questions. These questions sometimes need system actions such as creating Work Order Line Items or Required Products on a Work Order. As the Site user has limited access to the object Work Order through the Public Access Settings. We try to avoid the access limitation by using a Process Builder to run a second flow in system mode which executes the creation of the records (based on the answers in the first flow).

    After the second flow has finished and the records are created/updated, we run into the following error:
    “You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary. Insufficient Privileges”

    “Authorization Required. You must first log in or register before accessing this page.
    If you have forgotten your password, click Forgot Password to reset it. ”

    Do you have any ideas what could be causing this?

    Like

    • David Litton September 6, 2017 / 3:22 pm

      What is happening after they fill out the information and you send them to the next screen? I’m assuming you create the records, but what is the result from the website user? Are you trying to show them information or simply a thank you message? Based on what your error is, it seems to be permission related to the object. Granting your site.com user access to the record would solve it, but be careful as it’s public sharing at that point.

      Like

      • Bas Jan September 8, 2017 / 9:43 am

        Hi David, Thanks for your response. The process will go as follows:
        1. User answers questions (creates records of a custom object)
        2. After answering a last question a “trigger record” is created with a boolean on true, this triggers the Process Builder
        3. Process Builder starts the record creation flow in System mode, to create records related to a WO (such as WOLI and prod required)
        4. A thank you message should be displayed (This part is blocked by the Error message)

        Currently the site user has read access to the WO, however granting edit access is not possible (default SF I guess)

        Is it possible that the changes happening after the flow in the order of execution, specifically Roll ups, would run in user mode and cause the error?
        Do you have other suggestions?

        Like

  5. Bas Jan October 10, 2017 / 4:33 pm

    Hi David,

    A possible explanation of my permission errors:
    Because of the creation of Work Order Line Iitems during the flow running in system mode, a roll up of duration on the Work Order object gets changed.

    This creates an error because the site user does not have access to the work order object.

    Do you know if roll ups could give permission errors?

    It would be great if you could help!

    Kind regards,
    Bas Jan

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s