A user can't see a record they should — how to fix it
Why a Salesforce user can't see a record they should — a checklist across object permissions, field-level security, sharing and restriction rules.
The mirror image of “why can this user see that record” is just as common: someone should be able to see a record and can’t. The good news is that access in Salesforce passes through a fixed sequence of checks — so you can isolate the failure methodically instead of guessing.
The two checks every record access must pass
Salesforce grants access only if both of these succeed:
- Object level — does the user have CRUD on the object, and field-level security on the relevant fields? (From profiles and permission sets.)
- Record level — does the sharing model grant this specific record?
A failure in either hides the record. So the first job is to figure out which check is failing — and the symptom tells you.
Read the symptom first
| Symptom | Failing check | Go to |
|---|---|---|
| Can’t find the object/tab at all | Object permission or app/tab visibility | Step 1 |
| Sees the object, but not one record | Record-level sharing (or restriction rule) | Step 3 |
| Opens the record, but fields are blank | Field-level security | Step 2 |
| Saw it yesterday, not today | A recent change / recalculation | Step 4 |
Step 1 — Object permissions and visibility
If the user can’t reach the object or its tab:
- Confirm Read on the object in their profile or a permission set.
- Confirm the app and tab are visible to them.
No object access means no records, regardless of sharing. Fix this first. (If the failure is on saving a record rather than viewing one, the cause is usually a related record the user can’t reach — see insufficient access rights on cross-reference id.)
Step 2 — Field-level security
If the record opens but specific fields are empty, the record-level access is fine — field-level security is hiding the fields. Grant FLS for those fields on the user’s profile or a permission set. (This is a profile/permission-set setting, not sharing — see profiles vs permission sets vs sharing.)
Step 3 — Record-level sharing
If the user has object access but can’t reach one record, walk the sharing model:
- Org-wide default — if it’s Private, the user only sees records they own, ones owned by someone below them in the role hierarchy, or ones granted by a rule/team/manual share. If none applies, that’s your answer — add a sharing rule, team membership, or manual share.
- Role hierarchy — does the user actually sit above the owner? If not, no roll-up.
- A restriction rule is filtering them out — restriction rules reduce access on top of sharing. The user may have access via sharing but be excluded by a restriction rule’s criteria. Check restriction rules on the object for the user’s permission set.
Step 4 — Recent changes and recalculation
If access disappeared:
- Look for changes to ownership, the role hierarchy, sharing rules, a restriction rule, or the user’s permission set assignments — any can remove access.
- Confirm a sharing recalculation has finished. After ownership/role/rule changes, Salesforce reprocesses shares asynchronously and access can lag during that window.
A diagnosis checklist
- Can they reach the object/tab? → object permission + app/tab visibility.
- Do fields show? → field-level security.
- Is the OWD Private with no applicable share? → add sharing.
- Are they above the owner in the hierarchy? → if needed.
- Is a restriction rule excluding them? → adjust criteria.
- Recent change or recalculation in flight? → wait / revert.
The first failing check is your fix. And note the inverse problem — too much access — in a user can see a record they shouldn’t.
Skip straight to the failing layer
The slow part is testing each layer in turn, often by logging in as the user. AgentForceAccess collapses that: ask why a user can’t see a record and it reports which check blocks them — object permission, field-level security, a missing share, or a restriction rule — so you fix the right layer the first time.
Frequently asked questions
The user can see the object but not one specific record. Why?
That is a record-level problem. With a Private org-wide default, a user only sees records they own, that are owned by someone below them in the role hierarchy, or that a sharing rule, team or manual share grants them. If none applies, the record stays hidden. A restriction rule can also be filtering it out.
The user can open the record but key fields are blank. Why?
That is field-level security, not record sharing. The user has access to the record but their profile or permission sets hide those fields. Grant field-level security for the fields on the relevant permission set.
The user can't see the object or tab at all. What is wrong?
They likely lack object Read permission, or the app/tab is hidden for their profile. Object permissions and tab/app visibility come from profiles and permission sets — fix those before looking at the sharing model.
Access was working yesterday and stopped. What changed?
Look for a recent change to ownership, the role hierarchy, sharing rules, a restriction rule, or the user's permission sets — any of these can remove access. Also confirm a sharing recalculation has finished, since access can lag during reprocessing.
See it on your own org
AgentForceAccess explains, in plain English, why any user can see any record or file — across every Salesforce sharing mechanism.
Request early access