Error When Accessing Child Records in Sublist via Client Script with Limited Permissions

Issue

When a client script attempts to access or manipulate a child record on a sublist (e.g., line items on a transaction), an error occurs if the user’s role has only “Create” permission for the child record type and “Edit” permission for the parent record. The error typically indicates a permission violation, such as:

“You do not have sufficient permissions to perform this action” or “Permission Violation: Access to record denied.”

Cause

This issue arises due to the role-based access control (RBAC) restrictions in the system:

  • The role has Create permission for the child record type, allowing it to create new child records but not to view, edit, or delete existing ones.
  • The role has Edit permission for the parent record, allowing modifications to the parent record and its sublists.
  • When a client script attempts to access an existing child record (e.g., via record.getLineCount or a similar method), the system enforces the child record’s permission level. Since “Create” permission does not include “View” or “Edit” rights, the operation fails, and an error is thrown.

This is expected behavior to ensure that users and scripts cannot access data beyond the permissions assigned to their role.

Environment

  • Applies to: Client Scripts
  • Record Types: Any parent-child relationship (e.g., Sales Order, Invoice, Purchase Order)
  • Permission Levels: Role with “Create” only for child records, “Edit” for parent records
  • Platform Version: All supported versions

Resolution

To resolve this issue, the role must be granted sufficient permissions to access existing child records. Follow these steps:

  • Review Role Permissions:
      • Navigate to Setup > Users/Roles > Manage Roles.
      • Locate and edit the role experiencing the issue.
      • Under the Permissions tab, find the child record type (e.g., “Item” for transaction line items).
      • Check the current permission level (e.g., “Create”).
  • Update Permissions:
      • Increase the permission level for the child record to at least View (to read data) or Edit (to modify data), depending on the script’s requirements.
      • Save the changes to the role.
  • Test the Script:
      • Reload the parent record and trigger the client script again.
      • Verify that the script can now access the child record without errors.

Note: Adjusting permissions may affect other workflows or user actions. Consult with your system administrator to ensure that increasing the permission level aligns with security policies.

Workaround

If modifying permissions is not feasible:

  • Restrict the client script to only interact with newly created child records (since “Create” permission is allowed).
  • Use a server-side script (e.g., User Event or Suitelet) with an elevated role or system-level access to handle operations on existing child records, then pass the results to the client script if needed.
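A server-side script used for this workaround runs with more access than the user's role, so it should return only the sublist fields the client script needs. The following is an added example (not code from the original page or from NetSuite) of an allow-list check such a script could apply before passing data back. The ALLOWED table, the function names and the sample record are assumptions; the record object is only expected to offer getLineCount and getSublistValue in the SuiteScript 2.x options-object form.

```javascript
// Hypothetical allow-list: sublist id -> the only fields the elevated script may disclose.
const ALLOWED = { item: ['item', 'quantity'] };

// Read the requested fields from every line of a sublist, refusing anything
// that is not on the allow-list. `rec` is a record-like object (assumption:
// it exposes getLineCount and getSublistValue taking options objects).
function readSublistLines(rec, sublistId, requestedFields) {
  // hasOwnProperty avoids treating inherited keys such as "__proto__" as allowed.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, sublistId)) {
    throw new Error('sublist not allowed: ' + sublistId);
  }
  const allowed = ALLOWED[sublistId];
  if (!Array.isArray(requestedFields) || requestedFields.length === 0) {
    throw new Error('no fields requested');
  }
  const denied = requestedFields.filter((f) => !allowed.includes(f));
  if (denied.length > 0) {
    throw new Error('fields not allowed: ' + denied.join(','));
  }
  const count = rec.getLineCount({ sublistId: sublistId });
  const lines = [];
  for (let line = 0; line < count; line++) {
    const row = {};
    for (const fieldId of requestedFields) {
      row[fieldId] = rec.getSublistValue({ sublistId, fieldId, line });
    }
    lines.push(row);
  }
  return lines;
}

// Constructed stand-in for a loaded record so the example runs outside NetSuite.
function makeFakeRecord(sublists) {
  return {
    getLineCount: ({ sublistId }) => (sublists[sublistId] || []).length,
    getSublistValue: ({ sublistId, fieldId, line }) =>
      sublists[sublistId][line][fieldId],
  };
}

// Constructed sample data: two existing lines, including a field ("rate")
// that the allow-list does not expose.
const SAMPLE = makeFakeRecord({
  item: [
    { item: 101, quantity: 2, rate: 9.5 },
    { item: 102, quantity: 1, rate: 4 },
  ],
});
```
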

Example Scenario

  • Role Permissions:
      • Parent Record (Sales Order): Edit
      • Child Record (Item): Create
  • Script Code (JavaScript):

        // SuiteScript 2.x: getLineCount takes an options object.
        // Attempts to read the existing lines of the 'item' sublist.
        var lineCount = record.getLineCount({ sublistId: 'item' });

  • Result: Error due to lack of “View” permission for the “Item” record.
  • Fix: Grant “View” permission to the “Item” record type for the role.

Additional Information

  • Client scripts operate under the permissions of the logged-in user’s role and cannot bypass RBAC restrictions.
  • For more complex permission scenarios, consider using a custom role or workflow to manage access.
