SalesForce: Query objects a user has read permission for

Question

How can I Query all Accounts a given user has read permission for? I tried the following but, returned the error "semi join sub selects can only query id fields, cannot use: 'RecordId'"

User u = new User();    
Account[] account = [SELECT Name FROM Account a
                            WHERE Id IN
                            (
                                SELECT RecordId
                                FROM UserRecordAccess
                                WHERE RecordId = :a.Id
                                AND UserId = :u
                                AND HasReadAccess = true
                            )
                    ];

The code is being executed as part of a scheduled batch job run as system so use of "with sharing" is not applicable.

Thanks

Answer 1

If you are only looking to do this for Account you could try this:

User u = new User();
list<Account> accs = [select Id, Name from Account where Id in (select AccountId from AccountShare where UserOrGroupId = :u.Id) or OwnerId = :u.Id];

That should give you all of the account records that the user has access to or owns. In the general case each sObject has its own 'Share' sObject that represents visibility against it, unless it is degenerate in some way (i.e. it is the detail in a master-detail).

Answer 2

The salesforce documentation says that RecordID is a picklist field which seems odd. If it is a picklist field that might explain why it does not work in a subquery.

You could try building a set of RecordIDs first and then using this to filter the Account query.

Set<ID> sRecordIDs = [SELECT RecordID FROM UserRecordAccess WHERE UserId = :u AND HasReadAccess = True];

Account[] accs =[SELECT ID,Name FROM Account WHERE Id in :sRecordIDs];

This might fall over governor limits if the number of records in UserRecordAccess is high.