Security and the PushTopic Query
Subscribers receive notifications if they have:
- Field-level security access to the fields specified in the WHERE clause
- Read access on the object in the query
- Read access on the PushTopic
- Visibility of the new or modified record based on sharing rules
If the subscriber doesn’t have access to fields referenced in the query SELECT clause, then those fields aren’t included in the notification. If the subscriber doesn’t have access to all fields referenced in the query WHERE clause, then they don’t receive the notification. In addition to the field permissions that the subscriber must have, the user who creates or manipulates the record, and so causes the notification to be generated, must have sufficient permissions to the fields in the SELECT clause. Otherwise, the notification that the subscriber receives doesn’t include the fields that user can’t access, even if the subscriber has access to them.
For example, assume a user tries to subscribe to a PushTopic with this Query value.
SELECT Id, Name, SSN__c
FROM Employee__c
WHERE Bonus_Received__c = true AND Bonus_Amount__c > 20000
If the subscriber doesn't have access to Bonus_Received__c or Bonus_Amount__c, the subscription fails. If the subscriber doesn’t have access to SSN__c, then it isn’t returned in the notification. If the subscriber has access to the SSN__c field but the user who created or manipulated the record doesn't, the subscriber doesn't receive this field in the notification.
If the subscriber already subscribed to the PushTopic successfully, but field-level security later changes so that the subscriber no longer has access to one of the fields referenced in the WHERE clause, then no streamed notifications are sent.
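The rules above, modelled as a small Python check. This is an added illustration, not Salesforce code. The function names, the access dictionaries and the field sets are constructed; the parser handles only a simple query of this shape, and the four listed items are treated as requirements for delivery.

```python
import re

# Query value from the example above.
QUERY = """SELECT Id, Name, SSN__c
FROM Employee__c
WHERE Bonus_Received__c = true AND Bonus_Amount__c > 20000"""

def parse_query(soql):
    """Return (select_fields, object_name, where_fields) for a simple query."""
    m = re.match(r"\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+))?\s*$",
                 soql, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("unsupported query shape")
    select = [f.strip() for f in m.group(1).split(",")]
    # A WHERE field is the identifier directly left of a comparison operator.
    where = re.findall(r"(\w+)\s*(?:!=|<>|<=|>=|=|<|>)", m.group(3) or "")
    return select, m.group(2), where

def evaluate(soql, subscriber, actor_fields):
    """Return (delivered, fields_in_notification, reason).

    subscriber: dict modelling the subscriber's access (constructed shape).
    actor_fields: fields readable by the user who created or changed the record.
    """
    select, obj, where = parse_query(soql)
    if not subscriber["pushtopic_read"]:
        return False, [], "no read access on the PushTopic"
    if obj not in subscriber["objects"]:
        return False, [], "no read access on " + obj
    blocked = [f for f in where if f not in subscriber["fields"]]
    if blocked:
        return False, [], "WHERE field not accessible: " + ", ".join(blocked)
    if not subscriber["record_visible"]:
        return False, [], "record not visible under sharing rules"
    # SELECT fields survive only if both users can read them.
    fields = [f for f in select
              if f in subscriber["fields"] and f in actor_fields]
    return True, fields, "ok"

# Constructed access sets for illustration.
ALL = {"Id", "Name", "SSN__c", "Bonus_Received__c", "Bonus_Amount__c"}
HR = {"pushtopic_read": True, "objects": {"Employee__c"},
      "fields": ALL, "record_visible": True}

if __name__ == "__main__":
    print(evaluate(QUERY, HR, ALL))
    print(evaluate(QUERY, HR, ALL - {"SSN__c"}))
    print(evaluate(QUERY, dict(HR, fields=ALL - {"Bonus_Amount__c"}), ALL))
```

The second call shows the case that is easy to miss when reviewing a PushTopic: the subscriber can read SSN__c, yet the field is absent because the user who changed the record cannot.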