Troubleshooting Salesforce user access and permission issues requires a systematic approach that examines profiles, roles, permission sets, and record-level sharing settings. The most common problems stem from misconfigured object permissions, field-level security, role hierarchy limitations, or incorrect permission set assignments. Salesforce provides built-in tools like the User Access Summary and Permission Assistant to streamline diagnosis, while community discussions highlight frequent pitfalls like role hierarchy conflicts or missing API access for integrations.

Key findings from the sources:

• Primary troubleshooting steps: Review user profiles, permission sets, and role hierarchy assignments first ^[6]
• Common errors: "Insufficient privileges" messages often relate to field-level security or record ownership conflicts ^[1]
• Marketing Cloud specifics: Integrated users require both 'Marketing Cloud Admin' and 'User' permissions ^[3]
• API limitations: Some Salesforce versions restrict API access, blocking third-party connectors like Supermetrics ^[5]

Systematic Troubleshooting for Salesforce Access Issues

Diagnosing Permission Problems with Built-in Tools

Salesforce includes dedicated features to identify permission gaps before manual checks. The User Access Summary (introduced in Winter '25) consolidates all permission assignments in one view, while the Permission Assistant tool provides automated analysis. Start with these tools to avoid time-consuming manual reviews.

For immediate issues, follow this workflow:

• Check the User Access Summary: Navigate to Setup → Users → [User Name] → User Access Summary. This displays:
• Assigned profiles and permission sets
• Object-level permissions (Create/Read/Edit/Delete)
• Field-level access for each object
• Group memberships and role hierarchy position ^[7]
• Run the Permission Assistant: Install via AppExchange to analyze:
• Permission conflicts between profiles and permission sets
• Inherited permissions from role hierarchies
• Field accessibility issues across different record types ^[1]

When users report "insufficient privileges" errors, verify these specific settings:

• Profile assignments: Confirm the user has the correct base profile with minimum required permissions ^[6]
• Permission set layers: Check for conflicting permission sets that might override profile settings ^[4]
• Field-level security: Even with object access, individual fields may be restricted ^[1]
• Record ownership: Users need explicit sharing rules or higher role hierarchy position to edit others' records ^[10]

For Marketing Cloud integrations, additional checks are required:

• Verify the user has both 'Marketing Cloud for AppExchange Admin' and 'Marketing Cloud for AppExchange User' permissions ^[3]
• Confirm the Email Send permission is enabled for Marketing Cloud Engagement users ^[3]
• Check that the connected app has proper API access configured ^[1]

Resolving Common Access Scenarios

Object and Record-Level Access Issues

When users cannot view or edit specific records despite having object permissions, examine these layers in order:

1. Org-Wide Defaults: Start with the broadest setting: - Navigate to Setup → Security Controls → Sharing Settings - Verify the default access level (Private, Public Read Only, etc.) for the affected object - Public Read/Write overrides most restrictions, while Private requires explicit sharing ^[10]

1. Role Hierarchy Implications: - Users can only edit records owned by users below them in the hierarchy - A common error occurs when reorganizing roles - users lose access to records owned by formerly subordinate users ^[10] - Solution: Use the "Grant Access Using Hierarchies" setting or implement sharing rules

1. Sharing Rules and Manual Sharing: - Create sharing rules when role hierarchy doesn't suffice (Setup → Security → Sharing Settings) - For one-off access, use the "Sharing" button on individual records - Audit sharing changes via Setup → Security → View Setup Audit Trail ^[6]

1. Permission Set Groups: - When assigning multiple permission sets, processing order matters - Errors like "processing failed" may indicate license conflicts between sets ^[4] - Reorder Grant actions in the User Access Policy to resolve dependency issues

Field-Level and Feature Access Problems

Field-level security operates independently from object permissions. Common scenarios include:

• Visible but non-editable fields:
• Check field-level security in both the profile and any assigned permission sets
• Navigate to Setup → Object Manager → [Object] → Fields & Relationships → [Field] → Set Field-Level Security ^[1]

• Missing tabs or features:
• Verify the feature is enabled in Setup → Feature Settings
• Check "Customize Application" permissions in the user's profile
• For Lightning Experience, ensure the app includes the required tabs ^[2]

• API access restrictions:
• Third-party tools like Supermetrics require:
• API Enabled permission in the user profile
• No IP restrictions on the connected app
• Sufficient API call limits (monitor via Setup → Company Settings → API Usage) ^[5]
• Error messages like "API access disabled" indicate version limitations - contact Salesforce support to enable

• Time-based access issues:
• Some organizations implement login hour restrictions
• Check Setup → Security Controls → Session Settings
• Time-based workflows may temporarily revoke permissions ^[5]

For persistent issues, use these diagnostic queries:

// Check object permissions
SELECT Id, SobjectType, PermissionsRead, PermissionsEdit FROM ObjectPermissions WHERE Parent.ProfileId = '00eXXXXXXXXXXXX'
// Verify field accessibility SELECT Id, Field, PermissionsEdit, PermissionsRead FROM FieldPermissions WHERE Parent.ProfileId = '00eXXXXXXXXXXXX' AND SobjectType = 'Account'