
Insufficient Privileges. You do not have the level of access necessary to perform the operation you requested.

Object-level access — the user lacks Read/Edit/Create/Delete on the object itself, not on a particular row. Different from "You don't have access to this record" (which is sharing on one row). Granted via profile or permission set; auditable in Setup.

Also seen as: Insufficient Privileges · You do not have the level of access necessary · Insufficient Privileges. You do not have

Salesforce's permission model is layered. This error fires at the object level: the user's profile (and assigned permission sets) doesn't grant the operation they tried. Distinct from the row-level "You don't have access to this record", which is a sharing problem.

How to read which permission is missing

The error itself doesn't say. The user's action does:

| User did | Object permission missing |
| --- | --- |
| Visited a tab | Read on the object |
| Tried to create a record | Create on the object |
| Edited a record | Edit (and the user has Read or sharing) |
| Deleted a record | Delete |
| Used a custom button or app | Read on the underlying object, plus app/page access |

Find the gap

In Setup → Profiles → user's profile → Object Settings, find the object. Confirm Read / Create / Edit / Delete / View All / Modify All as needed.

If the user has multiple permission sets, the union applies. So a tight profile + a permissive permission set lets the user act. Check Setup → Users → the user → Permission Set Assignments.

"View All Data" / "Modify All Data" — handle with care

These two permissions are scary. They bypass sharing: a user with View All Data sees every record on every object regardless of sharing rules. They are granted to admins by design; grant them to a Standard User by accident and you've created a privilege-escalation vulnerability.

If a custom Apex controller declares without sharing and the calling user has Modify All Data, the user can edit every record in the org via that controller — even records they couldn't otherwise touch.
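An added example, not from the original page or from Salesforce: Apex that computes the union described under "Find the gap" for one user and one object, and also flags which source grants the View All Data / Modify All Data permissions discussed above. The class name AccessGap and its report method are hypothetical; it assumes access comes from the profile and directly assigned permission sets, and that the caller is allowed to query permission metadata.

```apex
// Added example (hypothetical helper, not the page's code). From Execute Anonymous:
//   AccessGap.report(UserInfo.getUserId(), 'Account');
public class AccessGap {
    public static Map<String, Set<String>> report(Id userId, String objectApiName) {
        // permission name -> labels of the profile / permission sets that grant it
        Map<String, Set<String>> grantedBy = new Map<String, Set<String>>();
        for (String p : new List<String>{'Read', 'Create', 'Edit', 'Delete',
                'ViewAllRecords', 'ModifyAllRecords', 'ViewAllData', 'ModifyAllData'}) {
            grantedBy.put(p, new Set<String>());
        }
        // A profile's permissions live in a profile-owned PermissionSet, so the
        // user's assignments cover the profile and every permission set at once.
        Map<Id, String> sources = new Map<Id, String>();
        for (PermissionSetAssignment psa : [
                SELECT PermissionSetId, PermissionSet.Label, PermissionSet.IsOwnedByProfile,
                       PermissionSet.Profile.Name, PermissionSet.PermissionsViewAllData,
                       PermissionSet.PermissionsModifyAllData
                FROM PermissionSetAssignment WHERE AssigneeId = :userId]) {
            PermissionSet ps = psa.PermissionSet;
            String label = ps.IsOwnedByProfile ? 'Profile: ' + ps.Profile.Name
                                               : 'Permission set: ' + ps.Label;
            sources.put(psa.PermissionSetId, label);
            // Org-wide permissions that bypass sharing on every object.
            if (ps.PermissionsViewAllData) grantedBy.get('ViewAllData').add(label);
            if (ps.PermissionsModifyAllData) grantedBy.get('ModifyAllData').add(label);
        }
        // Object-level rows for the requested object, one per granting source.
        for (ObjectPermissions op : [
                SELECT ParentId, PermissionsRead, PermissionsCreate, PermissionsEdit,
                       PermissionsDelete, PermissionsViewAllRecords,
                       PermissionsModifyAllRecords
                FROM ObjectPermissions
                WHERE SobjectType = :objectApiName AND ParentId IN :sources.keySet()]) {
            String label = sources.get(op.ParentId);
            if (op.PermissionsRead) grantedBy.get('Read').add(label);
            if (op.PermissionsCreate) grantedBy.get('Create').add(label);
            if (op.PermissionsEdit) grantedBy.get('Edit').add(label);
            if (op.PermissionsDelete) grantedBy.get('Delete').add(label);
            if (op.PermissionsViewAllRecords) grantedBy.get('ViewAllRecords').add(label);
            if (op.PermissionsModifyAllRecords) grantedBy.get('ModifyAllRecords').add(label);
        }
        for (String p : grantedBy.keySet()) {
            List<String> src = new List<String>(grantedBy.get(p));
            System.debug(p + ': ' + (src.isEmpty() ? 'MISSING' : String.join(src, ', ')));
        }
        return grantedBy;
    }
}
```

A permission reported as MISSING is the gap behind the error; a ViewAllData or ModifyAllData entry sourced from anything other than an admin profile is the accidental grant to review.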

Apex-specific: AuraEnabled methods on a class without with sharing

A controller declared with neither with sharing nor without sharing runs in the running user's context for sharing but in system context for object/field permissions. So the running user might lack Edit on Account at the profile level, but the controller's update Account succeeds.

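Lock down by declaring with sharing and running the DML in user mode:

public with sharing class AccountController {
    @AuraEnabled
    public static void rename(Id id, String newName) {
        Account a = [SELECT Id FROM Account WHERE Id = :id];
        a.Name = newName;
        // with sharing enforces record-level sharing only; user-mode DML also
        // enforces the running user's object and field permissions.
        update as user a;   // fails if user lacks Edit on Account
    }
}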

A surprising case: "Your administrator has not enabled this app"

Sometimes the same generic message fires when the user lacks the App assignment, not the object permission. Check Setup → Profiles → Assigned Apps. The user must be assigned the app whose tabs they're trying to use.

Tooling for fast diagnosis

The User Access Audit report (Setup → Users → User Access) shows everything that user can and cannot do. Faster than walking through Profile + Permission Sets manually for a complex permission setup.
