Overview
The Salesforce Query Non Vetoed Files user permission is intended for specific system-to-system integrations, especially Data Cloud file ingestion scenarios. It is not intended for standard human users or administrators.
When this permission is assigned to a regular user and the org-level setting Enable Files to be ingested into Data Cloud is enabled, Salesforce can apply a restrictive background filter to file access. This can cause normal Salesforce Files behaviour to break in Lightning, API queries, Apex, automation, and restore processes.
Impact
Affected users may experience one or more of the following issues:
- Vanishing Files
- Upload and API Failures
- SOQL Query Results Are Missing Files
- Automation or Restore Errors
Vanishing Files
Users may upload files successfully but be unable to find, view, or access those files afterward in the Lightning UI.
When this occurs, the following error may be seen in the Riva logs.Error occurred synchronizing attachments for [Item Name]
Upload and API Failures
File uploads may fail through:
- Salesforce Lightning UI
- REST API
- Apex
- Third-party integrations or restore tools
SOQL Query Results Are Missing Files
Queries against file-related objects such as ContentDocument, ContentVersion, or ContentDocumentLink may return zero records or significantly fewer records than expected.
Automation or Restore Errors
Automation, integrations, or data restore tools may fail with unexpected errors, including:
INVALID_CROSS_REFERENCE_KEY
Root Cause
The issue is caused by the combination of:
- The user having the Query Non Vetoed Files permission.
- The org-level setting Enable Files to be ingested into Data Cloud being enabled.
Together, these settings can restrict Salesforce Files visibility and query results to public, non-vetoed files used for Data Cloud ingestion.
Resolution
Query Non Vetoed Files should not be assigned to standard users, human administrators, or general integration users, including the Riva Salesforce connection user. This permission should only be assigned to a dedicated machine-to-machine account that is specifically configured for Salesforce Data Cloud file ingestion.
Steps to Identify and Remove the Permission
- Go to Setup.
- Open the affected user’s detail page.
- Click View Summary.
- Select the User Permissions tab.
- Search for Query Non Vetoed Files.
- If the permission is enabled, click the dropdown chevron next to it.
- Select Access Granted By.
- Identify the Profile or Permission Set granting the permission.
- Edit that Profile or Permission Set.
- Uncheck Query Non Vetoed Files.
- Save the change.
After the permission is removed, standard file visibility and access behaviour should be restored.
For more information on tracking down where a user permission is granted, see Understanding "Query Non Vetoed Files" Permission and File Access.
Recommended Permission for Admin or Data Management Access
For administrators, integration users, or data management users who need broad access to Salesforce Files, use the standard Query All Files permission instead of Query Non Vetoed Files.
Query All Files allows eligible users to query files across the org, including files in non-member libraries and unlisted groups. This permission is intended for broader administrative or data access use cases and is the correct option when users need full file query visibility.
Important Notes
- Do not assign Query Non Vetoed Files to standard users.
- Do not assign Query Non Vetoed Files to human administrators unless Salesforce Support or a validated Data Cloud ingestion use case specifically requires it.
- Reserve Query Non Vetoed Files for dedicated machine-to-machine Data Cloud ingestion users.
- Use Query All Files for users who need broad file query access for administration, backup, restore, or data management purposes.
- If file visibility issues continue after removing the permission, review the org setting Enable Files to be ingested into Data Cloud under Salesforce Files settings.