InstallHandler runs under a special ghost user. What rights does it have?

When you install a managed package with a post-install script, Salesforce creates a special ghost user under which all of the post install activities occur. I think this is undocumented. Here are some details.

This can be great from an audit point of view (you can see which package has ‘touched’ all the data). But can problematic in several examples:

  • Certain objects are inaccessible by SOQL (I’ve found CronTrigger and ApexClass so far)
  • Scheduled Jobs (and any code they call) will forever run under the post-install context,
  • Batch Jobs execute as the post-install user and suffer the same issues above,

I’ve tried querying the user by id in SOQL to no avail, and the debug log monitor don’t record anything.

How crippled is this special ghost user? Does he have a documented profile?

Edit: I’ve emailed myself some post install context UserInfo return values. Interesting ones in bold:

  • UserType: LicenseManager (Aha! Who knows what privileges he has!?)
  • ProfileId: 00eF0000000XXXXAAA (viewing URL gives Insufficient Privileges!)
  • UserName: 033g0000000XXXXAAA@00df0000000XXXXAAA (package-id@org-id)
  • UserId: 005F0000003XXXXAAA (viewing URL gives Insufficient Privileges!)
  • Email:
  • DefaultCurrency: USD
  • FirstName: null
  • Language: en_US
  • LastName: [managed package name]
  • Locale: en_US
  • Name: [managed package name]
  • OrganizationId: [installing org id]
  • OrganizationName: [installing company name]
  • SessionId: null
  • TimeZone: America/Los_Angeles
  • UiTheme: Theme3
  • UiThemeDisplayed: Theme3
  • UserRoleId: null


After trial and error investigation, it appears the InstallHandler can run with unlimited privileges given one special condition; the InstallHandler implementor must have without sharing annotation.

Running without sharing allows the install user context to:

  • view all data
  • modify all data
  • interrogate system data (like CronTrigger and ApexClass)

The install user context cascades into any Batch Apex and Scheduled Apex jobs that are invoked as part of the post install script. If those classes are also annotated without sharing, it offers the capability of long-running “super user” processes.

Source : Link , Question Author : Matt and Neil , Answer Author : Matt and Neil

Leave a Comment