Salesforce: Who Has Permission? (And what Profiles/Permission SetsGrant It?)

“Can you run me a report to see who has edit permissions on Cases?”
It’s the kind of thing that makes you cringe since it’s such a simple question and not remotely easy to achieve since the config screens are a disaster and it could be in any number of Profiles or Permission Sets.
Here’s how to find out. The following query will give you a quick list. (H/T Adam Torman)
[code lang=”sql”]
SELECT Assignee.Name
FROM PermissionSetAssignment
WHERE PermissionSetId
IN (SELECT ParentId
FROM ObjectPermissions
WHERE SObjectType = ‘My_Object__c’ AND
(PermissionsCreate = true OR PermissionsEdit = true))
and Assignee.isActive = true
[/code]
You can run this in the Developer Console under “Query Editor” tab.
Note that you have to change “My_Object__c” to your object name, and this filters by active users and Create or Edit permissions. You can run this using Workbench, dump it to Excel and deduplicate it. Problem solved.

Great. So What Profiles/Permission Sets Grant Access?

So the next question is going to be, OK, what profiles or permission sets grant that access?
This gets a little tricky because Profiles actually use Permission Sets under the hood. So when you use the above query, you are looking at Permission Set Assignments related to Users, including those assigned via a Profile. This is a little confusing. It’s driven by the isOwnedByProfile flag on PermissionSet – if the flag is true, it’s a hidden Permission Set that underpins a Profile.
So basically you need to do this twice: first, find the Profiles that include an underlying Permission Set (isOwnedByProfile = true). Then find the regular Permission Sets.
You can run the following Apex in the Anonymous Window. (If you’re not technical, don’t be scared, it’s just Your Name -> Developer Console -> Debug -> Execute Anonymous.)

This will (inelegantly) output all the Profiles that grant the permission you’re looking for. (To see the output, go to Logs tab in the Dev Console, open the topmost Log, and check the box that says “Debug Only.”)
Finally, you can check the regular Permission Sets that contain the privilege by using this query:
[code lang=”sql”]
SELECT PermissionSet.Name
FROM PermissionSetAssignment
WHERE PermissionSetId
IN (SELECT ParentId
FROM ObjectPermissions
WHERE SObjectType = ‘My_Object__c’ AND
(PermissionsCreate = true OR PermissionsEdit = true))
and Assignee.isActive = true
and PermissionSet.isOwnedByProfile = false
[/code]
Dump to Excel and dedup.
It’s an ugly solution but it should be enough to answer the question when it’s asked.

Comments

Post a Comment

Popular posts from this blog

Setting a DateTime to a Weekday in a Formula

Image
This is one of those things that took way too long to sort out. WEEKDAY() is a great formula function, but it only works on Dates.  Our requirement was to set the value to three days from now, but only if the day is a weekday, and put it in a datetime field. Thinking it through, they wanted the result to come out as follows. Cases received on Monday are due Thursday (+3 days) Cases received on Tuesday are due Thursday (+3 days) Cases received on Wednesday are due Monday (+5 days, skipping 2 weekend days) Cases received on Thursday are due Tuesday (+5 days, skipping 2 weekend days) Cases received on Friday are due Wednesday (+5 days, skipping 2 weekend days) Cases received on Saturday are due Wednesday (+4 days, skipping 1 weekend day) Cases received on Sunday are due Wednesday (+ 3 days) WEEKDAY() returns  an integer value, where 1 is Sunday and 7 is Saturday. Therefore: CASE(WEEKDAY(TODAY()), 4,now()+5, 5,now()+5, 6,now()+5, 7,now()+4, now()+3 ) Since WEEKDAY() only works o
Read more

"Disjunctions not supported" - Why Custom Metadata and Flow Don't Mix

Salesforce has been focusing a lot on Flow recently, as they should. It splits the difference nicely between Process Builder and Apex code. We recently used Flow to implement what I'd expect is a common use case - when a record is created, lookup a value from a table and update the record. In this case, it's a light lead score we call a "fireball" value. This worked great since in most use cases we'd get one record at a time. But we found during Lead conversion, we would get a few records through at a time, which caused the process to break with a really odd error: Error Occurred: This error occurred when the flow tried to look up records: Disjunctions not supported. After some research it became clear that this is the error you get when you try to query a custom metadata table using an "OR" condition. But my Flow didn't use an "OR" condition in the metadata lookup. The answer was lurking in this obscure documentation: When you define mult
Read more

Update Knowledge Articles in Bulk

Image
Recently we had a big Knowledge Centric Support (KCS) initiative where we generated a ton of Articles for use in a Community. (We're still on Classic Knowledge.) Problem is, some users forgot to tick the "Customer" box when creating the Articles. So those articles didn't appear to external users in the Community. You can update these Articles in bulk, but you need to use a few obscure hooks in Apex. This method will create a draft of the Article, update the Knowledge Article Version, and then re-publish without creating a new Version. The following code will update the 'IsVisibleInCsp' flag for a single Article specified in the 1st query, which will make it visible to Customers. Here's a bulkified version. This is heavy on the CPU so I run it 10 at a time. When going over these in bulk, you might run into a situation where there is an existing draft of an article that has been previously published; i.e., it's actively being updated. In t
Read more