
Sunday, March 3, 2019

Salesforce: Query Fields Permission

In the previous blog, Using Permission Set to Query User Permission, we discussed querying PermissionSet and PermissionSetAssignment to find the permissions granted to a user. At the end of that blog we also introduced a query on the ObjectPermissions object to get object-level permissions.

In this blog, we introduce another object called FieldPermissions. As you know, basic field accessibility for a user is determined by the user's Profile, and extra permissions can then be given to the user through Permission Sets. So a query on FieldPermissions will give you an idea of why/how a user is able to access a specific field, and what the permission on that field is (Read or Edit).

SELECT Id, ParentId, Parent.Name, SobjectType, Field, PermissionsEdit, PermissionsRead
FROM FieldPermissions
WHERE SobjectType = 'Account' AND Field = 'Account.Active__c'
ORDER BY Parent.Name

The sample result from the above query:


The key field in the above query is ParentId. This field references the PermissionSet object, so Parent.Name in the result is PermissionSet.Name. The values cover both Profiles and Permission Sets.

If the PermissionSet.Name value starts with X00e, it is a Profile (Standard or Custom); if it does not start with X00e, it is a Permission Set.
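As an added example (not code from the original post), the following Python takes rows shaped like the result of the query above and, for one user's profile and assigned permission sets, reports which permission sets raise field access beyond what the profile gives. The sample rows, the names X00eEXAMPLE00001, X00eEXAMPLE00002 and Read_Rating, and the nested Parent.Name layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the rows returned by the first query
# (Parent.Name nested under "Parent" is an assumption about the export format).
ROWS = [
    {"Parent": {"Name": "X00eEXAMPLE00001"}, "Field": "Account.Active__c",
     "PermissionsRead": True, "PermissionsEdit": False},
    {"Parent": {"Name": "X00eEXAMPLE00002"}, "Field": "Account.Active__c",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"Parent": {"Name": "Activate_Contract_2"}, "Field": "Account.Active__c",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"Parent": {"Name": "Read_Rating"}, "Field": "Account.Rating",
     "PermissionsRead": True, "PermissionsEdit": False},
]
LEVELS = ["None", "Read", "Edit"]  # ordered from weakest to strongest

def parent_kind(name):
    """Classify a Parent.Name using the X00e prefix rule described above."""
    return "Profile" if name.startswith("X00e") else "PermissionSet"

def level(row):
    """Collapse the two permission booleans into a single access level."""
    if row["PermissionsEdit"]:
        return "Edit"
    return "Read" if row["PermissionsRead"] else "None"

def effective_access(rows, profile_name, permset_names):
    """Per field: (profile level, effective level, permission sets that raise it)."""
    assigned = {profile_name, *permset_names}
    base = defaultdict(lambda: "None")   # access from the profile alone
    grants = defaultdict(list)           # (permission set, level) per field
    for row in rows:
        name = row["Parent"]["Name"]
        if name not in assigned:
            continue
        if parent_kind(name) == "Profile":
            base[row["Field"]] = level(row)
        else:
            grants[row["Field"]].append((name, level(row)))
    report = {}
    for field in set(base) | set(grants):
        raised = sorted(n for n, lv in grants[field]
                        if LEVELS.index(lv) > LEVELS.index(base[field]))
        top = max([base[field]] + [lv for _, lv in grants[field]], key=LEVELS.index)
        report[field] = (base[field], top, raised)
    return report
```

An empty third element means the permission sets add nothing on that field beyond the profile, which is useful when reviewing whether a permission set assignment is still needed.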

From the above screenshot, let us check if Activate_Contract_2 permission set gives extra permission for the field Active__c in the Account object:



Sample 2: the query below checks the extra read and edit field permissions given by a permission set called 'Activate Contract 2', and whether the permission set also gives permission to edit read-only fields.

SELECT SobjectType, Field, PermissionsRead, PermissionsEdit, ParentId, Parent.PermissionsEditReadonlyFields
FROM FieldPermissions
WHERE Parent.IsCustom = true AND Parent.Name = 'Activate_Contract_2'
ORDER BY Field


Here are the read/edit permission settings for the Account object in that perm set.

The parent object here is PermissionSet, and the child object is FieldPermissions.
IsCustom in PermissionSet means: if true, the permission set is custom (created by an admin); if false, the permission set is standard and related to a specific permission set license.


Sample 3: now we query the child from the parent object. This query shows the permission sets or profiles that allow editing read-only fields, along with all of their field access on the Account object.

SELECT Id, Name, PermissionsEditReadonlyFields, IsOwnedByProfile,
  (SELECT SobjectType, Field, PermissionsRead, PermissionsEdit
   FROM FieldPerms
   WHERE SobjectType = 'Account')
FROM PermissionSet
WHERE PermissionsEditReadonlyFields = true



