Salesforce: Who Has Permission? (And what Profiles/Permission SetsGrant It?)

“Can you run me a report to see who has edit permissions on Cases?”
It’s the kind of thing that makes you cringe since it’s such a simple question and not remotely easy to achieve since the config screens are a disaster and it could be in any number of Profiles or Permission Sets.
Here’s how to find out. The following query will give you a quick list. (H/T Adam Torman)
[code lang=”sql”]
SELECT Assignee.Name
FROM PermissionSetAssignment
WHERE PermissionSetId
IN (SELECT ParentId
FROM ObjectPermissions
WHERE SObjectType = ‘My_Object__c’ AND
(PermissionsCreate = true OR PermissionsEdit = true))
and Assignee.isActive = true
[/code]
You can run this in the Developer Console under “Query Editor” tab.
Note that you have to change “My_Object__c” to your object name, and this filters by active users and Create or Edit permissions. You can run this using Workbench, dump it to Excel and deduplicate it. Problem solved.

Great. So What Profiles/Permission Sets Grant Access?

So the next question is going to be, OK, what profiles or permission sets grant that access?
This gets a little tricky because Profiles actually use Permission Sets under the hood. So when you use the above query, you are looking at Permission Set Assignments related to Users, including those assigned via a Profile. This is a little confusing. It’s driven by the isOwnedByProfile flag on PermissionSet – if the flag is true, it’s a hidden Permission Set that underpins a Profile.
So basically you need to do this twice: first, find the Profiles that include an underlying Permission Set (isOwnedByProfile = true). Then find the regular Permission Sets.
You can run the following Apex in the Anonymous Window. (If you’re not technical, don’t be scared, it’s just Your Name -> Developer Console -> Debug -> Execute Anonymous.)

This will (inelegantly) output all the Profiles that grant the permission you’re looking for. (To see the output, go to Logs tab in the Dev Console, open the topmost Log, and check the box that says “Debug Only.”)
Finally, you can check the regular Permission Sets that contain the privilege by using this query:
[code lang=”sql”]
SELECT PermissionSet.Name
FROM PermissionSetAssignment
WHERE PermissionSetId
IN (SELECT ParentId
FROM ObjectPermissions
WHERE SObjectType = ‘My_Object__c’ AND
(PermissionsCreate = true OR PermissionsEdit = true))
and Assignee.isActive = true
and PermissionSet.isOwnedByProfile = false
[/code]
Dump to Excel and dedup.
It’s an ugly solution but it should be enough to answer the question when it’s asked.

Comments

Popular posts from this blog

Custom Lookup For Flows to Avoid "Disjunctions Not Supported"

"Disjunctions not supported" - Why Custom Metadata and Flow Don't Mix

What Happens To "Inflight" Process Builders When You Activate a new Version?