September 4, 2018

How to Query Object Permissions for a Profile in Salesforce?

Sample SOQL:

SELECT sObjectType, PermissionsCreate, PermissionsRead, PermissionsEdit, PermissionsDelete,
       PermissionsModifyAllRecords, PermissionsViewAllRecords
  FROM ObjectPermissions
 WHERE ParentId IN ( SELECT Id
                       FROM PermissionSet
                      WHERE PermissionSet.Profile.Name = 'System Administrator' )


3 comments:

  1. Hi,
    I'm using this query to get the object Level permissions -
    SELECT sObjectType, PermissionsCreate, PermissionsRead, PermissionsEdit, PermissionsDelete, PermissionsModifyAllRecords,
    PermissionsViewAllRecords FROM ObjectPermissions
    WHERE ParentId IN ( SELECT Id
    FROM permissionset
    WHERE PermissionSet.Profile.Name = 'System Administrator' )

    But it's giving more than one objectPermissions for some of the standard objects, i.e. Account, Order.
    Is there any way to get only one objectPermission for a specified profile and for a specified sObjectType?

    Replies
    1. Use it like below:
      SELECT sObjectType, PermissionsCreate, PermissionsRead, PermissionsEdit, PermissionsDelete, PermissionsModifyAllRecords,
      PermissionsViewAllRecords FROM ObjectPermissions
      WHERE ParentId IN ( SELECT Id
      FROM permissionset
      WHERE PermissionSet.Profile.Name = 'System Administrator' ) AND sObjectType = 'Case'

    2. https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_objectpermissions.htm

      The above document explains why there are two records showing up for some profiles.

      When using SOQL to query object permissions, be aware that some object permissions are enabled because a user permission requires them.

      The exception to this rule is when “Modify All Data” is enabled. While it enables all object permissions, it doesn’t physically store any object permission records in the database. As a result, unlike object permissions that are required by a user permission—such as “View All Data” or “Import Leads”—the query still returns permission sets with “Modify All Data,” but the object permission record will contain an invalid ID that begins with “000”. This ID indicates that the object has full access due to “Modify All Data” and the object permission record can’t be updated or deleted. To remove full access from these objects, disable “Modify All Data” and then delete the resulting object permission record. This ensures that when using SOQL to find all the objects that have full access, it returns all objects that have this access regardless of whether it’s due to “Modify All Data” or because an administrator set full access.

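The replies above note that one profile can return several ObjectPermissions rows for the same object, and that rows produced by "Modify All Data" carry an Id beginning with "000". The following Python is an added example, not code from the original post, its comments, or Salesforce: it collapses such rows to one entry per object and marks the ones that exist only because of "Modify All Data". It assumes Id is added to the SELECT list of the query and that permissions are additive; the helper names, sample rows and Ids are constructed.

```python
PERMS = (
    "PermissionsCreate", "PermissionsRead", "PermissionsEdit", "PermissionsDelete",
    "PermissionsViewAllRecords", "PermissionsModifyAllRecords",
)
CRUD = PERMS[:4]

def row(rec_id, sobject, granted):
    """Build one constructed query record; `granted` lists the flags that are true."""
    return {"Id": rec_id, "SobjectType": sobject, **{p: p in granted for p in PERMS}}

# Constructed rows (made-up Ids) chosen to exercise each branch, not a real org export.
SAMPLE_ROWS = [
    row("110xx0000000001AAA", "Account", CRUD),
    row("000000000000000AAA", "Account", PERMS),  # synthetic "Modify All Data" row
    row("110xx0000000002AAA", "Case", ("PermissionsRead",)),
    row("000000000000000AAA", "Order", PERMS),    # full access with no stored record
]

def effective_permissions(rows):
    """Return {SobjectType: merged flags} with one entry per object.

    Assumption: a permission is in effect when any row grants it.
    Rows whose Id starts with "000" are not stored records; they are
    counted as implied by "Modify All Data" and kept out of stored_ids.
    """
    merged = {}
    for r in rows:
        entry = merged.setdefault(r["SobjectType"], {
            **{p: False for p in PERMS},
            "stored_ids": [],
            "implied_by_modify_all_data": False,
        })
        for p in PERMS:
            entry[p] = entry[p] or bool(r.get(p))
        if r["Id"].startswith("000"):
            entry["implied_by_modify_all_data"] = True
        else:
            entry["stored_ids"].append(r["Id"])
    return merged

def full_access_objects(merged):
    """Objects on which every object permission is granted, sorted by name."""
    return sorted(o for o, e in merged.items() if all(e[p] for p in PERMS))

if __name__ == "__main__":
    result = effective_permissions(SAMPLE_ROWS)
    for name in sorted(result):
        print(name, result[name])
    print("Full access:", full_access_objects(result))
```

Entries with `implied_by_modify_all_data` set and an empty `stored_ids` list correspond to the records the quoted documentation says cannot be updated or deleted until "Modify All Data" is disabled.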