PermissionSet

Represents a set of permissions that’s used to grant additional access to one or more users without changing their profile or reassigning profiles. You can use permission sets to grant access, but not to deny access. This object is available in API version 22.0 and later.

Supported Calls

create(), delete(), describeSObjects(), query(), retrieve(), update(), upsert()

Fields

Field Name    Details

Description
    Type: string
    Properties: Create, Filter, Nillable, Group, Sort, Update
    Description: A description of the permission set. Limit: 255 characters.

Label
    Type: string
    Properties: Create, Filter, Group, Sort, Update
    Description: The permission set label, which corresponds to Label in the user interface. Limit: 80 characters.

Name
    Type: string
    Properties: Create, Filter, Group, Sort, Update
    Description: The unique name of the object in the API. This name can contain only underscores and alphanumeric characters, and must be unique in your organization. It must begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores. Label corresponds to API Name in the user interface. Limit: 80 characters.

NamespacePrefix
    Type: string
    Properties: Filter, Group, Nillable, Sort
    Description: The namespace prefix for a permission set that's been installed as part of a managed package. If the permission set isn't packaged or is part of an unmanaged package, this value is empty. Available in API version 23.0 and later.

PermissionsPermissionName
    Type: boolean
    Properties: Create, Filter, Update
    Description: One field for each permission. If true, users assigned to this permission set have the named permission. The number of fields varies depending on the permissions for the organization and license type.

UserLicenseId
    Type: reference
    Properties: Create, Filter, Group, Sort
    Description: ID of the UserLicense associated with this permission set.

Usage

Use the PermissionSet object to query existing permission sets.

For example, to search for all permission sets that contain the “Modify All Data” permission:

SELECT Name, PermissionsModifyAllData
FROM PermissionSet
WHERE PermissionsModifyAllData=true

When combined with the PermissionSetAssignment object, you can create a nested query that returns all users assigned to a particular permission like “Modify All Data”:

SELECT Name, (SELECT AssigneeId FROM Assignments)
FROM PermissionSet
WHERE PermissionsModifyAllData=true
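
As an added example (not part of the original documentation), the following Python sketch flattens the nested query's result into a per-user list of permission sets that grant “Modify All Data” and flags users outside an approved list. The record shape (a child relationship wrapped in "records", or null when there are no assignments) is assumed to follow the REST API query response; the sample records, IDs, and the APPROVED allowlist are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample shaped like a query response for:
#   SELECT Name, (SELECT AssigneeId FROM Assignments)
#   FROM PermissionSet WHERE PermissionsModifyAllData=true
SAMPLE_RESPONSE = {
    "totalSize": 3,
    "done": True,
    "records": [
        {"Name": "Release_Admin",
         "Assignments": {"totalSize": 2, "done": True, "records": [
             {"AssigneeId": "005000000000001AAA"},
             {"AssigneeId": "005000000000002AAA"}]}},
        {"Name": "Data_Migration",
         "Assignments": {"totalSize": 1, "done": True, "records": [
             {"AssigneeId": "005000000000002AAA"}]}},
        # Assumption: with no assignees the child relationship is null.
        {"Name": "Unused_Admin", "Assignments": None},
    ],
}

# Hypothetical allowlist of user IDs approved to hold "Modify All Data".
APPROVED = {"005000000000001AAA"}


def grants_by_user(response):
    """Map each assignee ID to the sorted permission set names granting it."""
    grants = defaultdict(set)
    for perm_set in response["records"]:
        children = perm_set.get("Assignments") or {"records": []}
        for assignment in children["records"]:
            grants[assignment["AssigneeId"]].add(perm_set["Name"])
    return {user: sorted(names) for user, names in grants.items()}


def unapproved_grants(response, approved):
    """Return {user: [permission sets]} for users not on the allowlist."""
    return {u: n for u, n in grants_by_user(response).items() if u not in approved}


def unassigned_sets(response):
    """Permission sets that carry the permission but are assigned to nobody."""
    return sorted(p["Name"] for p in response["records"]
                  if not (p.get("Assignments") or {}).get("records"))


if __name__ == "__main__":
    print(unapproved_grants(SAMPLE_RESPONSE, APPROVED))
    print(unassigned_sets(SAMPLE_RESPONSE))
```

Listing every permission set behind a user's grant matters because removing one assignment does not revoke the permission while another set still grants it.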

You can also create a permission set, or delete a permission set if it isn't assigned to a user.

Every permission set is associated with a user license. You can only assign permission sets to users who have the same user license that’s associated with the permission set. If you want to assign similar permissions to users with different licenses, create multiple permission sets with the same permissions, but with different licenses.

Child Objects

When using the API, think of each permission set or related set of access controls as starting as an empty container that you fill with permission records.

In the API, a permission set can contain user, object, and field permissions. (Object and field permissions objects are available in API version 24.0 and later.) Only user permissions are managed in the PermissionSet API object; all other permission types are managed in child API objects.

[Figure: ERD of user, profile, and permission objects]

In these child objects, access is stored in a record, while the absence of a record indicates no access. In order to return a record in a SOQL query, a minimum permission is required for each child object.

Child Object         Minimum Permission Required to Return a Record
ObjectPermissions    Read
FieldPermissions     Read

Because permissions are stored in a number of related sObjects, it’s important to understand what questions to ask when using SOQL. For example, you may want to know which permission sets have “Delete” on an object or have the right to approve a return merchandise authorization (where the approval checkbox is controlled with field permissions). Asking the right questions when using SOQL with permission sets will ensure that you get the information you need to make an informed decision, such as whether to migrate permissions or assign a permission set to a user.

For example, the following will return all permission sets where the “Read” permission is enabled for the Merchandise__c object.

SELECT SobjectType, ParentId, PermissionsRead
FROM ObjectPermissions
WHERE PermissionsRead = True AND SobjectType = 'Merchandise__c'

You can query for all permission sets that have “Read” on an object. However, you can’t query for permission sets that have no access on an object, because no records exist for that object. For example, the following will return no records because the object must have at least “Read” to return any records.

SELECT SobjectType, ParentId, PermissionsRead
FROM ObjectPermissions
WHERE PermissionsRead = False AND SobjectType = 'Merchandise__c'

If you have at least the “Read” permission on an object, you can create a conditional query on other permissions in the same object. For example, the following will return any records where the object has at least the “Read” permission but not the “Edit” permission.

SELECT ParentId, PermissionsRead, PermissionsEdit
FROM ObjectPermissions
WHERE PermissionsEdit = False AND SobjectType = 'Merchandise__c'
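
Because “no access” is stored as a missing record, finding the permission sets without access to an object means comparing the full list of permission sets against the ObjectPermissions rows. The Python sketch below is an added example, not part of the original documentation; the query `SELECT Id, Name FROM PermissionSet` is an assumption introduced here, and all rows and IDs are constructed.

```python
# Constructed sample rows. ALL_SETS stands in for the result of
#   SELECT Id, Name FROM PermissionSet        (added query, an assumption)
# and OBJECT_PERMS for the result of
#   SELECT ParentId, PermissionsRead, PermissionsEdit
#   FROM ObjectPermissions WHERE SobjectType = 'Merchandise__c'
ALL_SETS = [
    {"Id": "0PS000000000001AAA", "Name": "Warehouse_Manager"},
    {"Id": "0PS000000000002AAA", "Name": "Warehouse_Viewer"},
    {"Id": "0PS000000000003AAA", "Name": "Sales_Rep"},
]
OBJECT_PERMS = [
    {"ParentId": "0PS000000000001AAA", "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "0PS000000000002AAA", "PermissionsRead": True, "PermissionsEdit": False},
]


def classify_access(all_sets, object_perms):
    """Return {name: "none" | "read-only" | "read-edit"} for one object."""
    by_parent = {row["ParentId"]: row for row in object_perms}
    access = {}
    for perm_set in all_sets:
        row = by_parent.get(perm_set["Id"])
        if row is None:
            # No ObjectPermissions record exists: this is how "no access" is stored.
            access[perm_set["Name"]] = "none"
        elif row["PermissionsEdit"]:
            access[perm_set["Name"]] = "read-edit"
        else:
            access[perm_set["Name"]] = "read-only"
    return access


def sets_without_access(all_sets, object_perms):
    """Names of permission sets that have no record for the object."""
    levels = classify_access(all_sets, object_perms)
    return sorted(name for name, level in levels.items() if level == "none")


if __name__ == "__main__":
    for name, level in classify_access(ALL_SETS, OBJECT_PERMS).items():
        print(f"{name}: {level}")
```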

To set an object or field permission to no access, just delete the record that contains the permission. For example, to disable all object permissions in the Merchandise__c object for a particular permission set, first query to retrieve the ID of the object permission record, filtering on ParentId so that only that permission set's record is returned.

SELECT Id
FROM ObjectPermissions
WHERE SobjectType = 'Merchandise__c'
AND ParentId = '<permission set ID>'

Then delete the IDs returned from the query.

Note
If you try to update the object or field permissions by setting all permissions to false, the permission record is automatically deleted. As a result, any subsequent queries for the record ID won’t return any results and you must add a new permission record to grant access.

Viewing a Permission Set with Nested Queries

You can build on the PermissionSet object using child relationships that show all of the permissions in a single permission set. For example, the following will return all permission sets and display the “Transfer Leads” permission as well as any “Read” permissions on any objects and fields.

SELECT Label, PermissionsTransferAnyLead,
(SELECT SobjectType, PermissionsRead from ObjectPerms),
(SELECT SobjectType, Field, PermissionsRead from FieldPerms)
FROM PermissionSet