Exporting Salesforce Field Level Security and Object Access with the Data Loader


Using the Data Loader, you can export field level security settings and object access information for every profile and permission set in your Salesforce system.

You can download:

- Field permissions: which profiles and permission sets let users read and edit fields, for every field in your system

- Object level permissions: which profiles and permission sets allow users to read, create, edit and delete objects, as well as whether they have "View All" data and "Modify All" data permissions on those objects

You can take this one step further and answer questions like “which users have Read on Accounts and why” and "what are all of the Account fields where a user has at least Read access and why".

Export Field Level Security for All Profiles and Permission Sets

Let's start with exporting the field level security for every profile and permission set in your Salesforce org using the Data Loader. This can be done in 6 easy steps:

1. Open the Data Loader and press the Export button

2. Log in, then press the Next button

3. Select the "Show all Salesforce objects" checkbox

4. Select the Field Permissions object

5. Choose a "Target for extraction" and press the Next button

6. In the text box / text area under the label "The generated query will appear below. You may edit it before finishing" paste the following:

SELECT Parent.Profile.Name, Parent.Label, Parent.IsOwnedByProfile, SobjectType, Field, PermissionsEdit, PermissionsRead FROM FieldPermissions ORDER BY Parent.Profile.Name, Parent.Label, SobjectType, Field

7. Press the Finish button and select Yes on the box that asks “Do you want to proceed?”

When you open the file that is exported, it should look like this:

Column by column, here is what you get:

PARENT.PROFILE.NAME: if the field level security is from a profile, the profile name will be here; if it is from a permission set, the profile name will be blank. Remember, this export shows profiles and permission sets together; later we'll see how to just export field level security for profiles on their own

PARENT.LABEL: if the field level security is from a permission set, the permission set label will be here; if it is from a profile, you will see gibberish. (It's not actually gibberish but if you're interested in what's going on, have a look at the references below)

PARENT.ISOWNEDBYPROFILE: if the field level security is from a profile, this is TRUE; if it's not from a profile, it's FALSE

SOBJECTTYPE: the name of the object that the field is on

FIELD: the field you are extracting Field Level Security information on

PERMISSIONSEDIT: whether the profile or permission set has edit access to the field

PERMISSIONSREAD: whether the profile or permission set has read access to the field

Export Field Level Security for All Profiles

If you want to export field level security just for profiles, repeat steps 1 - 7 above but, at step 6, paste the following:

SELECT Parent.Profile.Name, Parent.IsOwnedByProfile, SobjectType, Field, PermissionsEdit, PermissionsRead FROM FieldPermissions WHERE Parent.IsOwnedByProfile = true ORDER BY Parent.Profile.Name, Parent.Label, SobjectType, Field

Export Field Level Security for All Permission Sets

If you want to export field level security just for permission sets, repeat steps 1 - 7 above but, at step 6, paste the following:

SELECT Parent.Label, Parent.IsOwnedByProfile, SobjectType, Field, PermissionsEdit, PermissionsRead FROM FieldPermissions WHERE Parent.IsOwnedByProfile = false ORDER BY Parent.Profile.Name, Parent.Label, SobjectType, Field

Export Object Level Permissions for All Profiles and Permission Sets

To export object level permissions, i.e. which profiles and permission sets allow users to read, create, edit and delete objects, as well as whether they have "View All" data and "Modify All" data permissions on those objects, do the following:

1. Repeat steps 1 - 7 above but...

2. In step 2, select the Object Permissions object

3. In step 6, paste the following:

SELECT Parent.Profile.Name, Parent.Label, Parent.IsOwnedByProfile, SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords FROM ObjectPermissions ORDER BY Parent.Profile.Name, Parent.Label, SobjectType

When you open the file that is exported, it should look like this:

Column by column, here is what you get (a lot of it is the same as before):

PARENT.PROFILE.NAME: if the object permissions are from a profile, the profile name will be here; if they are from a permission set, the profile name will be blank. Remember, this export shows profiles and permission sets together; later we'll see how to just export object access for profiles on their own

PARENT.LABEL: if the object permissions are from a permission set, the permission set label will be here; if they are from a profile, you will see gibberish. (It's not actually gibberish but if you're interested in what's going on, have a look at the references below)

PARENT.ISOWNEDBYPROFILE: if the object permissions are from a profile, this is TRUE; if they are not from a profile, it's FALSE

SOBJECTTYPE: the name of the object

PERMISSIONSREAD: whether the profile or permission set has Read permissions on the object

PERMISSIONSCREATE: whether the profile or permission set has Create permissions on the object

PERMISSIONSEDIT: whether the profile or permission set has Edit permissions on the object

PERMISSIONSDELETE: whether the profile or permission set has Delete permissions on the object

PERMISSIONSVIEWALLRECORDS: whether the profile or permission set has View All permissions on the object

PERMISSIONSMODIFYALLRECORDS: whether the profile or permission set has Modify All permissions on the object
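As an added example (not part of the original article), this Python script reads the object-permissions export and lists every profile or permission set that grants View All or Modify All, naming profile rows by PARENT.PROFILE.NAME because PARENT.LABEL is not readable for them. It assumes the CSV headers match the column names listed above and that booleans arrive as the text true/false in any case; the sample rows and labels are constructed.

```python
import csv
import io

# Constructed sample in the column layout described above (not real org data).
SAMPLE_EXPORT = """PARENT.PROFILE.NAME,PARENT.LABEL,PARENT.ISOWNEDBYPROFILE,SOBJECTTYPE,PERMISSIONSREAD,PERMISSIONSCREATE,PERMISSIONSEDIT,PERMISSIONSDELETE,PERMISSIONSVIEWALLRECORDS,PERMISSIONSMODIFYALLRECORDS
System Administrator,CONSTRUCTED_PROFILE_LABEL_1,true,Account,true,true,true,true,true,true
Standard User,CONSTRUCTED_PROFILE_LABEL_2,TRUE,Account,true,true,true,false,false,false
,Support Escalation,false,Case,true,false,true,false,true,false
,Read Only Reporting,FALSE,Account,true,false,false,false,false,false
"""

# Export columns that grant access to all records of an object.
BROAD = {"PERMISSIONSVIEWALLRECORDS": "View All",
         "PERMISSIONSMODIFYALLRECORDS": "Modify All"}


def is_true(value):
    """Booleans arrive as text; a spreadsheet round trip may upper-case them."""
    return (value or "").strip().lower() == "true"


def grantor(row):
    """Return (kind, name). Profile rows use the profile name, because
    PARENT.LABEL is not human-readable for profile-owned permission sets."""
    if is_true(row.get("PARENT.ISOWNEDBYPROFILE")):
        return "Profile", (row.get("PARENT.PROFILE.NAME") or "").strip()
    return "Permission Set", (row.get("PARENT.LABEL") or "").strip()


def broad_access(csv_file):
    """List every grant of View All / Modify All, sorted by object then grantor."""
    findings = []
    for raw in csv.DictReader(csv_file):
        # Normalise header case and drop overflow cells (key None).
        row = {k.strip().upper(): v for k, v in raw.items() if k}
        granted = [label for col, label in BROAD.items() if is_true(row.get(col))]
        if granted:
            kind, name = grantor(row)
            findings.append((row.get("SOBJECTTYPE", ""), kind, name, granted))
    return sorted(findings)


if __name__ == "__main__":
    for sobject, kind, name, granted in broad_access(io.StringIO(SAMPLE_EXPORT)):
        print(f"{sobject}: {kind} '{name}' grants {', '.join(granted)}")
```

To run it on a real export, pass an opened file instead of the sample, for example `broad_access(open(path, newline=""))`.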

Export Object Level Permissions for All Profiles

If you want to export object level permissions just for profiles, at step 6, paste the following:

SELECT Parent.Profile.Name, Parent.IsOwnedByProfile, SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = true ORDER BY Parent.Profile.Name, Parent.Label, SobjectType

Export Object Level Permissions for All Permission Sets

If you want to export object level permissions just for permission sets, at step 6, paste the following:

SELECT Parent.Label, Parent.IsOwnedByProfile, SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = false ORDER BY Parent.Profile.Name, Parent.Label, SobjectType


You can also answer questions like “which users have Read on Accounts and why?” and “what are all of the Account fields where a user has at least Read access and why?”. To find out how, check out the article “Using SOQL to Determine Your Force.com User’s Permissions” on the Salesforce developer blog.


Good to know

- The FieldPermissions and ObjectPermissions objects have a parent called PermissionSet

- The queries above retrieve profile and permission set information because, according to the documentation for the PermissionSet object, "every profile is associated with a permission set that stores the profile’s user, object, and field permissions, as well as setup entity access settings"

- Note the special considerations for “Modify All Data” described in the section “Determining Object Access with “Modify All Data”” of the documentation for the ObjectPermissions object.

