Represents a set of permissions that’s used to grant more
access to one or more users without changing their profile or reassigning profiles. This object is available in API version 22.0 and
later.
You can use permission sets to grant access, but not to deny access.
Supported Calls
create(),
delete(),
describeSObjects(), query(),
retrieve(), search(),
update(),
upsert()
Child Relationships
PermissionSet has a read-only child relationship with PermissionSetGroup. PermissionSet
contains the aggregated permissions for the group.
Fields
| Description |
- Type
- string
- Properties
- Create, Filter, Nillable, Group, Sort, Update
- Description
- A description of the permission set. Limit: 255 characters.
|
| HasActivationRequired |
- Type
- boolean
- Properties
- Create, Defaulted on create,
Filter, Group, Sort, Update
- Description
- Indicates whether the permission set requires an associated active session
(true) or not (false).
|
| IsCustom |
- Type
- boolean
- Properties
- Defaulted on create, Filter, Group, Sort
- Description
- If true, the permission set is custom
(created by an admin); if false, the
permission set is standard and related to a specific permission set
license.
|
| IsOwnedByProfile |
- Type
- boolean
- Properties
- Defaulted on create, Filter, Group, Sort
- Description
- If true, the permission set is owned by
a profile. Available in API version 25.0 and later.
|
| Label |
- Type
- string
- Properties
- Create, Filter, Group, Sort, Update
- Description
- The permission set label, which corresponds to Label
in the user interface. Limit: 80 characters.
|
| LicenseId |
- Type
- reference
- Properties
- Create, Filter, Group, Nillable, Sort
- Description
- The ID of either the related PermissionSetLicense or UserLicense associated with this permission set. Available in API version 38.0 and
later. Use this field instead of UserLicenseId, which is
deprecated and only available up to API Version 37.0.
|
| Name |
- Type
- string
- Properties
- Create, Filter, Group, Sort, Update
- Description
- The unique name of the object in the API. This name can contain only
underscores and alphanumeric characters, and must be unique in your
organization. It must begin with a letter, not include spaces, not end with an
underscore, and not contain two consecutive underscores. Corresponds to
API Name in the user interface. Limit: 80
characters.
|
| NamespacePrefix |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The namespace prefix for a permission set that's been installed as part of a
managed package. If the permission set isn't packaged or is part of an
unmanaged package, this value is empty. Available in API version 23.0 and
later.
|
| PermissionsPermissionName |
- Type
- boolean
- Properties
- Create, Filter, Update
- Description
- One field for each permission. If true,
users assigned to this permission set have the named permission. The number of
fields varies depending on the permissions for the organization and license
type.
To get a list of available permissions in the SOAP
API, use describeSObjects().
|
| PermissionSetGroupId |
- Type
- reference
- Properties
- Filter, Group, Nillable, Sort
- Description
- If the permission set is owned by a permission set group, this field returns
the ID of the permission set group. If the permission set isn’t owned
by a permission set group, this field returns a null value. Available in API
version 45.0 and later.
-
We provide this feature to selected customers through a
pilot program that requires agreement to specific terms and conditions. To be
nominated to participate in the program, contact Salesforce. Because pilot programs are subject to change, we can’t
guarantee acceptance. This pilot feature isn’t generally available, as
referenced in this document or in press releases or public statements. We can’t
guarantee general availability within any particular time frame or at all. Make
your purchase decisions only on the basis of generally available
features.
|
| ProfileId |
- Type
- reference
- Properties
- Filter, Group, Nillable, Sort
- Description
- If the permission set is owned by a profile, this field returns the ID of
the Profile. If the permission set isn’t owned by a profile, this field returns
a null value. Available in API version 25.0 and later.
|
| Type |
- Type
- reference
- Properties
- Filter, Group, Nillable, Sort
- Description
- Available in API version 46.0 and later.
|
| UserLicenseId |
- Type
- reference
- Properties
- Create, Filter, Group, Nillable, Sort
- Description
- ID of the UserLicense associated with this permission set. This field is nillable in API version
26.0 and later and available up to API version 37.0 In API version 38.0 and
later, use LicenseId.
|
Usage
Use the PermissionSet object to query
existing permission sets.
For example, to search for all permission sets that contain the “Modify All
Data” permission:
When combined with the PermissionSetAssignment object, you can create a nested query that returns all users assigned to a particular
permission like “Modify All Data”:
If the permission set isn’t assigned to a user, you can also create or delete a permission
set.
User Licenses
The user license controls the permissions that are available in a permission set.
Every permission set can be associated with a user license or permission set license. If
you plan to assign a permission set to multiple users with different user and permission set
licenses, leave LicenseId empty. If only users with one type of license
use this permission set, set the LicenseId to that single user or
permission set license. If you want a permission set associated with a permission set
license, then set LicenseId to the permission set license. To get the
LicenseId, run this query:
Alternatively, to query a user or profile for the LicenseId.
Child Objects
When using the API, think of each permission set or related set of access controls as an
empty container that you fill with permission records.
In the API, a permission set can contain user, object, and field permissions, and setup
entity access settings for other settings, such as Apex classes.
- ObjectPermissions and FieldPermissions objects are available in API version 24.0 and later.
- The SetupEntityAccess object is available in API version 25.0 and later.
- The PermissionSetGroupComponent object is available in API version 45 and later.
Only user permissions are managed in the PermissionSet API object; all other permission
types are managed in child API objects.
In these child objects, access is stored in a record, while the absence of a record
indicates no access. To return a record in a SOQL query, a minimum
permission or setting is required for each child object.
Because permissions are stored in related objects, it’s important to understand what
questions to ask when using SOQL. For example, let’s say you want to know which permission
sets have “Delete” on an object. You also want to know which ones include
permissions that allow approval of a return merchandise authorization (where the approval
checkbox is controlled with field permissions). Asking the right questions when using SOQL
with permission sets ensures that you get the information you need, such as whether to
migrate permissions or assign a permission set to a user.
For example, the following returns all permission sets where the “Read”
permission is enabled for the Merchandise__c object.
You can query for all permission sets that have “Read” on an object. However,
you can’t query for permission sets that have no access on an object, because no
records exist for that object. For example, the following returns no records because the
object must have at least “Read” to return any records.
If you have at least the “Read” permission on an object, you can create a
conditional query on other permissions in the same object. For example, the following
returns any records where the object has at least the “Read” permission but
not the “Edit” permission.
To set an object or field permission to no access, delete the record that contains the
permission. For example, to disable all object permissions in the Merchandise__c object for
a particular permission set, first query to retrieve the ID of the object permission
record.
Then delete the IDs returned from the query.
If you try to update the object or field permissions by setting all permissions to
false, the permission record is automatically deleted. Any subsequent queries for the record
ID won’t return results and you must add a new permission record to grant
access.
View a Permission Set with Nested Queries
You can build on the PermissionSet object
using child relationships that show all of the permissions in a single permission set. For
example, the following returns all permission sets and displays the “Transfer
Leads” permission, as well as any “Read” permissions on any objects and
fields.
Associated Profiles
In API version 25.0 and later, every profile is associated with a permission set that
stores the profile’s user, object, and field permissions, as well as setup entity
access settings. You can query permission sets that are owned by profiles but not modify
them.
The following example returns all permission sets, including those owned by a profile.
The following returns all permission sets except those owned by
profiles.
Because
permission sets have child objects in the API, you can query their values on permission sets
owned by a profile. For example, the following returns all enabled object permission records
for profiles
only.
Once
you have the IDs for permission sets that are owned and not owned by profiles, use the
PermissionSetAssignment object to see if users can access objects or fields via their profile
permissions or their permission sets. For example, the following SOQL query returns all
users who have the “Read” permission on the Merchandise__c object. It also
specifies whether the permission is granted through a profile or permission
set.
For permission sets that are owned by profiles, don’t use Name and Label values
that are returned in a query. Name and Label values from queries can change.