FieldPermissions

Supported Calls

create(), delete(), describeSObjects(), query(), retrieve(), update(), upsert()

Special Access Rules

In API version 49.0 and later, only users with the View Setup and Configuration permission can access this object.

Fields

In API version 50.0 and later, for lookup field inserts and queries, you can leave off the Id in the field name or include it. The rows returned always use the API name. For example:

1SELECT SobjectType, Field
2FROM FieldPermissions
3WHERE Field='Contact.Account'

and

1SELECT SobjectType, Field
2FROM FieldPermissions
3WHERE Field='Contact.AccountId'

both return

1Contact, Contact.AccountId

Field Name	Details
Field	Type picklist Properties Create, Filter, Group, Restricted picklist, Sort Description The field’s API name. This name must be prefixed with the SobjectType. For example, `Merchandise__c.Description__c`
ParentId	Type reference Properties Create, Filter, Group, Sort Description The Id of the field’s parent PermissionSet. This is a relationship field. Relationship Name Parent Relationship Type Lookup Refers To PermissionSet
PermissionsEdit	Type boolean Properties Create, Defaulted on create, Filter, Group, Sort, Update Description If `true`, users assigned to the parent PermissionSet can edit this field. Requires PermissionsRead for the same field to be `true`.
PermissionsRead	Type boolean Properties Create, Defaulted on create, Filter, Group, Sort, Update Description If `true`, users assigned to the parent PermissionSet can view this field. A FieldPermissions record must have at minimum PermissionsRead set to `true`, or it will be deleted.
SobjectType	Type picklist Properties Create, Filter, Group, Restricted picklist, Sort Description The object’s API name. For example, `Merchandise__c`.

Usage

FieldPermissions work similarly to ObjectPermissions. However, FieldPermissions includes a Field attribute to return the name of the field.

For example, the following query returns all FieldPermissions records that have at least the “Read” permission. The results include the field, object, and permission set names.

1SELECT SobjectType, Field, PermissionsRead, Parent.Name
2FROM FieldPermissions
3WHERE PermissionsRead = True

Include the field’s parent object when querying FieldPermissions. For example, to find all rows that match the Account object’s Type field, create the following query:

1SELECT Id, SobjectType, Field
2FROM FieldPermissions
3WHERE Field = 'Account.Type' AND SobjectType = 'Account'

To find which permission sets are backed by profiles with the Account object, you can use a query like the following example:

1SELECT Id, ParentId, SobjectType, Field, PermissionsEdit, PermissionsRead, Parent.Name
2FROM FieldPermissions
3WHERE SobjectType = 'Account' and Parent.IsOwnedByProfile = true
4ORDER BY SObjectType, Field

Both SobjectType and Field must be included in the SELECT line of the query. Provide the full API name of the field in the form of SobjectType.Field when querying for a field.

When using the FieldPermission object to download records, depending on the SOQL query you use, you might not receive all expected records. Results can also appear incomplete. However, all records do download; fields that don't support field security and rows for entities not visible to the org are hidden.

Note

Special Properties for Field Permissions

The auto-number and formula fields have special rules for how field permissions work. Both have FieldPermissions records, but inserting and updating is limited to PermissionsRead. PermissionsEdit isn’t allowed for either field type, since these fields must be read-only for users.

The following field types don’t return a FieldPermissions record because they are assumed to always be readable.

Id
CreatedById
CreatedDate
IsDeleted
LastModifiedById
LastModifiedDate
SystemModStamp

The following field types don’t return a FieldPermissions record because they are assumed to always be readable and writable.

OwnerId
Master-detail custom (relationship) fields
Universally required custom fields

As a result, the following query returns no records, even though users do have some access to some of the fields.

1SELECT Field, SobjectType, PermissionsRead
2FROM FieldPermissions
3WHERE Field='Id'

To determine if a field can return a FieldPermissions record, you can call a describeSObject() on the field. For example, describeSObject('Merchandise__c'), returns all the properties of the Merchandise custom object, including field properties. If you use a field whose permissionable property is false (like the field types listed in this section), you can’t query, insert, update, or delete field permissions records, because they don’t exist.

Working with Custom Activity Fields

While tasks and events are considered separate objects, they share a common set of activity custom fields. As a result, when a custom task field is created, a custom event field is also created, and vice versa. You can display the custom field on the event layout, task layout, or both event and task layouts.

Although custom activity fields are shared between tasks and events, you see separate FieldPermissions records for the task and event. However, changes made to one field permission record are automatically made to the other. For example, if you create a custom activity field, assign field permissions to it in a permission set, and run the following query, the query returns two records with the same permission value.

1SELECT Field, Id, ParentId, PermissionsEdit, PermissionsRead, SobjectType
2FROM FieldPermissions
3WHERE SobjectType = 'event' OR SobjectType ='task'

If you then update one of the records with another set of field permission values and run the query, the same permission values for both records are returned.

Nesting Field Permissions

You can nest FieldPermissions in a PermissionSet query. For example, the following returns any permission sets where “Edit Read Only Fields” is true. Also, the result set includes both the “Read” and “Edit” field permission on the Merchandise object. Get similar results by nesting the SOQL with a field permission query using the relationship name for field permissions: FieldPerms.

1SELECT PermissionsEditReadonlyFields,
2(SELECT SobjectType, Field, PermissionsRead, PermissionsEdit
3FROM FieldPerms
4WHERE SobjectType = 'Merchandise__c')
5FROM PermissionSet
6WHERE PermissionsEditReadonlyFields = true

As a result, it’s possible to traverse the relationship between the PermissionSet and any child-related objects (in this case, FieldPermissions). You can do this from the PermissionSet object by using the child relationship (ObjectPerms, FieldPerms, and so on) or from the child object by referencing the PermissionSet with Parent.permission_set_attribute.

It’s important to consider when to use a conditional WHERE statement to restrict the result set. To query based on an attribute on the permission set object, nest the SOQL with the child relationship. However, to query based on an attribute on the child object, you must reference the permission set parent attribute in your query.

The following two queries return the same columns with different results, based on whether you use the child relationship or parent notation.

1SELECT PermissionsEditReadonlyFields,
2(SELECT SobjectType, Field, PermissionsRead, PermissionsEdit
3FROM FieldPerms
4WHERE SobjectType = 'Merchandise__c')
5FROM PermissionSet
6WHERE PermissionsEditReadonlyFields = true

Versus:

1SELECT SobjectType, Field, PermissionsRead, PermissionsEdit, Parent.Name,
2   Parent.PermissionsEditReadonlyFields
3FROM FieldPermissions
4WHERE SObjectType='Merchandise__c'

Muting Permissions

Field permissions with a parent muting permission set act differently than those enabled in a regular permission set. For a regular permission set, if a FieldPermissions record grants full access to a field (for example, granting read and edit access), users have full access to that field.

With muting permission sets, a FieldPermissions record defines the muting of access. So if a muting permission set is set for read and edit, the read and edit access is muted.

For example, we have a permission set and a muting permission set that controls access to the Account object’s fields. Each permission set has settings for the Website field.

Regular Permission Set

Field	PermissionsRead	PermissionsEdit	Result
Account.Website	`true`	`false`	The Account.Website field is read only.
Account.Website	`true`	`true`	The Account.Website field has both read and edit permissions.

Muting Permission Set

Field	PermissionsRead	PermissionsEdit	Result
Account.Website	`false`	`true`	Edit permissions on the Account.Website fields are muted.
Account.Website	`true`	`true`	Read and edit permissions on the Account.Website field are muted.

Field permissions are aggregated by combining the permissions granted by the permission set and the permissions muted by the muting permission set. For example, if you have a permission set that grants read and edit permissions for a field, and a muting permission that mutes the same field’s edit permission, the result is that only the read permission is enabled.

Object Reference for the Salesforce Platform