Represents the enabled object permissions for the parent PermissionSet. To grant a user access to an object, associate an ObjectPermissions record with a PermissionSet that’s assigned to a user. ObjectPermissions records are only supported in PermissionSet, not in Profile. This object is available in API version 24.0 and later.
create(), delete(), describeSObjects(), query(), retrieve(), update(), upsert()
Some user permissions have dependencies on object permissions. For example, if a permission set has the “Transfer Leads” permission, it also has “Read” and “Create” on the leads object.
You can query from ObjectPermissions up to the parent PermissionSet object. For example:
SELECT Parent.Name, Parent.PermissionsTransferAnyLead, PermissionsRead, PermissionsCreate FROM ObjectPermissions WHERE SobjectType = 'Lead'
When using SOQL to query object permissions, be aware that some object permissions are enabled because a user permission requires them.
The exception to this rule is when “Modify All Data” is enabled. While it enables all object permissions, it doesn’t physically store any object permission records in the database. As a result, unlike object permissions that are required by a user permission—such as “View All Data” or “Import Leads”—the query still returns permission sets with “Modify All Data,” but the object permission record will contain an invalid ID that begins with “000”. This ID indicates that the object has full access due to “Modify All Data” and the object permission record can’t be updated or deleted. To remove full access from these objects, disable “Modify All Data” and then delete the resulting object permission record. This ensures that when using SOQL to find all the objects that have full access, it returns all objects that have this access regardless of whether it’s due to “Modify All Data” or because an administrator set full access.
For example, the following will return all permission sets that have “Read” on the Merchandise__c object, regardless of whether it’s explicitly defined on the object or implicitly defined through “Modify All Data.”
SELECT Id, Parent.label, SobjectType, PermissionsRead, Parent.PermissionsModifyAllData, ParentId FROM ObjectPermissions WHERE PermissionsRead = true and SobjectType = 'Merchandise__c'
SELECT Id,Name,PermissionsTransferAnyLead, (SELECT Id, PermissionsRead from ObjectPerms where SobjectType='Lead') FROM PermissionSet WHERE PermissionsTransferAnyLead = true
As a result, it’s possible to traverse the relationship between the PermissionSet and any child related objects (in this case, ObjectPermissions). You can do this from the PermissionSet object by using the child relationship (ObjectPerms, FieldPerms, and so on) or from the child object by referencing the PermissionSet with Parent.permission_set_attribute.
It’s important to consider when to use a conditional WHERE statement to restrict the result set. To query based on an attribute on the permission set object, nest the SOQL with the child relationship. However, to query based on an attribute on the child object, you must reference the permission set parent attribute in your query.
SELECT Id, Name, PermissionsModifyAllData, (SELECT Id, SobjectType, PermissionsRead from Objectperms) FROM PermissionSet WHERE PermissionsModifyAllData=true
SELECT Id, SObjectType, PermissionsRead, Parent.Id, Parent.Name, Parent.PermissionsModifyAllData FROM ObjectPermissions WHERE SObjectType='Merchandise__c'