PermissionSetEvent

• API—The user made changes to a permission set or permission set group from an API call.
• Classic—The user made changes to a permission set or permission set group from a page in the Salesforce Classic UI.
• Lightning—The user made changes to a permission set or permission set group from a page in the Lightning Experience UI.

• AssignedToUsers—A permission set or permission set group is assigned to one or more users.
• CriticalPerms—This deprecated value indicates the critical permissions are enabled.
• PermsDisabled—Permissions are disabled.
• PermsEnabled—Permissions are enabled.
• UnassignedFromUsers—A permission set or permission set group is unassigned from one or more users.

• AssignPermissionSets (Assign Permission Sets)
• AuthorApex (Author Apex)
• CustomizeApplication (Customize Application)
• ForceTwoFactor (Multi-Factor Authentication for User Interface Logins)
• FreezeUsers (Freeze Users)
• ManageEncryptionKeys (Manage Encryption Keys)
• ManageInternalUsers (Manage Internal Users)
• ManagePasswordPolicies (Manage Password Policies)
• ManageProfilesPermissionsets (Manage Profiles and Permission Sets)
• ManageRoles (Manage Roles)
• ManageSharing (Manage Sharing)
• ManageUsers (Manage Users)
• ModifyAllData (Modify All Data)
• MonitorLoginHistory (Monitor Login History)
• PasswordNeverExpires (Password Never Expires)
• ResetPasswords (Reset User Passwords and Unlock Users)
• ViewAllData (View All Data)

When using this event in a transaction security policy, use the permission's API name, not its label, and use the Contains operator, rather than Equals.

• ObjectPermission
• UserPermission

• Block—The user was blocked from performing the operation that triggered the policy.
• EndSession—The user’s session is terminated.
• Error—The policy caused an undefined error when it executed.
• ExemptNoAction—The user is exempt from transaction security policies, so the policy didn’t trigger.
• FailedInvalidPassword—The user entered an invalid password.
• FailedPasswordLockout—The user entered an invalid password too many times.
• MeteringBlock—The policy took longer than 3 seconds to process, so the user was blocked from performing the operation.
• MeteringNoAction—The policy took longer than 3 seconds to process, but the user isn't blocked from performing the operation.
• NoAction—The policy didn't trigger.
• Notified—A notification was sent to the recipient.
• TwoFAAutomatedSuccess—Salesforce Authenticator approved the request for access because the request came from a trusted location. After users enable location services in Salesforce Authenticator, they can designate trusted locations. When a user trusts a location for a particular activity, such as logging in from a recognized device, that activity is approved from the trusted location for as long as the location is trusted.
• TwoFADenied—The user denied the approval request in the authenticator app, such as Salesforce Authenticator.
• TwoFAFailedGeneralError—An error caused by something other than an invalid verification code, too many verification attempts, or authenticator app connectivity.
• TwoFAFailedInvalidCode—The user provided an invalid verification code.
• TwoFAFailedTooManyAttempts—The user attempted to verify identity too many times. For example, the user entered an invalid verification code repeatedly.
• TwoFAInProgress—Salesforce challenged the user to verify identity and is waiting for the user to respond or for Salesforce Authenticator to send an automated response.
• TwoFAInitiated—Salesforce initiated identity verification but hasn’t yet challenged the user.
• TwoFANoAction—The policy specifies multi-factor authentication (formerly called two-factor authentication) as an action, but the user is already in a high-assurance session.
• TwoFARecoverableError—Salesforce can’t reach the authenticator app to verify identity, but will retry.
• TwoFAReportedDenied—The user denied the approval request in the authenticator app, such as Salesforce Authenticator, and also flagged the approval request to report to an administrator.
• TwoFASucceeded—The user’s identity was verified.

This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.

• HIGH_ASSURANCE—A high assurance session was used for resource access. For example, when the user tries to access a resource such as a connected app, report, or dashboard that requires a high-assurance session level.
• LOW—The user’s security level for the current session meets the lowest requirements.

  This low level isn’t available or used in the Salesforce UI. User sessions through the UI are either standard or high assurance. You can set this level using the API, but users assigned this level experience unpredictable and reduced functionality in their Salesforce org.

  Note

• STANDARD—The user’s security level for the current session meets the Standard requirements set in the org’s Session Security Levels.