PermissionSetEvent

Tracks changes to permission sets and permission set groups. This event initiates when a permission is added to, or removed from a permission set. This event also initiates when a permission set containing a critical permission is assigned or unassigned. This object is available in API version 52.0 and later.

Supported Calls

describeSObjects()

Special Access Rules

Accessing this object requires either the Salesforce Shield or Event Monitoring add-on subscription and the View Real-Time Event Monitoring Data user permission.

Supported Subscribers

Subscriber Supported?
Apex Triggers
Flows
Processes
Pub/Sub API Yes
Streaming API (CometD) Yes

Event Delivery Allocation Enforced

No

Fields

Field Details
EvaluationTime
Type
double
Properties
Nillable
Description
The amount of time it took to evaluate the policy in milliseconds.
EventDate
Type
dateTime
Properties
Nillable
Description
The time when the anomaly was reported. For example, 2020-01-20T19:12:26.965Z. Milliseconds is the most granular setting.
EventIdentifier
Type
string
Properties
Nillable
Description
The unique ID of the event, which is shared with the corresponding storage object. For example, 0a4779b0-0da1-4619-a373-0a36991dff90. Use this field to correlate the event with its storage object.
EventSource
Type
picklist
Properties
Nillable, Restricted picklist
Description
The source of the event. Possible values are:
  • API—The user made changes to a permission set or permission set group from an API call.
  • Classic—The user made changes to a permission set or permission set group from a page in the Salesforce Classic UI.
  • Lightning—The user made changes to a permission set or permission set group from a page in the Lightning Experience UI.
EventUuid
Type
string
Properties
Nillable
Description
A universally unique identifier (UUID) that identifies a platform event message.
HasExternalUsers
Type
boolean
Properties
Nillable
Description
When true, external users are impacted by the operation that triggered a permission change. The default value is false.
ImpactedUserIds
Type
json
Properties
Nillable
Description
A comma-separated list of IDs of the users affected by the event. A maximum of 1,000 user IDs are included.
For example, if a permission set assigned to two users is updated, the users’ IDs are recorded in this field.
LoginHistoryId
Type
reference
Properties
Nillable
Description
Tracks a user session so you can correlate user activity with a particular series of permission set events. This field is also available in the LoginEvent, AuthSession, and LoginHistory objects, making it easier to trace events back to a user’s original authentication. For example, 0YaB000002knVQLKA2.
This is a relationship field.
Relationship Name
LoginHistory
Relationship Type
Lookup
Refers To
LoginHistory
LoginKey
Type
string
Properties
Nillable
Description
The string that ties together all events in a given user’s login session. The session starts with a login event and ends with either a logout event or the user session expiring. For example, lUqjLPQTWRdvRG4.
Operation
Type
picklist
Properties
Nillable, Restricted picklist
Description
The type of operation that triggers a permission change.
Possible values are:
  • AssignedToUsers—A permission set or permission set group is assigned to one or more users.
  • CriticalPerms—This deprecated value indicates the critical permissions are enabled.
  • PermsDisabled—Permissions are disabled.
  • PermsEnabled—Permissions are enabled.
  • UnassignedFromUsers—A permission set or permission set group is unassigned from one or more users.
ParentIdList
Type
json
Properties
Nillable
Description
The IDs of the affected permission sets or permission set groups.
ParentNameList
Type
json
Properties
Nillable
Description
The names of the affected permission sets or permission set groups.
PermissionExpirationList
Type
json
Properties
Nillable
Description
A comma separated list of timestamps from the PermissionSetAssignment.ExpirationDate field that specifies when added permissions will be revoked. This value is null when no expiration timestamp is specified or permissions are removed for the impacted users.
PermissionList
Type
json
Properties
Nillable
Description
The list of permissions that are enabled or disabled in the event. These permissions can include:
  • AssignPermissionSets (Assign Permission Sets)
  • AuthorApex (Author Apex)
  • CustomizeApplication (Customize Application)
  • ForceTwoFactor (Multi-Factor Authentication for User Interface Logins)
  • FreezeUsers (Freeze Users)
  • ManageEncryptionKeys (Manage Encryption Keys)
  • ManageInternalUsers (Manage Internal Users)
  • ManagePasswordPolicies (Manage Password Policies)
  • ManageProfilesPermissionsets (Manage Profiles and Permission Sets)
  • ManageRoles (Manage Roles)
  • ManageSharing (Manage Sharing)
  • ManageUsers (Manage Users)
  • ModifyAllData (Modify All Data)
  • MonitorLoginHistory (Monitor Login History)
  • PasswordNeverExpires (Password Never Expires)
  • ResetPasswords (Reset User Passwords and Unlock Users)
  • ViewAllData (View All Data)

When using this event in a transaction security policy, use the permission's API name, not its label, and use the Contains operator, rather than Equals.

PermissionType
Type
string
Properties
Nillable
Description
The type of permission that is updated in the event. Possible values are:
  • ObjectPermission
  • UserPermission
PolicyId
Type
reference
Properties
Nillable
Description
The ID of the transaction security policy associated with this event. For example, 0NIB000000000KOOAY.
This is a relationship field.
Relationship Name
Policy
Relationship Type
Lookup
Refers To
TransactionSecurityPolicy
PolicyOutcome
Type
picklist
Properties
Nillable, Restricted picklist
Description
The result of the transaction policy.
Possible values are:
  • Block—The user was blocked from performing the operation that triggered the policy.
  • EndSession—The user’s session is terminated.
  • Error—The policy caused an undefined error when it executed.
  • ExemptNoAction—The user is exempt from transaction security policies, so the policy didn’t trigger.
  • FailedInvalidPassword—The user entered an invalid password.
  • FailedPasswordLockout—The user entered an invalid password too many times.
  • MeteringBlock—The policy took longer than 3 seconds to process, so the user was blocked from performing the operation.
  • MeteringNoAction—The policy took longer than 3 seconds to process, but the user isn't blocked from performing the operation.
  • NoAction—The policy didn't trigger.
  • Notified—A notification was sent to the recipient.
  • TwoFAAutomatedSuccess—Salesforce Authenticator approved the request for access because the request came from a trusted location. After users enable location services in Salesforce Authenticator, they can designate trusted locations. When a user trusts a location for a particular activity, such as logging in from a recognized device, that activity is approved from the trusted location for as long as the location is trusted.
  • TwoFADenied—The user denied the approval request in the authenticator app, such as Salesforce Authenticator.
  • TwoFAFailedGeneralError—An error caused by something other than an invalid verification code, too many verification attempts, or authenticator app connectivity.
  • TwoFAFailedInvalidCode—The user provided an invalid verification code.
  • TwoFAFailedTooManyAttempts—The user attempted to verify identity too many times. For example, the user entered an invalid verification code repeatedly.
  • TwoFAInProgress—Salesforce challenged the user to verify identity and is waiting for the user to respond or for Salesforce Authenticator to send an automated response.
  • TwoFAInitiated—Salesforce initiated identity verification but hasn’t yet challenged the user.
  • TwoFANoAction—The policy specifies multi-factor authentication (formerly called two-factor authentication) as an action, but the user is already in a high-assurance session.
  • TwoFARecoverableError—Salesforce can’t reach the authenticator app to verify identity, but will retry.
  • TwoFAReportedDenied—The user denied the approval request in the authenticator app, such as Salesforce Authenticator, and also flagged the approval request to report to an administrator.
  • TwoFASucceeded—The user’s identity was verified.
RelatedEventIdentifier
Type
string
Properties
Nillable
Description
Represents the EventIdentifier of the related event. For example, bd76f3e7-9ee5-4400-9e7f-54de57ecd79c.

This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.

ReplayId
Type
string
Properties
Nillable
Description
Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.
SessionKey
Type
string
Properties
Nillable
Description
The user’s unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For example, vMASKIU6AxEr+Op5.
SessionLevel
Type
picklist
Properties
Nillable, Restricted picklist
Description
Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are:
  • HIGH_ASSURANCE—A high assurance session was used for resource access. For example, when the user tries to access a resource such as a connected app, report, or dashboard that requires a high-assurance session level.
  • LOW—The user’s security level for the current session meets the lowest requirements.

    This low level isn’t available or used in the Salesforce UI. User sessions through the UI are either standard or high assurance. You can set this level using the API, but users assigned this level experience unpredictable and reduced functionality in their Salesforce org.

    Note

  • STANDARD—The user’s security level for the current session meets the Standard requirements set in the org’s Session Security Levels.
SourceIp
Type
string
Properties
Nillable
Description
The source IP address of the client that logged in. For example, 126.7.4.2.
UserCount
Type
string
Properties
Nillable
Description
The number of users affected by the event. This field has a maximum value of 1,000. If the user appears more than 1,000 times, the value remains at 1,000.
UserId
Type
reference
Properties
Nillable
Description
The user’s unique ID. For example, 005000000000123.
This is a polymorphic relationship field.
Relationship Name
User
Relationship Type
Lookup
Refers To
User
Username
Type
string
Properties
Nillable
Description
The username in the format of user@company.com at the time the event was created.