Skip to main content

Sharing access to profile or permission set via API in Salesforce

 There are certain scenarios where we cannot or may be difficult to open up access (of object, Field, Pages or Classes) in profile or permission set directly via UI. In this article, we will see two such scenarios and check the alternate approach.

Use Case :

  • Sharing Class or Page access to profile or Permission Set via UI is not possible when your organization have a lot of classes already. The UI will throw an internal error because of heap size limit exception hit while loading all the classes from the organization. Hence We need an alternate way to share the class with profile
  • Sometimes you receive a request to move object permissions or Field level permissions of an object during a deployment window. You are in need of faster approach to move the permissions instead of manually copying the permissions.

To start with, Let’s first understand the profile data model. Each profile is linked to an underlying permission set which is the parent of the objects SetupEntityAccess, ObjectPermissions and FieldPermissions. As of Spring ’20 and later, only users with "View Setup and Configuration" permission can access these objects.

SetupEntityAccess

Represents the enabled setup entity access settings (such as for Apex classes) for the parent PermissionSet. This object is available in API version 25.0 and later. You can query, create and delete the records, but not update the records of this object.

Fields

  • ParentId : The id of the Permission Set
  • SetupEntityId : The ID of the entity for which access is enabled, such as an Apex class or Visualforce page.
  • SetupEntityType : The type of setup entity for which access is enabled. Valid values are:
    • ApexClass for Apex classes
    • ApexPage for Visualforce pages
    • In API version 28.0 and later, ConnectedApplication for OAuth connected apps
    • In API version 31.0 and later, CustomPermission for custom permissions
    • In API version 28.0 and later, ServiceProvider for service providers
    • In API version 28.0 and later, TabSet for apps
    • In API version 48.0 and later, CustomEntityDefinition for Custom Settings and Custom Metadata Types

Sample Query to retrieve entity access settings for the profile "Soloution Manager":

Select id, SetupEntityId, SetupEntityType from SetupEntityAccess where parent.profile.name='Solution Manager'

ObjectPermissions

Represents the enabled object permissions for the parent PermissionSet. This object is available in API version 24.0 and later.

Fields

  • ParentId : The id of the Permission Set
  • SobjectType : The object's API Name
  • PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords

Sample Query to retrieve object permissions for the profile "Soloution Manager":

Select id,SobjectType, PermissionsRead,PermissionsCreate, PermissionsEdit,PermissionsDelete,PermissionsViewAllRecords,PermissionsModifyAllRecords from ObjectPermissions where parent.profile.name ='Solution Manager'

FieldPermissions

Represents the enabled field permissions for the parent PermissionSet. This object is available in API version 24.0 and later.

Fields

  • ParentId : The id of the Permission Set
  • SobjectType : The object's API Name
  • Field : The field’s API name. This name must be prefixed with the SobjectType. For example, Account.Description__c
  • PermissionsRead, PermissionsCreate

Sample Query to retrieve field permissions for the profile "Soloution Manager":

Select id,SobjectType, Field,PermissionsRead, PermissionsEdit from FieldPermissions where parent.profile.name ='Solution Manager' order by SobjectType,Field ASC

These objects can be used either via API or via anonymous apex to make changes on Object Permissions, Field Permissions and Setup Entities in the permission set or permission set related to the profile. This could save a lot of manual time for the administrators.

Hope this article helps and thank you for your time in reading this.

Cheers :)

Comments