Skip to main content

PeopleGlass Field Permission in Salesforce

An overview of PeopleGlass field permissions within Salesforce

Updated over a week ago

Field-level permissions are essential for accessing data in PeopleGlass and creating views. If a user lacks read access to a field, it won't appear in the object description or be selectable in the view configuration.

In Salesforce, field access is managed through Profiles and Permission Sets. A user's permissions are determined by combining all assigned profiles and permission sets.

Note: Some of the methods described below require SFDC System Admin privileges. PeopleGlass uses the SFDC API and respects all of Salesforce's security, validation rules, and permission sets. Typically, any field issues result from field or Permission Profiles in SFDC, not due to PeopleGlass.

Configuring Field Access

As mentioned, the resulting bundle of permissions is a mix of all the tools, and inspecting one may not give a complete picture. The following methods describe ways to verify that access to a field has been granted through a given profile or permission set.

Profile Level

The following methods apply only to profile configurations and won't reveal any access provided by Permission Sets.

The Field Accessibility tool can quickly reveal field-level access granted by profiles.

  1. Go to Setup

  2. In the Quick Find box, type “Field Accessibility”

  3. Select the object for the fields you would like to verify access to

  4. Either select View by Fields or View by Profiles

  5. Next, select either the profile or the fields you’d like to inspect

  6. Click on the value in the Field Access column to change the value

  7. Make appropriate changes to provide visibility and edit access

Alternatively, you can open the tool through the object manager for a single field

  1. Go to Setup.

  2. In the Quick Find box, type Object Manager and select the object containing the field.

  3. Click on the object name.

  4. Select Fields & Relationships.

  5. Find the field and click on it.

  6. Click Set Field-Level Security.

  7. Here, you can view which Profiles have access. To check Permission Sets, you must use Method 1 or SOQL.

Permission Set Level

To check granted permissions using a specific Permission Set:

  1. Go to Setup.

  2. In the Quick Find box, type Permission Sets and select it.

  3. Click on the specific Permission Set you want to check.

  4. Under Apps, click Object Settings.

  5. Select the Object that contains the field you're checking.

  6. Scroll down to Field Permissions and check the Read and Edit access.

If Permission Set Groups are used, their details show the aggregation of permissions from all included Permission Sets.

  1. Go to Setup.

  2. In the Quick Find box, type Permission Set Groups and select it.

  3. Click on the specific Permission Set Groups you want to check.

  4. Under Combined Permissions, click Object Settings.

  5. Select the Object that contains the field you're checking.

  6. Scroll down to Field Permissions and check the Read and Edit access.

Combined Profile/Permission Approach

A SOQL query can list entries related to all permission sets and profiles that grant access to a given field. The query can be executed from the Developer Console, Workbench, or any other tool. Unlike other tools, Developer Console cannot display the Profile Name.

  1. Open Developer Console (Click your profile icon > Developer Console).

  2. Go to Query Editor and run this SOQL:

    SELECT Field, PermissionsRead, PermissionsEdit, Parent.ProfileId, Parent.Profile.Name, Parent.Label 
    FROM FieldPermissions
    WHERE SObjectType = 'Account' AND Field = 'Account.AccountNumber

  3. Replace 'Account' with your object API name.

  4. Replace 'Account.AccountNumber with your sObject and field API name.

  5. The query will show which Profiles and Permission Sets have Read or Edit access.

Note: Field names are defined in SOBJECT.FIELD_NAME format.

User Field Access

If it is believed that users should have permission from a configuration perspective, but PeopleGlass still does not show the field after “Connection Refresh”, the following methods can be used to determine whether the user has granted permissions, regardless of which permission set or profile provides them.

Field in the record Page Layout

The administrator can place the field on the record page, and if it is displayed to the user, then the field is accessible.

Object Describe (Workbench)

Using tools such as Workbench, you can get a complete description of an object from the user's perspective. The results show all fields that are accessible to the user.

The user must execute this method, as the description API runs in the logged-in user's context. Users who have access to the Workbench Tool can execute the following steps:

  1. Login (to Production or Sandbox)

  2. Change the input field value to:

    • /services/data/v62.0/sobjects/SOBJECT_NAME/describe

  3. Provide sObject API name

    • i.e.,: /services/data/v62.0/sobjects/opportunity/describe

  4. Click the Execute button

  5. Expand the fields row

    • If the field you are looking for is not present, you don't have access to it. Otherwise, you can read the field. Check createable and updateable properties to determine whether they are editable.

Object Describe (Developer console APEX)

If an admin or user can access the developer console and execute a block of APEX code, the following code can be used to access a specific field.

System.debug('Has access: ' + Schema.sObjectType.Account.fields.AccountNumber.isAccessible());

Tooling API Query (Developer console APEX)

This method allows Administrators to verify field access for any user in question.

Note: ‘DeveloperName’ for Custom fields must be specified without namespace prefix and __c affix.

// 1. Retrieve Field Durable Id

SELECT DurableId, DeveloperName, NamespacePrefix FROM FieldDefinition where EntityDefinitionId = 'Account' AND DeveloperName = 'Name'

// 2. Query User Fied Access using above Field Durable ID and User ID in question

SELECT Id, IsAccessible, IsUpdatable FROM UserFieldAccess where DurableId = '<DURABLE_ID>.<USER_ID>'

Troubleshooting

The techniques below only work for profiles and do not surface permissions provided by Permission Sets or Groups.

Using "Field Accessibility" is an easy way to check this. You select the object and then by field or profile, allowing you to quickly check an entire profile for this access.

SOQL (Developer Console)

You can check field permissions using SOQL:

  1. Open Developer Console (Click your profile icon > Developer Console).

  2. Go to Query Editor and run this SOQL:

    SELECT Field, PermissionsRead, PermissionsEdit, Parent.Profile.Name, Parent.Label 

    FROM FieldPermissions

    WHERE SObjectType = 'Account' AND Field = 'Account.AccountNumber'
  3. Replace 'Account' with your object API name.

  4. Replace 'Account.AccountNumber with your sObject and field API name.

    • Note: Field names are defined in SOBJECT.FIELD_NAME format

  5. The query will show which Profiles and Permission Sets have Read or Edit access.

Describe API

Unlike the above methods, describe runs in the user's context. Thus, the user can determine whether he has access to a specific field.

This method returns aggregate results for all permission sets, groups, and profiles. Users who have access to the Workbench Tool can execute the following steps:

  1. Login (to Production or Sandbox)

  2. Change the URL text to

    • /services/data/v62.0/sobjects/SOBJECT_NAME/describe

  3. Change the sobject as needed

    • Ie: /services/data/v62.0/sobjects/opportunity/describe

  4. Click the Execute button

  5. Expand the fields row

    • If the field you are looking for is not present, you don't have access to it. Otherwise, you can read the field. Check createable and updateable properties to determine whether they are editable.

Did this answer your question?