Field-level permissions are essential for accessing data in PeopleGlass and creating views. If a user lacks read access to a field, it won't appear in the object description or be selectable in the view configuration.
In Salesforce, field access is managed through Profiles and Permission Sets. A user's permissions are determined by combining all assigned profiles and permission sets.
Note: Some of the methods described below require SFDC System Admin privileges. PeopleGlass uses the SFDC API and respects all of Salesforce's security, validation rules, and permission sets. Typically, field issues stem from field or profile permissions in SFDC, not from PeopleGlass.
Configuring Field Access
As mentioned, a user's effective permissions are the combination of all assigned profiles and permission sets, so inspecting one of them may not give a complete picture. The following methods describe ways to verify that access to a field has been granted through a given profile or permission set.
Profile Level
The following methods apply only to profile configurations and won't reveal any access provided by Permission Sets.
The Field Accessibility tool can quickly reveal field-level access granted by profiles.
Go to Setup
In the Quick Find box, type “Field Accessibility”
Select the object for the fields you would like to verify access to
Either select View by Fields or View by Profiles
Next, select either the profile or the fields you’d like to inspect
Click on the value in the Field Access column to change the value
Make appropriate changes to provide visibility and edit access
Alternatively, you can open the tool for a single field through the Object Manager:
Go to Setup.
In the Quick Find box, type Object Manager and select the object containing the field.
Click on the object name.
Select Fields & Relationships.
Find the field and click on it.
Click Set Field-Level Security.
Here, you can view which Profiles have access. To check Permission Sets, you must use Method 1 or SOQL.
Permission Set Level
To check granted permissions using a specific Permission Set:
Go to Setup.
In the Quick Find box, type Permission Sets and select it.
Click on the specific Permission Set you want to check.
Under Apps, click Object Settings.
Select the Object that contains the field you're checking.
Scroll down to Field Permissions and check the Read and Edit access.
If Permission Set Groups are used, their details show the aggregation of permissions from all included Permission Sets.
Go to Setup.
In the Quick Find box, type Permission Set Groups and select it.
Click on the specific Permission Set Group you want to check.
Under Combined Permissions, click Object Settings.
Select the Object that contains the field you're checking.
Scroll down to Field Permissions and check the Read and Edit access.
Combined Profile/Permission Approach
A SOQL query can list entries related to all permission sets and profiles that grant access to a given field. The query can be executed from the Developer Console, Workbench, or any other tool. Unlike other tools, Developer Console cannot display the Profile Name.
Open Developer Console (Click your profile icon > Developer Console).
Go to Query Editor and run this SOQL:
SELECT Field, PermissionsRead, PermissionsEdit, Parent.ProfileId, Parent.Profile.Name, Parent.Label
FROM FieldPermissions
WHERE SObjectType = 'Account' AND Field = 'Account.AccountNumber'
Replace 'Account' with your object API name.
Replace 'Account.AccountNumber' with your sObject and field API name.
The query will show which Profiles and Permission Sets have Read or Edit access.
Note: Field names are defined in SOBJECT.FIELD_NAME format.
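The combining rule applied to the output of the query above, as an added example (not PeopleGlass or Salesforce code): a field is readable or editable if any profile or permission set assigned to the user grants it. It assumes ParentId is added to the SELECT list and that the caller supplies the Ids of the permission sets (including the profile-owned one) assigned to the user; the sample rows and Ids are constructed.

```python
import json

# Constructed sample in the REST query-result shape for the FieldPermissions
# query above, with ParentId added to the SELECT list (assumption). Ids are made up.
SAMPLE = json.loads("""{"records": [
 {"Field": "Account.AccountNumber", "PermissionsRead": true, "PermissionsEdit": false,
  "ParentId": "0PS000000000001",
  "Parent": {"Label": "n/a", "Profile": {"Name": "Standard User"}}},
 {"Field": "Account.AccountNumber", "PermissionsRead": true, "PermissionsEdit": true,
  "ParentId": "0PS000000000002",
  "Parent": {"Label": "Finance Editors", "Profile": null}},
 {"Field": "Account.AccountNumber", "PermissionsRead": true, "PermissionsEdit": false,
  "ParentId": "0PS000000000003",
  "Parent": {"Label": "Auditors", "Profile": null}}
]}""")


def grantor(rec):
    """Name the profile or permission set behind one FieldPermissions row."""
    parent = rec.get("Parent") or {}
    profile = parent.get("Profile")
    if profile:  # row belongs to a profile
        return "Profile: " + profile["Name"]
    return "Permission Set: " + str(parent.get("Label"))


def effective_access(records, field, assigned_parent_ids):
    """OR together every grant on `field` coming from a parent assigned to the user."""
    result = {"read": False, "edit": False, "read_from": [], "edit_from": []}
    for rec in records:
        if rec["Field"].lower() != field.lower():
            continue  # row is for another field
        if rec["ParentId"] not in assigned_parent_ids:
            continue  # grant exists, but not on anything this user holds
        if rec["PermissionsRead"]:
            result["read"] = True
            result["read_from"].append(grantor(rec))
        if rec["PermissionsEdit"]:
            result["edit"] = True
            result["edit_from"].append(grantor(rec))
    return result


if __name__ == "__main__":
    held = {"0PS000000000001", "0PS000000000003"}  # hypothetical user's assignments
    print(effective_access(SAMPLE["records"], "Account.AccountNumber", held))
```

The read_from and edit_from lists name the grantors, which is useful when an unexpected grant has to be traced back to a specific permission set.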
User Field Access
If users should have permission from a configuration perspective, but PeopleGlass still does not show the field after “Connection Refresh”, the following methods can be used to determine whether the user has actually been granted the permissions, regardless of which permission set or profile provides them.
Field in the record Page Layout
The administrator can place the field on the record page, and if it is displayed to the user, then the field is accessible.
Object Describe (Workbench)
Using tools such as Workbench, you can get a complete description of an object from the user's perspective. The results show all fields that are accessible to the user.
The user must execute this method, as the description API runs in the logged-in user's context. Users who have access to the Workbench Tool can execute the following steps:
Login (to Production or Sandbox)
Change the input field value to:
/services/data/v62.0/sobjects/SOBJECT_NAME/describe
Provide sObject API name
e.g.: /services/data/v62.0/sobjects/opportunity/describe
Click the Execute button
Expand the fields row
If the field you are looking for is not present, you don't have access to it. Otherwise, you can read the field. Check its createable and updateable properties to determine whether it is editable.
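The same check run over a saved describe response for several fields at once, as an added example (not PeopleGlass or Salesforce code). The describe JSON below is a constructed, heavily trimmed sample, and the list of wanted fields is hypothetical; a field missing from the response is reported as not visible, which can also mean the API name was mistyped.

```python
import json

# Constructed, trimmed describe response (a real one carries many more keys).
DESCRIBE = json.loads("""{"name": "Opportunity", "fields": [
  {"name": "Name",      "createable": true,  "updateable": true},
  {"name": "Amount",    "createable": false, "updateable": false},
  {"name": "StageName", "createable": true,  "updateable": false}
]}""")


def classify_fields(describe, wanted):
    """Map each wanted field API name to the access the describing user has."""
    # API names are matched case-insensitively.
    by_name = {f["name"].lower(): f for f in describe.get("fields", [])}
    report = {}
    for name in wanted:
        field = by_name.get(name.lower())
        if field is None:
            # Absent from describe: no read access for this user (or a wrong name).
            report[name] = "not visible"
        elif field.get("updateable"):
            report[name] = "read/edit"
        elif field.get("createable"):
            report[name] = "read, writable on create only"
        else:
            report[name] = "read-only"
    return report


def missing_fields(describe, wanted):
    """Fields a view needs that the describing user cannot see at all."""
    report = classify_fields(describe, wanted)
    return [n for n in wanted if report[n] == "not visible"]


if __name__ == "__main__":
    view_fields = ["Name", "Amount", "StageName", "Probability"]  # hypothetical view
    for name, access in classify_fields(DESCRIBE, view_fields).items():
        print(f"{DESCRIBE['name']}.{name}: {access}")
```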
Object Describe (Developer console APEX)
If an admin or user can access the Developer Console and execute a block of Apex code, the following code can be used to check access to a specific field.
System.debug('Has access: ' + Schema.sObjectType.Account.fields.AccountNumber.isAccessible());
Tooling API Query (Developer console APEX)
This method allows Administrators to verify field access for any user in question.
Note: ‘DeveloperName’ for custom fields must be specified without the namespace prefix and the __c suffix.
// 1. Retrieve the field's Durable Id
SELECT DurableId, DeveloperName, NamespacePrefix FROM FieldDefinition WHERE EntityDefinitionId = 'Account' AND DeveloperName = 'Name'
// 2. Query User Field Access using the Field Durable Id from step 1 and the Id of the user in question
SELECT Id, IsAccessible, IsUpdatable FROM UserFieldAccess WHERE DurableId = '<DURABLE_ID>.<USER_ID>'
Troubleshooting
The techniques below only work for profiles and do not surface permissions provided by Permission Sets or Groups.
Using "Field Accessibility" is an easy way to check this. You select the object and then by field or profile, allowing you to quickly check an entire profile for this access.
SOQL (Developer Console)
You can check field permissions using SOQL:
Open Developer Console (Click your profile icon > Developer Console).
Go to Query Editor and run this SOQL:
SELECT Field, PermissionsRead, PermissionsEdit, Parent.Profile.Name, Parent.Label
FROM FieldPermissions
WHERE SObjectType = 'Account' AND Field = 'Account.AccountNumber'
Replace 'Account' with your object API name.
Replace 'Account.AccountNumber' with your sObject and field API name.
Note: Field names are defined in SOBJECT.FIELD_NAME format.
The query will show which Profiles and Permission Sets have Read or Edit access.
Describe API
Unlike the above methods, describe runs in the user's context. Thus, users can determine for themselves whether they have access to a specific field.
This method returns aggregate results for all permission sets, groups, and profiles. Users who have access to the Workbench Tool can execute the following steps:
Login (to Production or Sandbox)
Change the URL text to
/services/data/v62.0/sobjects/SOBJECT_NAME/describe
Change the sobject as needed
e.g.: /services/data/v62.0/sobjects/opportunity/describe
Click the Execute button
Expand the fields row
If the field you are looking for is not present, you don't have access to it. Otherwise, you can read the field. Check its createable and updateable properties to determine whether it is editable.