What I want to do:
I am trying to create a tool in Java, which query permission sets from Salesforce Org using REST(As we do in workbench).
After getting all the permission sets which field permissions, I want generate an excel workbook which will have all permission sets with all objects with fls.
Where I am:
I am able to query permissions sets with fls and able to generate excel workbook.
My apporach:
I have a permission set abc.
This permission set has below permission for Account object fields:
I run below SOQL to get field permission for the permission set:
SELECT Parent.Name,Field,PermissionsRead,PermissionsEdit
FROM FieldPermissions WHERE SObjectType IN ('Account') AND Parent.Name IN ('abc')
But I get results like below:
I am expecting result like below:
How can I get all field permissions using SOQL?
Best Answer
As mentioned by @benahm, SOQL on FieldPermissions retrieves only enabled field permissions for the permission set.
Furthermore, as per chapter "Special Properties for Field Permissions" in documentation here, fields that are always readable and/or writable, don’t return a FieldPermissions record.
Note that getDescribe methods can also be accessed via REST API, refer to this guide
For example you can do a GET call to this endpoint to retrieve list of fields for Asset object:
/services/data/v47.0/sobjects/Asset/describe/
From the response,
fields
list provides several attributes on each field, more info hereNote: The name of the attributes are different when getDescribe is called from API compared to via APEX, for e.g
isNillable()
becomesnillable
for API resultSo compare
fields
list attributes from getDescribe response with SOQL result on FieldPermissions.If a field has nillable = false and permissionable = false but does not appear in SOQL on FieldPermissions, it means that field cannot be empty but we cannot assign FLS to it, then the field is always readable (e.g Id field wont appear on FieldPermissions result but PermissionRead is true)
If a field has nillable = true and permissionable = true but does not appear in SOQL on FieldPermissions, then we can deduce that PermissionRead and PermissionEdit is false
If a field has nillable = true and permissionable = true and appears in SOQL on FieldPermissions, then retrieve PermissionRead and PermissionEdit from FieldPermissions SOQL
If a field has nillable = true and permissionable = false and does not appear in SOQL on FieldPermission, then consider PermissionRead is true because it can be another type of field which is always readable e.g. CurrencyISOCode which can always have default currency field
For missing field from SOQL on FieldPermissions, also check the field attribute updateable from getDescribe response, to determine if field can have true or false for PermissionEdit .