[SalesForce] Get all field level permission from SOQL for an permission set

What I want to do:

I am trying to create a tool in Java, which query permission sets from Salesforce Org using REST(As we do in workbench).

After getting all the permission sets which field permissions, I want generate an excel workbook which will have all permission sets with all objects with fls.

Where I am:
I am able to query permissions sets with fls and able to generate excel workbook.

My apporach:
I have a permission set abc.

This permission set has below permission for Account object fields:

enter image description here

I run below SOQL to get field permission for the permission set:

SELECT Parent.Name,Field,PermissionsRead,PermissionsEdit 

FROM FieldPermissions WHERE SObjectType IN ('Account') AND Parent.Name IN ('abc')

But I get results like below:

enter image description here

I am expecting result like below:

enter image description here

How can I get all field permissions using SOQL?

Best Answer

As mentioned by @benahm, SOQL on FieldPermissions retrieves only enabled field permissions for the permission set.

Furthermore, as per chapter "Special Properties for Field Permissions" in documentation here, fields that are always readable and/or writable, don’t return a FieldPermissions record.

Note that getDescribe methods can also be accessed via REST API, refer to this guide

For example you can do a GET call to this endpoint to retrieve list of fields for Asset object: /services/data/v47.0/sobjects/Asset/describe/

From the response, fields list provides several attributes on each field, more info here

Note: The name of the attributes are different when getDescribe is called from API compared to via APEX, for e.g isNillable() becomes nillable for API result

So compare fields list attributes from getDescribe response with SOQL result on FieldPermissions.

If a field has nillable = false and permissionable = false but does not appear in SOQL on FieldPermissions, it means that field cannot be empty but we cannot assign FLS to it, then the field is always readable (e.g Id field wont appear on FieldPermissions result but PermissionRead is true)

If a field has nillable = true and permissionable = true but does not appear in SOQL on FieldPermissions, then we can deduce that PermissionRead and PermissionEdit is false

If a field has nillable = true and permissionable = true and appears in SOQL on FieldPermissions, then retrieve PermissionRead and PermissionEdit from FieldPermissions SOQL

If a field has nillable = true and permissionable = false and does not appear in SOQL on FieldPermission, then consider PermissionRead is true because it can be another type of field which is always readable e.g. CurrencyISOCode which can always have default currency field

For missing field from SOQL on FieldPermissions, also check the field attribute updateable from getDescribe response, to determine if field can have true or false for PermissionEdit .

Related Topic