In short: I managed to do this in Apex by using apex-mdapi AFTER I updated the code to support flowAccesses. - here's the github commit with changes needed to support it. This is the only way I can see to do this through Apex as you need to hit the Metadata API.
Very Long Version
I didn't see anything within SOQL or Tooling API that can be used. It seems like it's only available with the Metadata API based on the simple fact that you can retrieve this information with the following package.xml
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
<types>
<members>test</members>
<name>PermissionSet</name>
</types>
<version>47.0</version>
</Package>
This returns the following
<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
<flowAccesses>
<enabled>true</enabled>
<flow>Test_Flow_Name</flow>
</flowAccesses>
<hasActivationRequired>false</hasActivationRequired>
<label>test</label>
<license>Salesforce</license>
</PermissionSet>
That leaves you with trying to use Apex and the Metadata API. This isn't a supported type for what Salesforce provides access to through Apex. Likewise, I don't see any mention of flow access in the Metadata API Developer Guide which puzzled me. However, they do list the other naming conventions for other "access" types:
PermissionSetApplicationVisibility[]
PermissionSetApexClassAccess[]
PermissionSetCustomMetadtaTypeAccess[]
etc.
So now I looked towards apex-mdapi which does allow you to interact with apex/Metadata API
You can see the code/github here and this is a helpful answer with links to many questions concerning it. I had to make edits to it since it hasn't been updated since flowAccesses
was brought into play. I used customMetadataTypeAccess
(which is also relatively new) as a test since that one is at least documented in the developer guide.
You can see my changes in my forked repo and the latest commits contains all the changes needed for this in particular. Based on the naming convention in the developer guide (and testing that PermissionSetCustomMetadataTypeAccess[]
worked first), I used PermissionSetFlowAccess[]
and the example of the returned retrieve file to populate what the field names would be. You can see that the name of the flow is stored in <flow></flow>
So now, going off all that above...
Depending on when/where your code is executing, you'd probably first want to get a list of permission sets assigned to the user using SOQL. From this, you can see the following should do the trick
SELECT PermissionSet.Name FROM PermissionSetAssignment WHERE AssigneeId = 'User Name here'
Once you have a list of permission set names, you can call the Metadata API through the MetadataService
you modified above to simply get those permission sets returned and loop through them to get a list of the Flows they have access to.
public class testmetadata {
public static MetadataService.MetadataPort createService()
{
MetadataService.MetadataPort service = new MetadataService.MetadataPort();
service.SessionHeader = new MetadataService.SessionHeader_element();
service.SessionHeader.sessionId = UserInfo.getSessionId();
return service;
}
public static void testPerm()
{
//presumably you'd pass this list based on the SOQL query
String[] permissionSetNames = new String[] {'test', 'test2', 'test3'};
String message = '';
MetadataService.MetadataPort service = createService();
List<MetadataService.PermissionSet> perm = (List<MetadataService.PermissionSet>) service.readMetadata('PermissionSet', permissionSetNames).getRecords();
//loop through returned permission sets based on the names assigned to user
for(MetadataService.PermissionSet permSet : perm){
message = permSet.fullName + ' with access to the following flow(s): ';
//loop through flows that are enabled for access in each perm set to display name
for(MetadataService.PermissionSetFlowAccess singleFlow : permSet.flowAccesses){
message += singleFlow.flow + ', ';
}
System.debug(message);
}
}
}
What I tested (using only 3 different flows):
- Created 3 permission sets - test1, test2, test3
- Gave test1 access to one flow
- Gave test2 access to 2 flows
- Gave test3 access to 3 flows
See the debug log returned below:
Update: Just to show that the assumptions I made above for the naming convention at least are now corroborated by info in the Metadata API WSDL. You can see the naming for Profile and Permission Set.
Record triggered flows always run in system mode without sharing, so it is not configurable on the flow itself. The same applies to the Scheduled flow and Process Builder
Recommend reviewing doc
I will reach out to the Salesforce team that owns this feature to have this information added to our documentation too and will update this thread as I have more inputs.
UPDATE: The documentation has been updated to reflect Record-triggered : System, without sharing
Best Answer
Run Flows
&Manage Flows
permissions enables a user to be able to run flow or create/ edit flow respectively, in general.Run Flows
should be sufficient for a user to be able to run the flow, unless you want to override this default behavior and have the flow run by users with specific profiles or permissions sets.Check out this help article, specifically how to edit access for individual flow. make it available in the flow access section for a specific profile.
I think the problem you are having is due to record, object or field level access (not due to lack of access to run flow). So, refer to this article to understand under which user context your flow is running. As mentioned here, Org-wide default settings, role hierarchies, sharing rules, manual sharing, teams, and territories also impact what data is accessible to flows that run in user context. You might have to enable record level access or go to
Object Settings
in the profile to enable relevant object level & field level access.