In order to provide more granular and controlled access to flows, all our flows are enabled with access setting of "Override default behavior and restrict access to enabled profiles or permission sets" and access to the flows will be provisioned only using Permission Sets (Permission Set -> Flow Access settings).
We have a requirement to display the list of flows the user has access to based on the permission sets assigned to them. How can we achieve this using SOQL or Apex?
Best Answer
In short: I managed to do this in Apex by using apex-mdapi AFTER I updated the code to support flowAccesses. Here's the GitHub commit with the changes needed to support it. This is the only way I can see to do this through Apex, as you need to hit the Metadata API.
Very Long Version
I didn't see anything within SOQL or Tooling API that can be used. It seems like it's only available with the Metadata API based on the simple fact that you can retrieve this information with the following package.xml
This returns the following
That leaves you with trying to use Apex and the Metadata API. This isn't a supported type for what Salesforce provides access to through Apex. Likewise, I don't see any mention of flow access in the Metadata API Developer Guide which puzzled me. However, they do list the other naming conventions for other "access" types:
So now I looked towards apex-mdapi, which does allow you to interact with apex/Metadata API.
You can see the code/github here and this is a helpful answer with links to many questions concerning it. I had to make edits to it since it hasn't been updated since flowAccesses was brought into play. I used customMetadataTypeAccess (which is also relatively new) as a test since that one is at least documented in the developer guide.
You can see my changes in my forked repo and the latest commits contain all the changes needed for this in particular. Based on the naming convention in the developer guide (and testing that PermissionSetCustomMetadataTypeAccess[] worked first), I used PermissionSetFlowAccess[] and the example of the returned retrieve file to populate what the field names would be. You can see that the name of the flow is stored in <flow></flow>.
So now, going off all that above...
Depending on when/where your code is executing, you'd probably first want to get a list of permission sets assigned to the user using SOQL. From this, you can see the following should do the trick
Once you have a list of permission set names, you can call the Metadata API through the MetadataService you modified above to simply get those permission sets returned and loop through them to get a list of the Flows they have access to.
What I tested (using only 3 different flows):
See the debug log returned below:
Update: Just to show that the assumptions I made above for the naming convention at least are now corroborated by info in the Metadata API WSDL. You can see the naming for Profile and Permission Set.
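For an offline access review, the same question can be answered from the retrieved permission set metadata itself. The following is an added example, not code from the answer or from apex-mdapi: it assumes each flowAccesses entry carries an enabled and a flow element (the flow element is the one the answer describes), and the permission set names, flow names and XML are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
WRAP = '<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">%s</PermissionSet>'

# Constructed sample: permission set name -> retrieved metadata XML (names are hypothetical).
RETRIEVED = {
    "Flow_Sales_Access": WRAP % (
        "<flowAccesses><enabled>true</enabled><flow>Create_Quote</flow></flowAccesses>"
        "<flowAccesses><enabled>false</enabled><flow>Approve_Discount</flow></flowAccesses>"),
    "Flow_Service_Access": WRAP % (
        "<flowAccesses><enabled>true</enabled><flow>Create_Quote</flow></flowAccesses>"
        "<flowAccesses><enabled>true</enabled><flow>Escalate_Case</flow></flowAccesses>"),
    "Flow_Admin_Access": WRAP % (
        "<flowAccesses><enabled>true</enabled><flow>Reset_Integration</flow></flowAccesses>"),
}


def enabled_flows(permission_set_xml):
    """Return the set of flow names a single permission set enables."""
    root = ET.fromstring(permission_set_xml)
    flows = set()
    for access in root.findall("md:flowAccesses", NS):
        enabled = (access.findtext("md:enabled", "false", NS) or "").strip().lower()
        flow = (access.findtext("md:flow", "", NS) or "").strip()
        # An entry with enabled=false grants nothing and must not be listed.
        if enabled == "true" and flow:
            flows.add(flow)
    return flows


def flows_for_user(assigned_names, retrieved):
    """Map each accessible flow to the assigned permission sets granting it.

    assigned_names stands in for the result of the SOQL query on the user's
    permission set assignments. Assigned sets missing from the retrieve are
    returned separately so the review does not silently under-report access.
    """
    grants, missing = {}, []
    for name in assigned_names:
        if name not in retrieved:
            missing.append(name)
            continue
        for flow in enabled_flows(retrieved[name]):
            grants.setdefault(flow, []).append(name)
    return {f: sorted(n) for f, n in sorted(grants.items())}, sorted(missing)


if __name__ == "__main__":
    user_sets = ["Flow_Sales_Access", "Flow_Service_Access", "Not_Retrieved_PS"]
    print(flows_for_user(user_sets, RETRIEVED))
```

Recording which permission set grants each flow makes it easier to spot a flow reachable through more than one assignment when access is being removed.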