turbot/salesforce
steampipe plugin install salesforce

Table: salesforce_object_permission - Query Salesforce Object Permissions using SQL

Salesforce Object Permissions is a feature within Salesforce that allows you to control the level of access that users have to Salesforce objects. It provides a way to set up and manage permissions for various Salesforce objects, including accounts, contacts, leads, and opportunities. Salesforce Object Permissions helps you maintain the security and integrity of your Salesforce data by ensuring that users only have the appropriate level of access to Salesforce objects.

Table Usage Guide

The salesforce_object_permission table provides insights into the permissions that users have on Salesforce objects. As a Salesforce administrator, explore permission-specific details through this table, including the Salesforce object that the permission applies to, the type of permission, and the user or profile that the permission is associated with. Utilize it to uncover information about permissions, such as those that allow users to view, create, edit, or delete Salesforce objects.

Important Notes

  • If the naming_convention configuration argument is set to api_native, please see API Native Examples.

Examples

Basic info

Explore which Salesforce object permissions allow for modification or viewing of all records. This is beneficial for assessing user access rights and ensuring appropriate security measures are in place.

select
  id,
  parent_id,
  sobject_type,
  permissions_modify_all_records,
  permissions_view_all_records
from
  salesforce_object_permission
order by
  sobject_type;

List permission sets with "Transfer Leads" permission on "Lead" object

Determine the areas in which specific permissions are granted for transferring leads. This query is useful for assessing user permissions and ensuring appropriate access control within your Salesforce environment.

select
  sop.id,
  sop.parent_id,
  sps.name,
  sps.permissions_transfer_any_lead,
  sop.sobject_type,
  sop.permissions_read,
  sop.permissions_create
from
  salesforce_object_permission as sop
  join salesforce_permission_set as sps on sps.id = sop.parent_id
where
  sop.sobject_type = 'Lead';
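
An added example, not part of the plugin's documentation: using the same join, it summarises per permission set how many objects are granted View All or Modify All, the two permissions the schema below describes as applying regardless of sharing settings. It assumes the default naming convention and Steampipe's Postgres engine.

```sql
-- Added example: permission sets whose object permissions bypass sharing settings.
-- Uses only columns shown on this page (id, name, parent_id, sobject_type,
-- permissions_modify_all_records, permissions_view_all_records).
select
  sps.id as permission_set_id,
  sps.name as permission_set_name,
  -- number of objects on which this permission set grants Modify All
  count(*) filter (where sop.permissions_modify_all_records) as modify_all_objects,
  -- number of objects on which this permission set grants View All
  count(*) filter (where sop.permissions_view_all_records) as view_all_objects,
  -- the objects behind the Modify All count, for review
  string_agg(sop.sobject_type, ', ' order by sop.sobject_type)
    filter (where sop.permissions_modify_all_records) as modify_all_on
from
  salesforce_object_permission as sop
  join salesforce_permission_set as sps on sps.id = sop.parent_id
where
  sop.permissions_modify_all_records
  or sop.permissions_view_all_records
group by
  sps.id,
  sps.name
order by
  modify_all_objects desc,
  view_all_objects desc;
```

Permission sets at the top of the result are the first candidates for a least-privilege review, since their grants are not limited by record sharing rules.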

API Native Examples

If the naming_convention config argument is set to api_native, the table and column names will match Salesforce naming conventions.

Basic info (with API Native naming convention)

Determine areas in which users have comprehensive permissions, such as the ability to view or modify all records, to understand potential security risks and compliance issues in your system.

select
  "ID",
  "ParentID",
  "SobjectType",
  "PermissionsModifyAllRecords",
  "PermissionsViewAllRecords"
from
  "ObjectPermission"
order by
  "SobjectType";

Show delete permissions

Determine the areas in which users have delete permissions to understand potential security risks or areas for access management improvements. This query is useful for administrators looking to optimize user roles and permissions.

select
  "ID",
  "ParentID",
  "SobjectType",
  "PermissionsModifyAllRecords",
  "PermissionsViewAllRecords"
from
  "ObjectPermission"
where
  "PermissionsDelete";

Show read permissions

Explore which Salesforce objects a user has read permissions for, allowing you to understand and manage access rights effectively. This can be particularly useful for auditing user permissions or troubleshooting access issues.

select
  "ID",
  "ParentID",
  "SobjectType",
  "PermissionsModifyAllRecords",
  "PermissionsViewAllRecords"
from
  "ObjectPermission"
where
  "PermissionsRead";

Schema for salesforce_object_permission

| Name | Type | Operators | Description |
|------|------|-----------|-------------|
| _ctx | jsonb | | Steampipe context in JSON form. |
| id | text | | The ObjectPermissions ID. |
| parent_id | text | | The Id of this object's parent PermissionSet. |
| permissions_create | boolean | | If true, users assigned to the parent PermissionSet can create records for this object. Requires PermissionsRead for the same object to be true. |
| permissions_delete | boolean | | If true, users assigned to the parent PermissionSet can delete records for this object. Requires PermissionsRead and PermissionsEdit for the same object to be true. |
| permissions_edit | boolean | | If true, users assigned to the parent PermissionSet can edit records for this object. Requires PermissionsRead for the same object to be true. |
| permissions_modify_all_records | boolean | | If true, users assigned to the parent PermissionSet can edit all records for this object, regardless of sharing settings. Requires PermissionsRead, PermissionsDelete, PermissionsEdit, and PermissionsViewAllRecords for the same object to be true. |
| permissions_read | boolean | | If true, users assigned to the parent PermissionSet can view records for this object. |
| permissions_view_all_records | boolean | | If true, users assigned to the parent PermissionSet can view all records for this object, regardless of sharing settings. Requires PermissionsRead for the same object to be true. |
| sobject_type | text | | The object's API name. For example, Merchandise__c. |
| sp_connection_name | text | | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- salesforce

You can pass the configuration to the command with the --config argument:

steampipe_export_salesforce --config '<your_config>' salesforce_object_permission