Table: salesforce_object_permission - Query Salesforce Object Permissions using SQL
Salesforce Object Permissions is a feature within Salesforce that allows you to control the level of access that users have to Salesforce objects. It provides a way to set up and manage permissions for various Salesforce objects, including accounts, contacts, leads, and opportunities. Salesforce Object Permissions helps you maintain the security and integrity of your Salesforce data by ensuring that users only have the appropriate level of access to Salesforce objects.
Table Usage Guide
The `salesforce_object_permission` table provides insights into the permissions that users have on Salesforce objects. As a Salesforce administrator, explore permission-specific details through this table, including the Salesforce object that the permission applies to, the type of permission, and the user or profile that the permission is associated with. Utilize it to uncover information about permissions, such as those that allow users to view, create, edit, or delete Salesforce objects.
Important Notes
- If the `naming_convention` configuration argument is set to `api_native`, please see API Native Examples.
Examples
Basic info
Explore which Salesforce object permissions allow for modification or viewing of all records. This is beneficial for assessing user access rights and ensuring appropriate security measures are in place.
```sql
select
  id,
  parent_id,
  sobject_type,
  permissions_modify_all_records,
  permissions_view_all_records
from
  salesforce_object_permission
order by
  sobject_type;
```
List permission sets with "Transfer Leads" permission on "Lead" object
Determine the areas in which specific permissions are granted for transferring leads. This query is useful for assessing user permissions and ensuring appropriate access control within your Salesforce environment.
```sql
select
  sop.id,
  sop.parent_id,
  sps.name,
  sps.permissions_transfer_any_lead,
  sop.sobject_type,
  sop.permissions_read,
  sop.permissions_create
from
  salesforce_object_permission sop,
  salesforce_permission_set sps
where
  sobject_type = 'Lead'
  and sps.id = sop.parent_id;
```
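The following audit query is an added example, not part of the plugin's own documentation. It ranks permission sets by how many objects they can view or modify regardless of sharing settings, and it assumes the default naming convention and uses only the columns shown on this page.

```sql
-- Added example: rank permission sets by the number of objects on which
-- they bypass sharing settings (View All / Modify All).
select
  sps.id as permission_set_id,
  sps.name as permission_set_name,
  -- Objects where assigned users can edit every record.
  count(*) filter (where sop.permissions_modify_all_records) as modify_all_count,
  -- Objects where assigned users can read every record.
  count(*) filter (where sop.permissions_view_all_records) as view_all_count,
  -- Names of the objects covered by Modify All, for review.
  string_agg(sop.sobject_type, ', ' order by sop.sobject_type)
    filter (where sop.permissions_modify_all_records) as modify_all_objects,
  -- Objects that are readable everywhere but not modifiable everywhere.
  string_agg(sop.sobject_type, ', ' order by sop.sobject_type)
    filter (
      where sop.permissions_view_all_records
      and not coalesce(sop.permissions_modify_all_records, false)
    ) as view_all_only_objects
from
  salesforce_object_permission sop
  join salesforce_permission_set sps on sps.id = sop.parent_id
where
  sop.permissions_modify_all_records
  or sop.permissions_view_all_records
group by
  sps.id,
  sps.name
order by
  modify_all_count desc,
  view_all_count desc,
  sps.name;
```

Permission sets at the top of the result grant the broadest record access and are the first candidates for a least-privilege review.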
API Native Examples
If the `naming_convention` config argument is set to `api_native`, the table and column names will match Salesforce naming conventions.
Basic info (with API Native naming convention)
Determine areas in which users have comprehensive permissions, such as the ability to view or modify all records, to understand potential security risks and compliance issues in your system.
```sql
select
  "ID",
  "ParentID",
  "SobjectType",
  "PermissionsModifyAllRecords",
  "PermissionsViewAllRecords"
from
  "ObjectPermission"
order by
  "SobjectType";
```
Show delete permissions
Determine the areas in which users have delete permissions to understand potential security risks or areas for access management improvements. This query is useful for administrators looking to optimize user roles and permissions.
```sql
select
  "ID",
  "ParentID",
  "SobjectType",
  "PermissionsModifyAllRecords",
  "PermissionsViewAllRecords"
from
  "ObjectPermission"
where
  "PermissionsDelete";
```
Show read permissions
Explore which Salesforce objects a user has read permissions for, allowing you to understand and manage access rights effectively. This can be particularly useful for auditing user permissions or troubleshooting access issues.
```sql
select
  "ID",
  "ParentID",
  "SobjectType",
  "PermissionsModifyAllRecords",
  "PermissionsViewAllRecords"
from
  "ObjectPermission"
where
  "PermissionsRead";
```
Schema for salesforce_object_permission
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
id | text | | The ObjectPermissions ID. |
parent_id | text | | The Id of this object's parent PermissionSet. |
permissions_create | boolean | | If true, users assigned to the parent PermissionSet can create records for this object. Requires PermissionsRead for the same object to be true. |
permissions_delete | boolean | | If true, users assigned to the parent PermissionSet can delete records for this object. Requires PermissionsRead and PermissionsEdit for the same object to be true. |
permissions_edit | boolean | | If true, users assigned to the parent PermissionSet can edit records for this object. Requires PermissionsRead for the same object to be true. |
permissions_modify_all_records | boolean | | If true, users assigned to the parent PermissionSet can edit all records for this object, regardless of sharing settings. Requires PermissionsRead, PermissionsDelete, PermissionsEdit, and PermissionsViewAllRecords for the same object to be true. |
permissions_read | boolean | | If true, users assigned to the parent PermissionSet can view records for this object. |
permissions_view_all_records | boolean | | If true, users assigned to the parent PermissionSet can view all records for this object, regardless of sharing settings. Requires PermissionsRead for the same object to be true. |
sobject_type | text | | The object's API name. For example, Merchandise__c. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the `steampipe_export_installer.sh` script:

```bash
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- salesforce
```
You can pass the configuration to the command with the `--config` argument:

```bash
steampipe_export_salesforce --config '<your_config>' salesforce_object_permission
```