turbot/salesforce
steampipe plugin install salesforce

Table: salesforce_permission_set - Query Salesforce Permission Sets using SQL

Salesforce Permission Sets are a flexible and granular means of assigning permissions and access settings within a Salesforce organization. They allow you to extend users' functional access without changing their roles or profiles. Permission Sets can be used to grant additional permissions and access settings to users, on top of what their profile provides.

Table Usage Guide

The salesforce_permission_set table provides insights into Salesforce Permission Sets within a Salesforce organization. As a Salesforce administrator, explore permission set-specific details through this table, including assigned permissions, access settings, and associated metadata. Utilize it to uncover information about permission sets, such as those with specific user access, the permissions associated with each set, and the verification of access settings.

Important Notes

  • If the naming_convention configuration argument is set to api_native, please see API Native Examples.
  • This table has one field for each permission with the pattern permissions_permission_name, e.g., permissions_edit_task. If true, users assigned to this permission set have the named permission. The number of fields varies depending on the permissions for the organization and license type.

Examples

Basic info

Explore which permission sets are custom-made within your Salesforce environment. This can help you better manage user access and understand the creation timeline of these permission sets.

select
  id,
  name,
  label,
  description,
  is_custom,
  created_date
from
  salesforce_permission_set;

List non-custom permission sets

Explore which permission sets in your Salesforce environment are not custom-made. This helps to understand the default permissions given and aids in maintaining security standards.

select
  id,
  name,
  label,
  description,
  is_custom,
  created_date
from
  salesforce_permission_set
where
  not is_custom;

List permission sets that contain the "Modify All Data" permission

Explore which permission sets in Salesforce have been granted the capability to modify all data. This is useful to identify potential security risks and ensure only appropriate roles have such extensive permissions.

select
  id,
  name,
  label,
  description,
  is_custom,
  created_date,
  permissions_modify_all_data
from
  salesforce_permission_set
where
  permissions_modify_all_data;
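
The following triage query is an added example, not part of the original plugin documentation. It ranks permission sets that grant "Modify All Data" by how they are owned and whether they can be used without session activation, using only columns documented on this page; it assumes the default naming convention and Postgres syntax, and the 30-day window is an arbitrary choice.

```sql
-- Added example: triage of permission sets that grant "Modify All Data".
-- Assumes the default (non api_native) naming convention and Postgres syntax.
select
  name,
  label,
  -- Classify where the grant comes from, using the ownership columns in the schema.
  case
    when is_owned_by_profile then 'profile-owned'
    when coalesce(permission_set_group_id, '') <> '' then 'group-owned'
    when is_custom then 'custom'
    else 'standard'
  end as origin,
  -- false means the permission applies without an associated active session.
  has_activation_required,
  -- Non-empty when the set was installed as part of a managed package.
  namespace_prefix,
  last_modified_by_id,
  last_modified_date,
  -- Flag sets changed in the last 30 days (window chosen for illustration).
  last_modified_date >= now() - interval '30 days' as recently_changed
from
  salesforce_permission_set
where
  permissions_modify_all_data
order by
  has_activation_required,   -- sets that need no activation sort first
  last_modified_date desc;   -- most recently changed first
```

Rows with origin 'custom', has_activation_required false and recently_changed true are the ones to review first, since they are admin-created, always in effect and newly altered.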

API Native Examples

If the naming_convention config argument is set to api_native, the table and column names will match Salesforce naming conventions.

Basic info (with API Native naming convention)

Explore the basic details of your permission sets to understand their custom status and creation date. This can help you manage and organize your permission sets effectively.

select
  "ID",
  "Name",
  "Label",
  "Description",
  "IsCustom",
  "CreatedDate"
from
  "PermissionSet";

List non-custom permission sets (with API Native naming convention)

List the permission sets that are not custom. This can be useful in understanding the default sets provided by the platform and to ensure they align with your organization's security guidelines.

Postgres:

select
  "ID",
  "Name",
  "Label",
  "Description",
  "IsCustom",
  "CreatedDate"
from
  "PermissionSet"
where
  not "IsCustom";

SQLite:

select
  "ID",
  "Name",
  "Label",
  "Description",
  "IsCustom",
  "CreatedDate"
from
  "PermissionSet"
where
  "IsCustom" = 0;

Show permission sets created in last 30 days

Find permission sets created within the past 30 days. Reviewing recently created sets is useful for maintaining security and ensuring that permissions are up-to-date.

Postgres:

select
  "ID",
  "Name",
  "Label",
  "Description",
  "IsCustom",
  "CreatedDate"
from
  "PermissionSet"
where
  "CreatedDate" >= now() - interval '30' day;

SQLite:

select
  "ID",
  "Name",
  "Label",
  "Description",
  "IsCustom",
  "CreatedDate"
from
  "PermissionSet"
where
  "CreatedDate" >= datetime('now', '-30 day');

List permission sets where activation required

List the permission sets that require activation (an associated active session). This can help you identify areas where additional steps may be needed before the permission set can be used, improving your system's security and compliance.

Postgres:

select
  "ID",
  "Name",
  "Label",
  "Description",
  "IsCustom",
  "CreatedDate"
from
  "PermissionSet"
where
  "HasActivationRequired";

SQLite:

select
  "ID",
  "Name",
  "Label",
  "Description",
  "IsCustom",
  "CreatedDate"
from
  "PermissionSet"
where
  "HasActivationRequired" = 1;

Schema for salesforce_permission_set

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
| created_by_id | text | | The contact id of the user who created this permission set. |
| created_date | timestamp with time zone | | The Created Date. |
| description | text | | The description of the permission set. |
| has_activation_required | boolean | | Indicates whether the permission set requires an associated active session (true) or not (false). |
| id | text | | The unique id of the permission set. |
| is_custom | boolean | | If true, the permission set is custom (created by an admin); if false, the permission set is standard and related to a specific permission set license. |
| is_owned_by_profile | boolean | | If true, the permission set is owned by a profile. |
| label | text | | The permission set label, which corresponds to Label in the user interface. |
| last_modified_by_id | text | | The Last Modified By ID. |
| last_modified_date | timestamp with time zone | | The Last Modified Date. |
| license_id | text | | The ID of either the related PermissionSetLicense or UserLicense associated with this permission set. |
| name | text | | The permission set unique name in the API. |
| namespace_prefix | text | | The namespace prefix for a permission set that's been installed as part of a managed package. If the permission set isn't packaged or is part of an unmanaged package, this value is empty. |
| permission_set_group_id | text | | If the permission set is owned by a permission set group, this field returns the ID of the permission set group. |
| profile_id | text | | If the permission set is owned by a profile, this field contains the ID of the Profile. |
| system_modstamp | timestamp with time zone | | The date and time when order record was last modified by a user or by an automated process. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- salesforce

You can pass the configuration to the command with the --config argument:

steampipe_export_salesforce --config '<your_config>' salesforce_permission_set