FieldPermissions

Represents the enabled field permissions for the parent PermissionSet. This object is available in API version 24.0 and later.

To grant a user access to a field, associate a FieldPermissions record with a PermissionSet that’s assigned to a user. FieldPermissions records are only supported in PermissionSet, not in Profile.

Supported Calls

create()delete()describeSObjects()query()retrieve()update()upsert()

Fields

Field Name Details
Field
Type
picklist
Properties
Create, Filter, Group, Restricted picklist, Sort
Description
The field’s API name. This name must be prefixed with the SobjectType. For example, Merchandise__c.Description__c
ParentId
Type
reference
Properties
Create, Filter, Group, Sort
Description
The Id of the field’s parent PermissionSet.
PermissionsEdit
Type
boolean
Properties
Create, Defaulted on create, Filter, Group, Sort, Update
Description
If true, users assigned to the parent PermissionSet can edit this field. Requires PermissionsRead for the same field to be true.
PermissionsRead
Type
boolean
Properties
Create, Defaulted on create, Filter, Group, Sort, Update
Description
If true, users assigned to the parent PermissionSet can view this field. A FieldPermissions record must have at minimum PermissionsRead set to true, or it will be deleted.
SobjectType
Type
picklist
Properties
Create, Filter, Group, Restricted picklist, Sort
Description
The object’s API name. For example, Merchandise__c.

Usage

FieldPermissions work similarly to ObjectPermissions. However, FieldPermissions includes a Field attribute to return the name of the field.

For example, the following query returns all FieldPermissions records that have at least the “Read” permission. The results include the field, object, and permission set names.

SELECT SobjectType, Field, PermissionsRead, Parent.Name
FROM FieldPermissions
WHERE PermissionsRead = True

Include the field’s parent object when querying FieldPermissions. For example, to find all rows that match the Account object’s Type field, create the following query:

SELECT Id, SobjectType, Field
FROM FieldPermissions
WHERE Field = 'Account.Type' AND SobjectType = 'Account'

To find which permission sets are backed by profiles with the Account object, you can use a query similar to this:

SELECT Id, ParentId, SobjectType, Field, PermissionsEdit, PermissionsRead, Parent.Name
FROM FieldPermissions
WHERE SobjectType = 'Account' and Parent.IsOwnedByProfile = true
ORDER BY SObjectType, Field

Both SobjectType and Field must be included in the SELECT line of the query. You must also provide the full API name of the field in the form of SobjectType.Field when querying for a field.

Note

Note

When using the FieldPermission object to download records, depending on the SOQL query you use, you might not receive all expected records. Results might also appear incomplete. However, all records do download; fields that don't support field security and rows for entities not visible to the org are hidden.

Special Properties for Field Permissions

The auto-number and formula fields have special rules for how field permissions work. Both have FieldPermissions records, but inserting and updating is limited to PermissionsRead. PermissionsEdit isn’t allowed for either field type, since these fields must be read-only for users.

The following field types don’t return a FieldPermissions record because they are assumed to always be readable.

The following field types don’t return a FieldPermissions record because they are assumed to always be readable and writable.

As a result, the following query returns no records, even though users do have some access to some of the fields.

SELECT Field, SobjectType, PermissionsRead
FROM FieldPermissions
WHERE Field='Id'

To determine if a field can return a FieldPermissions record, you can call a describeSObject() on the field. For example, describeSObject('Merchandise__c'), returns all the properties of the Merchandise custom object, including field properties. If you’re using a field whose permissionable property is false (such as any of the field types listed in this section), you can’t query, insert, update, or delete any field permissions records, because none exist.

Working with Custom Activity Fields

While tasks and events are considered separate objects, they share a common set of activity custom fields. As a result, when a custom task field is created, a custom event field is also created, and vice versa. You can display the custom field on the event layout, task layout, or both event and task layouts.

Although custom activity fields are shared between tasks and events, you’ll see separate FieldPermissions records for the task and event. However, changes made to one field permission record are automatically made to the other. For example, if you create a custom activity field, assign field permissions to it in a permission set, and run the following query, the query will return two records with the same permission value.

SELECT Field, Id, ParentId, PermissionsEdit, PermissionsRead, SobjectType
FROM FieldPermissions
WHERE SobjectType = 'event' OR SobjectType ='task'

If you then update one of the records with a different set of field permission values and run the query again, the same permission values for both records are returned.

Nesting Field Permissions

You can nest FieldPermissions in a PermissionSet query. For example, the following returns any permission sets where “Edit Read Only Fields” is true. Additionally, the result set will include both the “Read” and “Edit” field permission on the Merchandise object. This is done by nesting the SOQL with a field permission query using the relationship name for field permissions: FieldPerms.
SELECT PermissionsEditReadonlyFields,
(SELECT SobjectType, Field, PermissionsRead, PermissionsEdit
FROM FieldPerms
WHERE SobjectType = 'Merchandise__c')
FROM PermissionSet
WHERE PermissionsEditReadonlyFields = true

As a result, it’s possible to traverse the relationship between the PermissionSet and any child related objects (in this case, FieldPermissions). You can do this from the PermissionSet object by using the child relationship (ObjectPerms, FieldPerms, and so on) or from the child object by referencing the PermissionSet with Parent.permission_set_attribute.

It’s important to consider when to use a conditional WHERE statement to restrict the result set. To query based on an attribute on the permission set object, nest the SOQL with the child relationship. However, to query based on an attribute on the child object, you must reference the permission set parent attribute in your query.

The following two queries return the same columns with different results, based on whether you use the child relationship or parent notation.
SELECT PermissionsEditReadonlyFields,
(SELECT SobjectType, Field, PermissionsRead, PermissionsEdit
FROM FieldPerms
WHERE SobjectType = 'Merchandise__c')
FROM PermissionSet
WHERE PermissionsEditReadonlyFields = true
versus:
SELECT SobjectType, Field, PermissionsRead, PermissionsEdit, Parent.Name,
   Parent.PermissionsEditReadonlyFields
FROM FieldPermissions
WHERE SObjectType='Merchandise__c'

See Also