You can use permission sets to grant access, but not to deny access.
create(), delete(), describeSObjects(), query(), retrieve(), search(), update(), upsert()
Use the PermissionSet object to query existing permission sets.
For example, to search for all permission sets that contain the “Modify All Data” permission:
SELECT Name, PermissionsModifyAllData FROM PermissionSet WHERE PermissionsModifyAllData=true
When combined with the PermissionSetAssignment object, you can create a nested query that returns all users assigned to a particular permission like “Modify All Data”:
SELECT Name, (SELECT AssigneeId FROM Assignments) FROM PermissionSet WHERE PermissionsModifyAllData=true
You can also create a permission set, or delete a permission set if it isn't assigned to a user.
The user license controls the permissions that are available in a permission set.
Every permission set can be associated with a user license or permission set license. If you plan to assign a permission set to multiple users with different user and permission set licenses, leave LicenseId empty. If only users with one type of license will use this permission set, set the LicenseId to that single user or permission set license. If you want a permission set associated with a permission set license, then set LicenseId to the permission set license. To get the LicenseId, run this query:
SELECT Id, Name FROM UserLicense
Alternatively, to query a user or profile for the LicenseId.
SELECT Id, Profile.UserLicenseId FROM User
When using the API, think of each permission set or related set of access controls as an empty container that you fill with permission records.
In these child objects, access is stored in a record, while the absence of a record indicates no access. To return a record in a SOQL query, a minimum permission or setting is required for each child object.
Because permissions are stored in related objects, it’s important to understand what questions to ask when using SOQL. For example, you might want to know which permission sets have “Delete” on an object or have the right to approve a return merchandise authorization (where the approval checkbox is controlled with field permissions). Asking the right questions when using SOQL with permission sets ensures that you get the information you need to make an informed decision, such as whether to migrate permissions or assign a permission set to a user.
For example, the following returns all permission sets where the “Read” permission is enabled for the Merchandise__c object.
SELECT SobjectType, ParentId, PermissionsRead FROM ObjectPermissions WHERE PermissionsRead = True AND SobjectType = 'Merchandise__c'
You can query for all permission sets that have “Read” on an object. However, you can’t query for permission sets that have no access on an object, because no records exist for that object. For example, the following returns no records because the object must have at least “Read” to return any records.
SELECT SobjectType, ParentId, PermissionsRead FROM ObjectPermissions WHERE PermissionsRead = False AND SobjectType = 'Merchandise__c'
If you have at least the “Read” permission on an object, you can create a conditional query on other permissions in the same object. For example, the following returns any records where the object has at least the “Read” permission but not the “Edit” permission.
SELECT ParentId, PermissionsRead, PermissionsEdit FROM ObjectPermissions WHERE PermissionsEdit = False AND SobjectType = 'Merchandise__c'
To set an object or field permission to no access, delete the record that contains the permission. For example, to disable all object permissions in the Merchandise__c object for a particular permission set, first query to retrieve the ID of the object permission record.
SELECT Id FROM ObjectPermissions WHERE SobjectType = 'Merchandise__c'
Then delete the IDs returned from the query.
If you try to update the object or field permissions by setting all permissions to false, the permission record is automatically deleted; any subsequent queries for the record ID won’t return results and you must add a new permission record to grant access.
You can build on the PermissionSet object using child relationships that show all of the permissions in a single permission set. For example, the following returns all permission sets and displays the “Transfer Leads” permission, as well as any “Read” permissions on any objects and fields.
SELECT Label, PermissionsTransferAnyLead, (SELECT SobjectType, PermissionsRead FROM ObjectPerms), (SELECT SobjectType, Field, PermissionsRead FROM FieldPerms) FROM PermissionSet
In API version 25.0 and later, every profile is associated with a permission set that stores the profile’s user, object, and field permissions, as well as setup entity access settings. You can query permission sets that are owned by profiles but not modify them.
The following example returns all permission sets, including those owned by a profile.
SELECT Id, Label, ProfileId, Profile.Name FROM PermissionSet
SELECT Id, Label, ProfileId, Profile.Name, IsOwnedByProfile FROM PermissionSet WHERE IsOwnedByProfile = FALSE
SELECT Id,ParentId, PermissionsRead, SobjectType, Parent.ProfileId FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = TRUE
SELECT Assignee.Name, PermissionSet.Id, PermissionSet.isOwnedByProfile FROM PermissionSetAssignment WHERE PermissionSetId IN (SELECT ParentId FROM ObjectPermissions WHERE SObjectType = 'Merchandise__c' AND PermissionsRead = true)
For permission sets that are owned by profiles, don’t use any Name and Label values that are returned in a query, as they can change at any time.