To grant a user access to a field, associate a FieldPermissions record with a PermissionSet that’s assigned to a user. FieldPermissions records are only supported in PermissionSet, not in Profile.
create(), delete(), describeSObjects(), query(), retrieve(), update(), upsert()
Field Name | Details |
---|---|
Field |
|
ParentId |
|
PermissionsEdit |
|
PermissionsRead |
|
SobjectType |
|
FieldPermissions work similarly to ObjectPermissions. However, FieldPermissions includes a Field attribute to return the name of the field.
For example, the following query returns all FieldPermissions records that have at least the “Read” permission. The results include the field, object, and permission set names.
SELECT SobjectType, Field, PermissionsRead, Parent.Name FROM FieldPermissions WHERE PermissionsRead = True
Include the field’s parent object when querying FieldPermissions. For example, to find all rows that match the Account object’s Type field, create the following query:
SELECT Id, SobjectType, Field FROM FieldPermissions WHERE Field = 'Account.Type' AND SobjectType = 'Account'
To find which permission sets are backed by profiles with the Account object, you can use a query similar to this:
SELECT Id, ParentId, SobjectType, Field, PermissionsEdit, PermissionsRead, Parent.Name FROM FieldPermissions WHERE SobjectType = 'Account' and Parent.IsOwnedByProfile = true ORDER BY SObjectType, Field
Both SobjectType and Field must be included in the SELECT line of the query. You must also provide the full API name of the field in the form of SobjectType.Field when querying for a field.
When using the FieldPermission object to download records, depending on the SOQL query you use, you might not receive all expected records. Results might also appear incomplete. However, all records do download; fields that don't support field security and rows for entities not visible to the org are hidden.
The auto-number and formula fields have special rules for how field permissions work. Both have FieldPermissions records, but inserting and updating is limited to PermissionsRead. PermissionsEdit isn’t allowed for either field type, since these fields must be read-only for users.
The following field types don’t return a FieldPermissions record because they are assumed to always be readable.
The following field types don’t return a FieldPermissions record because they are assumed to always be readable and writable.
As a result, the following query returns no records, even though users do have some access to some of the fields.
SELECT Field, SobjectType, PermissionsRead FROM FieldPermissions WHERE Field='Id'
To determine if a field can return a FieldPermissions record, you can call a describeSObject() on the field. For example, describeSObject('Merchandise__c'), returns all the properties of the Merchandise custom object, including field properties. If you’re using a field whose permissionable property is false (such as any of the field types listed in this section), you can’t query, insert, update, or delete any field permissions records, because none exist.
While tasks and events are considered separate objects, they share a common set of activity custom fields. As a result, when a custom task field is created, a custom event field is also created, and vice versa. You can display the custom field on the event layout, task layout, or both event and task layouts.
Although custom activity fields are shared between tasks and events, you’ll see separate FieldPermissions records for the task and event. However, changes made to one field permission record are automatically made to the other. For example, if you create a custom activity field, assign field permissions to it in a permission set, and run the following query, the query will return two records with the same permission value.
SELECT Field, Id, ParentId, PermissionsEdit, PermissionsRead, SobjectType FROM FieldPermissions WHERE SobjectType = 'event' OR SobjectType ='task'
If you then update one of the records with a different set of field permission values and run the query again, the same permission values for both records are returned.
SELECT PermissionsEditReadonlyFields, (SELECT SobjectType, Field, PermissionsRead, PermissionsEdit FROM FieldPerms WHERE SobjectType = 'Merchandise__c') FROM PermissionSet WHERE PermissionsEditReadonlyFields = true
As a result, it’s possible to traverse the relationship between the PermissionSet and any child related objects (in this case, FieldPermissions). You can do this from the PermissionSet object by using the child relationship (ObjectPerms, FieldPerms, and so on) or from the child object by referencing the PermissionSet with Parent.permission_set_attribute.
It’s important to consider when to use a conditional WHERE statement to restrict the result set. To query based on an attribute on the permission set object, nest the SOQL with the child relationship. However, to query based on an attribute on the child object, you must reference the permission set parent attribute in your query.
SELECT PermissionsEditReadonlyFields, (SELECT SobjectType, Field, PermissionsRead, PermissionsEdit FROM FieldPerms WHERE SobjectType = 'Merchandise__c') FROM PermissionSet WHERE PermissionsEditReadonlyFields = true
SELECT SobjectType, Field, PermissionsRead, PermissionsEdit, Parent.Name, Parent.PermissionsEditReadonlyFields FROM FieldPermissions WHERE SObjectType='Merchandise__c'