Troubleshoot user access with SOQL

How to Troubleshoot User Access with SOQL (Beginner Friendly)

By

Awesome Admins, we know that troubleshooting user access is a common task. You’re frequently asked questions like “Why can Jane access this field, but John can’t?” or “Why can John view this record when he shouldn’t be able to?” In Summer ’24, we introduced helpful summary views for users, public groups, permission sets, and permission set groups, which make answering user access questions much easier. If you want to level up your troubleshooting skills even more, you can use SOQL queries along with these summary views. By querying, you get even more information, including why a user has access, and even export data if needed.

Let’s explore a few examples of questions you can answer.

Which permission sets give Jane the Read permission for Cases?

Let’s say you’ve used the user access summary to determine that Jane has the Read permission for Cases, but now you want to quickly know which permission sets are granting this access. Use this query on the PermissionSetAssignment object to return all the permission sets assigned to Jane that grant this permission.

SELECT AssigneeId,Id,IsActive,PermissionSetId,
PermissionSet.Name FROM PermissionSetAssignment
    WHERE PermissionSetId IN 
        (SELECT ParentId
        FROM ObjectPermissions WHERE SobjectType = 'Case' 
        AND PermissionsRead = true)
    AND AssigneeId = '005XXXXXXXXXXXXIAS' ## Jane's user ID

Note: The query returned a list of permission sets. However, access can be granted by a permission set group or profile. Did you know that each permission set group or profile has an associated permission set? When you query the PermissionSet object, you can get the ProfileId, Profile.Name, and PermissionSetGroupId that the permission set is associated with.

Select Id, name, PermissionSetGroupId, Profile.Name, ProfileId
    FROM PermissionSet 
    WHERE Id IN ('0PSXXXXXXXXXXXXWAM', '0PSXXXXXXXXXXXXWAY', '0PSXXXXXXXXXXXXWAZ') ## [list of permission set IDs]

Which permission sets give Jane the Edit permission for the Description field on opportunities?

This query is similar to the first, except this time we’re looking for which permission sets grant Jane a certain field permission. As you surely inferred, you can modify any of these queries depending on the type of permission (object, field, or user) you’re looking into.

SELECT AssigneeId,ExpirationDate,Id,IsActive,
PermissionSetGroupId,PermissionSetId,
PermissionSet.Name FROM PermissionSetAssignment 
    WHERE PermissionSetId in 
        (SELECT ParentId 
        FROM FieldPermissions
        WHERE Field='Account.CustomerPriority__c' 
        AND PermissionsEdit = true ) 
    AND AssigneeId = '005XXXXXXXXXXXXIAS' ## Jane's user ID

Which records can Jane edit?

In addition to troubleshooting permissions, you likely get questions about your users’ access to specific records. You can query the UserRecordAccess object to return up to 200 record IDs. Here we’re returning the set of records that Jane can edit out of a list of records, but you can also check for different access levels or return what access the user has for each record.

SELECT RecordId
     FROM UserRecordAccess
     WHERE UserId = '005XXXXXXXXXXXXIAS' ## Jane's user ID
     AND RecordId IN [list of IDs]
     AND HasEditAccess = true

Concluding tips

We’re only scratching the surface on queries here. But, hopefully, these ready-made examples can jump-start your own exploration with troubleshooting user access using SOQL.

As a reference, here are quick links to API objects and in-app features that are useful for access troubleshooting.

Area

API

In-App

I want info on a user's object, field, or user permissions.

I want to know a user's access for a record. I want to know why the user has that access.

UserRecordAccess (doesn't explain reason for access)

I want to know whether a user can access a specific flow, Apex class, or other access setting.

I want to know the relationship between permission sets and permission set groups.

I want to understand public group or queue membership.

For many more examples of querying permissions, records, and access settings, see Example Queries for Troubleshooting Access Issues in Salesforce Help. If you prefer troubleshooting within the app itself, check out Troubleshooting User Access Issues and Insufficient Privileges Errors for walkthroughs on resolving issues.

Thank you to Dana Holloway (Lead Technical Writer) and Nikhil Gupta (Lead Engineer) for their collaboration on this article.

Resources

User management enhancements Winter '25

User Management Enhancements | Winter ’25 Be Release Ready

Winter ’25 is almost here! Learn more about user management and check out Be Release Ready to discover more resources to help you prepare for Winter ’25. We’re continuing to innovate in Setup starting with user access and user management. We have several exciting enhancements in store for Winter ’25–many thanks to your feedback and […]

READ MORE