Using Elements.cloud, you can understand which profiles, permission sets and permission set groups grant access to metadata in your Org and review which users have what level of access and why. This allows you to audit and correct user permissions when needed.
Prerequisites
Your space must be on an Enterprise license or a consulting license
Synced Org Model
View access to the Org Model within the Elements app
Scheduled batch job in the managed package to get profile data
Supported metadata
A profile or a permission set can grant access to many types of metadata. We can show you access for all of them:
Application
Apex Class
Custom Tab
Custom Metadata
Field (standard, custom)
Flow
Object (standard, custom, big, external)
Page Layout
Platform Event
Record Type
Visualforce Page
Understand what profiles, permission sets and permission set groups grant access to metadata
For the metadata types listed above, you can open the 'Access' tab in the right panel, which is marked with a fingerprint icon. It contains three nested lists:
Profiles that grant access to the component
Permission sets that grant access to the component
Permission set groups that grant access to the component
When you open any nested list in the Access tab, you will see every permission controller that grants access, alongside how many users are assigned to it and what type of access it grants.
Analyze user access to metadata
When you click the 'Analyze user access' text button at the top of the Access tab, a modal window opens with a paginated list of the users who have access to the selected metadata component.
You can then:
use the fields at the top of the window to filter users by name, level of access, or profile, permission set or permission set group assignment
click on the hyperlinked username to open the user's record in Salesforce
click on the row with a user's access to open a second window and understand which combination of profile, permission sets and permission set groups grants the specific access to the user
click on the permission controllers assigned to the user and capture a story record if you want to change the user's assignment or change the permissions being granted by the profile, permission set or permission set group
Report on user access
You can report on user access to your metadata:
CSV export of all users and their permissions on a given metadata component:
Select the metadata you are interested in (e.g. object)
Open the 'Access' tab in the right panel and click 'Analyze access'
Click on the 'Export to CSV' text button in the bottom right corner of the window
Wait for the notification bell to show up. When you click on the notification, the CSV file with all users and their permissions on the metadata will be downloaded to your computer.
Run a report on field access.
Select the object you want to run the report on. Make it a root node in the org model tree.
Click on the report icon in the top right corner of the screen.
Click to run a new report.
Choose field access report from the dropdown.