Skip to main content
All CollectionsSolution guidesUnderstand how the systems workUser access configuration
Audit who has access to Salesforce objects, fields, and other sensitive metadata and why
Audit who has access to Salesforce objects, fields, and other sensitive metadata and why

List of users with access to sensitive objects, fields, record types, and other metadata. Who can access data and through which permissions

Updated over a year ago

Using Elements.cloud, you can understand which profiles, permission sets and permission set groups grant access to metadata in your Org and review which users have what level of access and why. This allows you to audit and correct user permissions when needed.

Prerequisites

  • Your space must be on Enterprise license or consulting license

  • Synced Org Model

  • View access to the Org Model within Elements app

  • Scheduled batch job in the managed package to get profile data

Supported metadata

A profile or a permission set can grant access to many types of metadata. We can show you access for all of them:

  • Application

  • Apex Class

  • Custom Tab

  • Custom Metadata

  • Field (standard, custom)

  • Flow

  • Object (standard, custom, big, external)

  • Page Layout

  • Platform Event

  • Record Type

  • Visualforce Page

Understand what profiles, permission sets and permission set groups grant access to metadata

For the metadata types listed above, you can open the 'Access' tab in the right panel which looks like a fingerprint icon. There will be three nested lists:

  • Profiles that grant access to the component

  • Permission sets that grant access to the component

  • Permission set groups that grant access to the component

When you open any nested list in the access tab, you will see all permission controllers that grant access alongside how many users are assigned to it and what type of access is being granted.

Analyze user access to metadata

When you click 'Analyze user access' text button at the top of the access tab, we will display a modal window with the paginated list of users who have access to the selected metadata component.

You can then:

  • use the fields at the top of the window to filter users by L

    • name,

    • level of access,

    • profile, permission set or permission set group assignment

  • click on the hyperlinked username to open the user's record in Salesforce

  • click on the row with user's access to open a second window and understand which combination of profile, permission sets and permission set groups grant the specific access to the user

  • click on the permission controllers assigned to the user and capture a story record if you want to change user's assignment or change permissions being granted by the profile, permission set or permission set group

Report on user access

You can report on user access to your metadata:

  • CSV export of all users and their permissions on a given metadata:

    1. Select the metadata you are interested in (e.g. object)

    2. Open the 'Access' tab in the right panel and click 'Analyze access

    3. Click on the 'Export to CSV' text button in the bottom right corner of the window

    4. Wait for the notification bell to show up. When you click on the notification, the CSV file with all users and their permissions on the metadata will be downloaded to your computer.


  • Run a report on field access.

    1. Select the object you want to run the report on. Make it a root node in the org model tree.

    2. Click on a report icon in the top right corner of the screen.

    3. Click to run a new report.

    4. Choose field access report from the dropdown.


Related Articles
Get Salesforce user access data
Custom views of metadata
Understand what permissions are being granted by a profile or permission set
Users with dangerous permission
MetaFields: set up custom fields on Salesforce metadata
Did this answer your question?