How to Review Field-Level Security in Salesforce Using Permission Sets
By Andreea Doroftei
Every Salesforce professional has surely heard about field permissions or field-level security from day one of learning about Salesforce. As a core functionality that allows admins to grant users read or edit access on a field-by-field basis for most Salesforce objects, this is perhaps one of the most widely used features across all Salesforce implementations. But once these permissions are granted, how can you – or other admins – check which permission sets they’re part of, to avoid duplicating efforts?
In this post, we’ll cover a few ways to answer that question, ranging from long-standing mechanisms to the latest changes Salesforce has introduced to make this task much easier.
Permission Sets 101
When it comes to setting up user access in Salesforce, one profile is mandatory and should represent the minimum access needed. However, a single user can be assigned multiple combinations of object, user, and even system permissions, which are intended to extend their access for performing specific tasks within Salesforce. Each collection of permissions is called a permission set, which can then be further combined into permission set groups specific to various personas within your organization.

Since Salesforce announced a while back that permissions – including field-level security, among others – would move away from profiles to permission sets, this transition has started to become top of mind for Salesforce Admins. Even though an enforcement date is not yet established, innovations continue to be made in permission sets and permission set groups. Therefore, the sooner the transition is completed within your org, the better, with profiles remaining the baseline access.
Check Where Field Access Is Coming From
Whether it’s view-only or edit access, knowing where field permissions are located can answer the common question of who sees certain fields on records, list views, and reports, as well as why. Additionally, when using multiple permission sets, this knowledge can potentially eliminate the need to create new ones from scratch and simply allow you to assign the correct one.
Permission Set
If you’ve been working in Salesforce for quite some time, this is probably the first option that comes to mind: going to the Permission Sets page in Setup, finding the permission set, navigating to Object Settings, finding the object, and then finally editing or checking the object and field permissions. One fairly recent update to this page allows you to select all the fields with one click, either for read or edit access, and the latest addition is the View All Fields option.

You could save a click and a Ctrl + F by searching for the object directly – however, this option is not available for orgs with more than 500 objects in total, as the object will simply not appear as a suggestion.
Set Field-Level Security
While navigating to the Object Settings within a permission set gets the job done and allows you to see what fields a certain permission set grants access to, what about the other way around? If you enabled Field-Level Security for Permission Sets during field creation within User Management Settings in Setup, you’ll have a full view of the permission sets that grant access to a field, both during field creation and when you click the Set Field-Level Security button on an existing field in Object Manager.
Checking out this page doesn’t necessarily mean you have to make a change; it can also be a straightforward way for you to check which permission sets grant read or edit access. Additionally, you can filter the permission sets by whether or not they have access to objects, to paint a more complete picture.

View Summary
The latest innovation in terms of permission sets, which Salesforce made available as part of their effort to enhance Setup and facilitate user access management, is the View Summary button. This is available for permission set groups, public groups, and users as well, but we’ll focus specifically on the one from permission sets.
The summary page that opens after clicking the View Summary button from a Permission Set page includes much more than just field permissions: high-level details, object permissions, user permissions, custom permissions, and even the option to not only review permission set group assignments but also add or remove the permission set from one or more groups!
When it comes to field permissions specifically, you can easily select the object, spot read and edit access by the color-coded symbols, and search for the specific field you need to review. Using this option, in comparison to the Object Settings page, removes the need to navigate back and forth between the object list or open multiple tabs – one for each of the objects.

With the Summer ’25 release, not only will tabs become an option to review on the Permission Set summary page, but you will also be able to edit both field and object permissions directly from this list! It is clear that the summary pages are on their way to becoming the one-stop shop we’ve been looking for.

SOQL Queries
The options available in the user interface can be useful for spot checks if you’re already in Setup or Object Manager, but perhaps the fastest option is an SOQL query to return the information you need in just a few moments. The FieldPermissions standard object is what you need to query in order to obtain, for example, a complete list of objects and fields to which a permission set grants at least read access.
Select SObjectType, Field, PermissionsRead, PermissionsEdit
From FieldPermissions
Where Parent.Label = 'Permission Set Label OR Permission Set Group Label'

If you’re looking for the reverse – meaning finding out which permission sets include access to a certain field – you can filter by the field instead. Note that the parent is still the PermissionSet object; however, that object has an IsOwnedByProfile flag, which you can use to exclude any permissions owned by profiles for this example.
Select PermissionsRead, PermissionsEdit, Parent.Label, Parent.Id
From FieldPermissions
Where Field = 'Account.SLA__c' AND Parent.IsOwnedByProfile = false

Ideally, admins would no longer be adding field permissions on profiles, but the reality is that cleaning up and finalizing the transition takes quite a bit of time, especially for larger enterprise orgs. Queries are a great option for checking the profiles as well, and once again, the FieldPermissions object will be used to get the information.
Select SObjectType, Field, PermissionsRead, PermissionsEdit, Parent.Profile.Name
From FieldPermissions
Where Parent.IsOwnedByProfile = true
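
The following Python example is added here and is not part of the original post: it takes rows shaped like the results of the queries above and groups them per field, showing which permission sets grant edit or read-only access, which grants still sit on profiles, and where edit access overlaps between permission sets. The sample rows, the combined query in the comment, and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the records the REST API returns for
# this assumed query, which combines the fields used in the queries above:
#   SELECT Field, PermissionsRead, PermissionsEdit, Parent.Label,
#          Parent.IsOwnedByProfile, Parent.Profile.Name
#   FROM FieldPermissions WHERE SobjectType = 'Account'
def _row(field, edit, label, profile=None):
    parent = {"Label": label, "IsOwnedByProfile": profile is not None,
              "Profile": {"Name": profile} if profile else None}
    return {"Field": field, "PermissionsRead": True,
            "PermissionsEdit": edit, "Parent": parent}

SAMPLE_ROWS = [
    _row("Account.SLA__c", True, "Support Manager"),
    _row("Account.SLA__c", False, "Support Agent"),
    _row("Account.SLA__c", True, "SLA Editors"),
    _row("Account.SLA__c", False, "constructed-profile-owned-set", profile="Standard User"),
    _row("Account.Rating", False, "Support Agent"),
]

def source_name(parent):
    """Name a grant after its profile if profile-owned, else its permission set."""
    if parent["IsOwnedByProfile"]:
        return "Profile: " + parent["Profile"]["Name"]
    return "Permission set: " + parent["Label"]

def audit(rows):
    """Group grants per field into edit, read-only and profile-owned sources."""
    report = defaultdict(lambda: {"edit": [], "read_only": [], "on_profile": []})
    for row in rows:
        if not row["PermissionsRead"]:
            continue  # this row grants no access, nothing to report
        name = source_name(row["Parent"])
        entry = report[row["Field"]]
        entry["edit" if row["PermissionsEdit"] else "read_only"].append(name)
        if row["Parent"]["IsOwnedByProfile"]:
            entry["on_profile"].append(name)  # still to be moved off the profile
    return {f: {k: sorted(v) for k, v in e.items()} for f, e in report.items()}

def overlapping_edit(report):
    """Fields whose edit access comes from more than one permission set."""
    result = {}
    for field, entry in report.items():
        sets = [s for s in entry["edit"] if s.startswith("Permission set: ")]
        if len(sets) > 1:
            result[field] = sets
    return result

if __name__ == "__main__":
    for field, entry in sorted(audit(SAMPLE_ROWS).items()):
        print(field, entry)
    print("Overlapping edit grants:", overlapping_edit(audit(SAMPLE_ROWS)))
```
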

Summary
Finally, knowing your way around reviewing and granting access to certain fields – especially in a world where there may be dozens of permission sets in one org – can save a significant amount of time and help you answer access-related questions in no time. Depending on the scenario at hand, any of the above options could work, but ultimately, it’s all about choosing the route that works best for you.
How are you checking field-level security in your day-to-day? Let us know in the comments below!