24 June 2013

Mass Assign Permission Sets and other cool things using the API

The Salesforce sObject API is an important part of permission sets, allowing you to perform tasks that you cannot perform through the permission set UIs.  Some administrators may already be comfortable with the salesforce.com sObject API, but for those who are not, it is possible to use the API without writing a bunch of source code by using the Workbench tool at http://workbench.developerforce.com/.  While Workbench has a great query builder interface, below are some example queries.

Users with a Permission like Modify All Data

Because a user’s effective permissions are determined by both their profile and all assigned permission sets, it actually requires two queries to determine which users have a particular permission.  The query below asks the question: which users are assigned to a profile or permission set that contains Modify All Data?  The PermissionSet.isOwnedByProfile column in the results shows whether each match comes from a profile or from a permission set.

SELECT AssigneeId, Assignee.Name, PermissionSet.Label, PermissionSet.isOwnedByProfile
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsModifyAllData = true

Permission Sets Assigned to a User

SELECT PermissionSet.Id, PermissionSet.Name
FROM PermissionSetAssignment
WHERE Assignee.Username = 'admin@my.org' AND
PermissionSet.isOwnedByProfile = false

Permission Sets with a Particular Token

In a previous section, it was suggested that adding tokens to your permission set names or descriptions may be useful.  Here is a query that looks for a token within a permission set description:

SELECT Id, Name, Description
FROM PermissionSet
WHERE Description Like '%#salesrep#%'

Mass Assign Permission Sets to Users

It is possible to perform mass assignment of permission sets via the sObject API.  This is performed by inserting PermissionSetAssignment records (unassigning is nothing more than deleting the PermissionSetAssignment records).  To perform this operation with a spreadsheet and the Workbench, follow these instructions:

  1. Select “Insert” from the “Data” menu at the top of your browser window.
  2. Select PermissionSetAssignment from the ObjectType menu.
  3. Select the “From File” radio button and choose your CSV-formatted spreadsheet.
  4. Click “Next”.
  5. Map the columns from your spreadsheet as appropriate.
  6. Click “Map Fields”.
  7. Choose whether you wish to process the request asynchronously.
  8. Click “Confirm Insert”.
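
One way to prepare the spreadsheet for the steps above, as an added example that is not part of the original post: a Python script that builds the CSV with the two PermissionSetAssignment fields to map (AssigneeId and PermissionSetId), rejects IDs of the wrong object type, and skips assignments that already exist. The function names, the export format for existing assignments, and all IDs are constructed for illustration.

```python
import csv
import io
import re

ID_RE = re.compile(r"^[A-Za-z0-9]{15}([A-Za-z0-9]{3})?$")

def norm(sf_id):
    """Reduce a 15- or 18-character Salesforce ID to its case-sensitive 15-character form."""
    sf_id = sf_id.strip()
    if not ID_RE.match(sf_id):
        raise ValueError(f"not a Salesforce ID: {sf_id!r}")
    return sf_id[:15]

def build_insert_csv(user_ids, permission_set_id, existing_csv=""):
    """Return (csv_text, skipped) for a PermissionSetAssignment insert.

    existing_csv is an assumed export of:
      SELECT AssigneeId, PermissionSetId FROM PermissionSetAssignment
    """
    ps = norm(permission_set_id)
    if not ps.startswith("0PS"):  # standard key prefix of PermissionSet records
        raise ValueError(f"not a PermissionSet ID: {permission_set_id!r}")
    already = {(norm(r["AssigneeId"]), norm(r["PermissionSetId"]))
               for r in csv.DictReader(io.StringIO(existing_csv))}
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["AssigneeId", "PermissionSetId"])
    seen, skipped = set(), []
    for raw in user_ids:
        uid = norm(raw)
        if not uid.startswith("005"):  # standard key prefix of User records
            raise ValueError(f"not a User ID: {raw!r}")
        if uid in seen or (uid, ps) in already:
            skipped.append(raw)  # duplicate in the input or already assigned
            continue
        seen.add(uid)
        writer.writerow([uid, ps])
    return out.getvalue(), skipped

# Constructed sample data, not real record IDs.
EXISTING = "AssigneeId,PermissionSetId\n005000000000001AAA,0PS000000000001GAA\n"
USERS = ["005000000000001", "005000000000002AAA", "005000000000002"]

if __name__ == "__main__":
    text, skipped = build_insert_csv(USERS, "0PS000000000001", EXISTING)
    print(text, end="")
    print("skipped:", skipped)
```

Reviewing the skipped list before uploading shows which users already hold the permission set, so the insert grants only the access that is actually new.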


  1. This is so useful! Is there a resource that lists the different permission names that can be queried this way?

    1. Hi Rhonda,

      I'm working on a post to help with this. The single best method I know is to use the describeSObject() method which you can use with the workbench tool by going to Info > Standard & Custom Objects and selecting either permission set or profile from the picklist. The reason why you have to do this is that on an org-by-org basis, permission values will change based on what was purchased, enabled, etc… Hope this helps!