Tutorial: Check field and system permissions in screen flows when using System Context using ExecuteSOQL

With the advent of System-context screen flows I can't help but think of the famous phrase 'With great power comes great responsibility'. When running screen flows in system context, you could inadvertently grant Read or Edit access to a critical system field to the wrong audience. Let's say you wanted to do some cool stuff like in Jen Lee's recent post about Community User Management, and you want to ensure the person running the flow has the 'Manage External User' permission. Her flow does this check using a custom permission, which is totally fine; the approach here just checks the system permissions directly.

All of that is possible with some straightforward SOQL queries against the Permission Set Assignment object. You may or may not be aware, but the PermissionSet object actually contains Profile permissions as well so it’s a one-stop shop for getting Field and System permissions!

Run an action to check a field permission

The following example will walk you through a VERY basic scenario where a Flow presents a screen to update a given field and the flow is running in System context – God mode.

  • We let the user pick an Account Rating in a basic Flow screen with a picklist radio button.
  • We run the ExecuteSOQL action to check if the running user has 'Edit' permission for the Account Rating field.
  • For older versions of ExecuteSOQL that return an 'empty' collection, we assign the count of the results to a number variable.
  • We then use a decision to see if the number of permissions assigned to the user is > 0.
  • We then either show a screen that says you can't edit the field, or we move on with updating it.
Flow Overview

Most of you can probably handle the beginning and end – so I’ll provide some more color on the middle part that does the permission checking.

  • You’ll want to construct your query using a Plain Text text template variable:

SELECT AssigneeId, PermissionSetId, PermissionSet.Name, PermissionSet.Profile.Name
FROM PermissionSetAssignment
WHERE Assignee.Id = '{!formulaRunningUserID}'
AND PermissionSetId IN (SELECT ParentId FROM FieldPermissions WHERE SobjectType = 'Account' AND Field = 'Account.Rating' AND PermissionsEdit = true)

*WARNING* If you make any edits to the text template variable, a Flow bug will revert the template back to rich text and it will break the action! Make sure you revert it to Plain Text after every edit.

  • Next up is to make the ExecuteSOQL action:
  • Here’s an example result from the action above that returns the permission granted by the System Admin profile when run as myself.
  • (For older versions of ExecuteSOQL only) You'll then want to assign the number of results to a number variable, since older versions of ExecuteSOQL return an empty collection if no results are found. Make sure you set the default value to 0 when creating the variable.
  • Use an ISNULL check if you’re using the latest and greatest.
  • Create your decision and you’re done!

Checking multiple fields

You could of course extend this to multiple fields in one query by modifying the SOQL query, for example:

SELECT AssigneeId, PermissionSetId, PermissionSet.Name, PermissionSet.Profile.Name
FROM PermissionSetAssignment
WHERE Assignee.Id = '0051I000000UB4LQAW'
AND PermissionSetId IN (SELECT ParentId FROM FieldPermissions WHERE SobjectType = 'Account' AND
Field IN ('Account.Rating', 'Account.Type') AND PermissionsEdit = true)
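The same field-level check, wrapped in an Apex invocable action so a system-context flow can call it without a text template. This is an added example, not code from the original post or from ExecuteSOQL; the class, variable and label names are my own, and it assumes the flow passes an object API name and an object-qualified field API name (as in the queries above). It generalizes the single-field query to any object and field, and uses bind variables rather than building the SOQL string by hand.

```apex
// Added example: reusable "can the running user edit this field?" check for flows.
// Class and member names are assumptions, not part of the original post.
public with sharing class FieldEditPermissionCheck {

    public class Request {
        @InvocableVariable(required=true label='Object API name')
        public String sobjectType;   // e.g. 'Account'
        @InvocableVariable(required=true label='Field API name, object-qualified')
        public String fieldName;     // e.g. 'Account.Rating'
    }

    public class Result {
        @InvocableVariable(label='Running user can edit the field')
        public Boolean canEdit;
        @InvocableVariable(label='Number of permission sets or profiles granting Edit')
        public Integer grantCount;
    }

    @InvocableMethod(label='Check field Edit permission for running user')
    public static List<Result> check(List<Request> requests) {
        List<Result> results = new List<Result>();
        // UserInfo.getUserId() is still the running user in system context,
        // so no formula resource holding the user Id is needed.
        Id runningUser = UserInfo.getUserId();
        for (Request req : requests) {
            // Bind variables (:var) instead of string concatenation: the object and
            // field names supplied by the flow cannot change the shape of the query.
            // One query per request; keep request lists small to stay within limits.
            Integer grants = [
                SELECT COUNT()
                FROM PermissionSetAssignment
                WHERE AssigneeId = :runningUser
                AND PermissionSetId IN (
                    SELECT ParentId FROM FieldPermissions
                    WHERE SobjectType = :req.sobjectType
                    AND Field = :req.fieldName
                    AND PermissionsEdit = true)
            ];
            Result r = new Result();
            r.grantCount = grants;
            r.canEdit = grants > 0;   // same decision as the flow: count > 0 means Edit is granted
            results.add(r);
        }
        return results;
    }
}
```

Because COUNT() always returns an integer, the flow no longer has to special-case an empty collection versus a null result; the decision simply tests canEdit.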

System permission checks

You can also check for specific system permissions! Let’s say you wanted a Flow embedded on the Case layout that manages the Contact’s community user record. The query below could be used to check if the user handling the case has permissions to manage the external user account:

SELECT AssigneeId, PermissionSetId, PermissionSet.Name, PermissionSet.Profile.Name
FROM PermissionSetAssignment
WHERE Assignee.Id = '{!formulaRunningUserId}'
AND PermissionSetId IN (SELECT Id FROM PermissionSet WHERE PermissionsManagePartners = true)