Salesforce Permissions Report

Once a week, for every full backup, the permissions report uses the Field-Level-Security (FLS) feature to analyze the field level permissions in your Salesforce Org. This report lists the fields that the authenticated user does not have permission for in their Salesforce Org. FLS allows a layer of permission complexity to exclude the reading of specific fields, even for users who have object permissions. By default, specific fields are excluded by certain objects for the System Admin.

If there are any fields that need excluding, an error appears on the report page. You can choose to exclude certain fields if you do not want the authenticated user to have permission for them, or they are not deemed critical by the business.

We aim to provide clients with a Full & Complete backup of all the Data, Metadata, Attachments, Content Documents and Knowledgebase Articles. To ensure this, we automatically analyze the field-level-security on completion of every Full Backup.
If unreadable fields are detected due to changes made to profiles and/or permissions, a warning is shown on the service's Permissions Report page that the data has been excluded.

To immediately see the changes reflected and not wait until the next Full Backup, manually run an "Analyze Profile Permissions" job directly, by clicking the Analyze Permissions button.

An actionable remediation tool is also provided. An option exists to export the Field Level Security Report as a ZIP package for updating the permission set of the integration user. Click the Download Package, to export the Field Level Security Report. The permissions report only shows fields the integration user cannot access. It does not show what object permissions are missing.

This enables admins to update the permission set to any user with missing field permissions, using Force.com IDE and other similar tools. See the steps below on how to deploy the Package as a permission set in Workbench.
To fix these gaps within Salesforce, first ensure that the authenticated user complies with these settings.

Deploy Missing FLS via Workbench

By downloading the Salesforce compatible package, you can easily update a permission set that applies to the authenticated user.

NOTE: Security assignments, permission sets, and profile management are the sole responsibility of the user.

NOTE: We use IntegrationUserMissingFields as the default name for the permission set. If you prefer a different name for the permission set, follow the instructions in Part 4 (below).

Part 1: Review Report and Download Package

View the permission report in the application to see the field list and download the data as a Salesforce-compatible Package.

NOTE: If the package download has failed, click on Analyse Permissions. Once the job has been completed, try again to download the package.

The downloaded package may include fields that are marked as excluded. You can remove these fields from the package by opening the package and removing them manually from the permissionset file.

NOTE: Read and Write permission will be assigned to all fields (for Backup and Restore).

Part 2: Deploy with WorkBench

Via Workbench, create a new Permission Set called "IntegrationUserMissingFields" with the permission Read and Edit on all the missing fields.

Login to your target organization.
Click Migration menu
Select "Deploy".
Choose the package zip file and select the following options:
1. Allow Missing Files
2. Single Package
Click Next and then Deploy.

If deploying to production Rollback On Error must be selected. And the test level should be ‘Run Specified test’
A test class that will run successfully must be used in order for the permission set to deploy to production.
Further reading on adding a test class in Salesforce in this article.

If the package has successfully deployed, a success message will appear under the Results.

Part 3: Assign the Permission Set to the Authenticated User

In Salesforce, assign the permission set to the authenticated user.

Log in to Salesforce.
Select Setup > Permission Set >
Click the permission ‘IntegrationUserMissingFields’ and then Manage Assignments button.
Add the authenticated user to this permission set.
After assigning the permission, validate the permissions worked by re-running the analyze permission job via Backup Services → Options → Analyze Profile Permissions.

Part 4: Using Non-default Permission Set Name

Part 4.1: When merging to an existing permission set is not required

Download the SFDC Compatible Package from the permission report for the affected backup.
Use a text editor to open the package.xml file within the downloads package.
Replace the name: IntegrationUserMissingFields with the name you prefer for the permission set.
In the permissionsets folder, rename the file IntegrationUserMissingFields.permissionset to the name that you prefer.
Open the .permissionset file and replace the name IntegrationUserMissingFields with the permission set name that you prefer (within the 2 tags <label>...</label>).

Part 4.2: When merging to an existing permission set is required

Perform the steps in Part 4.1 (above).
Select the Metadata backup for the specific service you wish to update.
Access the most recent backup, then download the XML for permission sets by selecting the highlighted number next to permission sets.

Open the downloaded zip file, and navigate to the permission sets folder.

Open the .permissionset with the name you set in Part 4.1 (above)
Copy all <fieldPermissions> … </fieldPermissions> tags

Paste it to the the .permissionset from Part 4.1 (above) at the end of the file, before <hasActivationRequired>false</hasActivationRequired> <label>IntegrationUserMissingFields</label>

Part 4.3

Compress the updated package.
To deploy via Workbench, continue with the procedure as described in Part 2 and Part 3 (above).