A Salesforce permission audit reviews profiles, permission sets, object permissions, field-level security, external user access, assigned users, unused permission sets, and over-privileged access — before cleanup, governance, or security work begins.
Read-only diagnostics · Review-ready workbooks · No package install · No Connected App
A Salesforce permission audit should review profiles, permission sets and permission set groups, object permissions, field-level security, external and community user access, assigned users, inactive or unassigned permission sets, and over-privileged access patterns.
The point of the audit is visibility before change. You are not removing access on sight — you are surfacing review candidates so the right access can be validated with stakeholders before cleanup, governance review, or security work begins.
Most orgs do not have an access problem because someone designed them badly. They develop one over time, as new projects add exception access, users change roles, and permission sets stack on top of profiles. Eventually it becomes hard to answer a simple question: who actually has access to what?
Work through these steps by category, in order. Each one surfaces review candidates rather than conclusions — validate findings with owners before changing anything.
Establish what every user starts with before any add-on access is layered on.
Permission sets and groups stack on top of profiles — this is where most invisible elevation happens.
Broad object and administrative permissions deserve a separate, explicit pass.
Field-level security can expose data that a page layout hides — review it directly.
The audit produces review candidates, not conclusions — record them and assign owners.
Field-level security matters most on the fields that carry risk. A field can be hidden from a page layout while still being readable through FLS, so review these field types specifically across profiles and permission sets.
Sensitivity depends on your business context. Define what counts as sensitive in your org, then review FLS on those fields specifically.
Most incomplete audits fail in the same predictable ways. Avoiding these keeps the review honest.
You can run this checklist entirely by hand. The difference a read-only diagnostic makes is coverage and repeatability — it surfaces the same candidates every cycle so you spend your time deciding, not gathering.
| What to compare | Manual review | With Permission & FLS Audit |
|---|---|---|
| Coverage | Easy to stop at profiles and miss stacked permission sets | Maps profiles, permission sets, and groups together in one pass |
| Field-level security | FLS is reviewed field-by-field, profile-by-profile | Surfaces sensitive-field exposure across profiles and sets at once |
| Permission stacking | Hard to see cumulative access from multiple assignments | Highlights over-privileged users from layered assignments |
| Repeatability | Re-done by hand each cycle; results vary by reviewer | Same read-only export each time, easy to compare run-over-run |
| Output | Notes and ad-hoc spreadsheets | Structured, review-ready XLSX workbook |
| Decision-making | Reviewer decides as they go | Surfaces candidates only — admins and owners still decide |
Either way, the audit surfaces review candidates — it does not decide whether access is appropriate. That validation stays with the admins and stakeholders who know each role.
KeelCadence Permission & FLS Audit is a read-only diagnostic that maps profiles, permission sets, object permissions, field-level security exposure, user-assignment patterns, over-privileged access, and review candidates into a downloadable XLSX workbook.
It surfaces the patterns this checklist looks for so you can review and prioritize them — it does not decide whether access is appropriate. That validation stays with the admins and stakeholders who know each role and business process.
Relevant Workbook
Permission & FLS Audit maps profiles, permission sets, object permissions, field-level security exposure, user assignments, and over-privileged access into a review-ready workbook.
A permission audit checklist is a focused access diagnostic, not a complete Salesforce security review. It will not decide whether access is appropriate for every role, department, or business process.
The goal is to surface review candidates — broad object access, sensitive field exposure, stacked permissions, unused permission sets, and external exposure — so they can be validated before you change or remove anything.
Once you know what to review, run the read-only Permission & FLS Audit to map profiles, permission sets, FLS exposure, and over-privileged access into one review-ready workbook. See the free on-screen summary before purchase.
Opens permissions.keelcadence.com. Best run from desktop, since the diagnostic uses your active Salesforce browser session. On mobile, view the sample workbook or save this page for later.
Read-only · No package install · No Connected App setup · No Salesforce writes
KeelCadence uses session cookies and Google Analytics 4 for site usage insights. GA4 does not receive Salesforce credentials, Org IDs, Report IDs, or payment data. You can opt out for this browser.