Tool Guide · Permissions & Access

WHAT A SALESFORCE PERMISSION AUDIT TOOL SHOULD SURFACE BEFORE YOU CHANGE ACCESS.

Object permissions are only one layer. A useful Salesforce permission audit surfaces FLS exposure, permission set sprawl, over-privileged access patterns, and cross-profile visibility — so access changes are based on structured review, not guesswork.

Read-only diagnostics · Review-ready workbooks · No package install · No Connected App

01 — The Access Review Problem

ACCESS REVIEW IS MORE THAN CHECKING WHO HAS MODIFY ALL.

Most Salesforce permission reviews start and end with a single question: does anyone have too much access? That is a reasonable starting point. It is not a complete review.

Effective permissions in Salesforce are additive. A user's actual access is their profile permissions combined with every permission set they have been assigned. In orgs that have grown through multiple projects, migrations, or admin transitions, those combinations are rarely documented and rarely audited together.

Permission set sprawl compounds the problem. It is common to find dozens of permission sets that partially overlap, handle edge cases from past projects, or grant temporary access that was never revoked. Reviewing the profile in isolation misses the full picture.
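The additive model described above, as an added example (not KeelCadence's code): it unions grants from a user's profile and every assigned permission set, then lists the rights a profile-only review would miss. All ids and rows are constructed; the field names follow the standard ObjectPermissions, FieldPermissions and PermissionSet objects, and the assignment list is assumed to include the profile-owned permission set.

```python
from collections import defaultdict

# Constructed sample rows shaped like the standard Salesforce objects
# PermissionSet, PermissionSetAssignment, ObjectPermissions, FieldPermissions.
# All ids are made up. A profile's grants live in a permission set with
# IsOwnedByProfile = true, so profiles and permission sets share one shape.
PERMISSION_SETS = {
    "PS_SALES_PROFILE": {"IsOwnedByProfile": True, "PermissionsModifyAllData": False},
    "PS_LEGACY_MIGRATION": {"IsOwnedByProfile": False, "PermissionsModifyAllData": True},
    "PS_FINANCE_EXPORT": {"IsOwnedByProfile": False, "PermissionsModifyAllData": False},
}
ASSIGNMENTS = [  # (AssigneeId, PermissionSetId)
    ("user_a", "PS_SALES_PROFILE"), ("user_a", "PS_FINANCE_EXPORT"),
    ("user_b", "PS_SALES_PROFILE"), ("user_b", "PS_LEGACY_MIGRATION"),
]
OBJECT_PERMS = [
    {"ParentId": "PS_SALES_PROFILE", "SobjectType": "Account",
     "PermissionsRead": True, "PermissionsEdit": True, "PermissionsDelete": False},
    {"ParentId": "PS_LEGACY_MIGRATION", "SobjectType": "Account",
     "PermissionsRead": True, "PermissionsEdit": True, "PermissionsDelete": True},
]
FIELD_PERMS = [
    {"ParentId": "PS_SALES_PROFILE", "SobjectType": "Account",
     "Field": "Account.AnnualRevenue", "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "PS_FINANCE_EXPORT", "SobjectType": "Account",
     "Field": "Account.AnnualRevenue", "PermissionsRead": True, "PermissionsEdit": True},
]

def effective_access(user_id):
    """Map (target, right) -> permission sets granting it; grants are additive."""
    parents = {ps for uid, ps in ASSIGNMENTS if uid == user_id}
    access = defaultdict(set)
    for row in OBJECT_PERMS + FIELD_PERMS:
        if row["ParentId"] not in parents:
            continue
        target = row.get("Field", row["SobjectType"])  # field rows win over object name
        for key, granted in row.items():
            if key.startswith("Permissions") and granted:
                access[(target, key[len("Permissions"):])].add(row["ParentId"])
    for ps in parents:  # system permission, tracked under the "*" target
        if PERMISSION_SETS[ps]["PermissionsModifyAllData"]:
            access[("*", "ModifyAllData")].add(ps)
    return dict(access)

def beyond_profile(user_id):
    """Rights held only through permission sets, invisible in a profile-only review."""
    return sorted(right for right, sources in effective_access(user_id).items()
                  if not any(PERMISSION_SETS[s]["IsOwnedByProfile"] for s in sources))
```

Both sample users share one profile, yet `beyond_profile` returns different results for each, which is the gap a profile-only review leaves open.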

02 — What This Helps You Review

REVIEW SIGNALS THE PERMISSION & FLS AUDIT SURFACES.

What this helps you review

  • Object permissions across profiles and permission sets for selected objects
  • Field-level security exposure by field — which profiles and permission sets can read or edit each field
  • System permissions including Modify All Data and View All Data by profile
  • Permission set count and assignment count as sprawl reference signals
  • Over-privileged access patterns as first-pass review candidates
  • FLS gaps — fields that may be more exposed than intended

Relevant Workbook

Permission & FLS Audit

The Permission & FLS Audit workbook maps object permissions, field-level security, system permissions, and permission set assignment counts across your org — formatted for structured access review.

03 — What This Does Not Replace

WHAT A PERMISSION AUDIT WORKBOOK DOES NOT REPLACE.

What this does not replace

  • A formal compliance or security access review with documented sign-off
  • Business-context validation — understanding why access was granted and whether the reason still applies
  • User activity logs or login history analysis (not available in metadata)
  • Sharing rules, manual shares, and row-level security review
  • A consultant or security specialist for regulated access environments

FAQ

FREQUENTLY ASKED QUESTIONS.

What should a Salesforce permission audit tool surface?
A useful permission audit tool should surface object permissions by profile and permission set, field-level security coverage, over-privileged access patterns, permission set assignment counts, and system-level permissions like Modify All Data and View All Data. A single profile view is not enough — you need cross-profile and cross-permission-set visibility to identify access risk.

What is FLS and why does it matter in a permission audit?
FLS stands for field-level security. It controls which users can see or edit specific fields, separate from object-level access. An admin can have read access to an object but be blocked from seeing certain fields through FLS. Reviewing FLS during a permission audit helps identify fields that are more — or less — exposed than intended.

What is permission set sprawl and how does it complicate access review?
Permission set sprawl happens when multiple overlapping permission sets are created over time to handle edge cases, project requirements, or temporary access that was never cleaned up. It makes access review harder because effective permissions for a user come from their profile plus every permission set assigned to them — and those combinations are rarely documented.

Does KeelCadence's Permission & FLS Audit confirm that access is compliant?
No. The workbook surfaces access signals — over-privileged profiles, permission sets with Modify All Data, FLS exposure across fields, and user assignment counts — as review candidates. Confirming compliance requires a formal access review with documented decisions and sign-off from appropriate stakeholders.

Do I need a Salesforce package to run a permission audit with KeelCadence?
No. KeelCadence does not require a package install, Connected App, or persistent OAuth token. The Permission & FLS Audit runs read-only for the session and does not export customer record data or store your Salesforce login.

Next Step

Turn this access review into a workbook.

Run the read-only Permission & FLS Audit to capture object permissions, field-level security exposure, permission set sprawl, and over-privileged access across your org — formatted for structured review.

Read-only · No package install · No Connected App setup · No Salesforce writes
