Permissions & Access Review

SALESFORCE PERMISSION CHANGE IMPACT REVIEW.

Changing permissions is not just adding or removing access. Review object permissions, FLS, sensitive fields, user assignments, and permission set overlap before changing Salesforce permissions.

Read-only diagnostics · Review-ready workbooks · No package install · No Connected App

A Salesforce permission change impact review is the process of understanding who has access to what before making changes to profiles, permission sets, or field-level security — and what the change will affect when it goes in.

Permission changes are often treated as straightforward — add a permission, remove a permission. In practice, permission changes in complex orgs affect users in ways that are not obvious until the review uncovers the overlap, the sensitive field exposure, or the external user access that was not part of the intended scope.

Why Evidence Matters

WHY PERMISSION CHANGES NEED EVIDENCE.

Three common permission change surprises that review evidence can help prevent:

  • A permission set assigned to a broad user population is modified to tighten access — the modification removes a permission that a subset of those users still need for a business-critical process
  • FLS is tightened on a field to restrict edit access — but the field is also used by an integration that writes to it via API, which does not check FLS by default
  • A profile is cloned and modified for a new role — the clone carries sensitive field access from the source profile that was not reviewed before the new profile was assigned to users

The review does not prevent changes. It creates evidence that supports the right change.

Checklist

PERMISSION CHANGE CHECKLIST.

Object permissions

  • Identify all profiles and permission sets that have access to the affected objects
  • Review CRUD permissions — Create, Read, Edit, Delete, View All, Modify All — on affected objects
  • Note whether any profiles or permission sets have Modify All or View All that would override record-level security
  • Count user assignments per profile and permission set to understand how many users are affected

Field-level security

  • List all profiles and permission sets with Read or Edit access on fields in scope
  • Review FLS for sensitive or high-risk fields across both profiles and permission sets
  • Check for the most-permissive-grant rule — a permission set grant overrides a profile denial on FLS
  • Confirm whether any integration users or API profiles have FLS access that would be affected by the change

Sensitive field exposure and permission set overlap

  • Identify fields that may contain sensitive, regulated, financial, or personally identifiable data
  • Review which profiles and permission sets expose those fields — Read and Edit separately
  • Check for permission set overlap: users with multiple permission sets may have cumulative access that is not obvious from reviewing either set alone
  • Review external and community user access separately — exposure consequences may differ

User assignment review

  • List active users assigned to the profiles and permission sets being changed
  • Check for users who appear in multiple permission sets that interact with the same permissions
  • Identify business owners who need to sign off on the access change before it proceeds

Relevant Workbook

Permission & FLS Audit

Permission & FLS Audit maps profiles, permission sets, object permissions, FLS, user assignments, and access-risk signals into a review-ready XLSX workbook before permission changes are applied.

FAQ

FREQUENTLY ASKED QUESTIONS.

What should be reviewed before changing Salesforce permissions?

Review object-level permissions on the affected profiles and permission sets, field-level security on fields in scope, sensitive field exposure for the users who will be affected, permission set overlap that may create unintended cumulative access, external user access if applicable, and user assignment counts to understand the scope of the change.

How do permission sets affect field-level security?

Salesforce grants the most permissive access when multiple permission grants apply to the same user. If a user has a profile that denies FLS on a field but also has a permission set that grants FLS on the same field, the permission set grant takes precedence. Reviewing FLS across both profiles and permission sets is necessary to understand actual access.

Why is permission set overlap risky?

Permission set overlap means a user has multiple permission sets that grant access to the same objects or fields. When changes are made to one permission set, the expected impact on a user's access may be masked if another permission set also grants the same access. Review active user assignments across all relevant permission sets before changing access.
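The most-permissive rule and the overlap masking described in the two answers above can be checked before a change goes in. This is an added example, not KeelCadence code: it assumes rows exported in the shape of Salesforce's FieldPermissions and PermissionSetAssignment objects, and every Id, user name and the field Account.Tax_ID__c is a constructed placeholder.

```python
from collections import defaultdict

FIELD = "Account.Tax_ID__c"  # hypothetical sensitive field
# Constructed rows shaped like FieldPermissions records. A missing row means
# no grant; a profile's grants sit under its profile-owned permission set.
FIELD_PERMS = [
    {"ParentId": "PS_Finance", "Field": FIELD, "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "PS_Billing_Ops", "Field": FIELD, "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "Profile_Support", "Field": FIELD, "PermissionsRead": True, "PermissionsEdit": False},
]
# Constructed rows shaped like PermissionSetAssignment records (active users).
ASSIGNMENTS = [
    {"AssigneeId": "alice", "PermissionSetId": "Profile_Sales"},
    {"AssigneeId": "alice", "PermissionSetId": "PS_Finance"},
    {"AssigneeId": "bob", "PermissionSetId": "Profile_Support"},
    {"AssigneeId": "bob", "PermissionSetId": "PS_Finance"},
    {"AssigneeId": "bob", "PermissionSetId": "PS_Billing_Ops"},
    {"AssigneeId": "carol", "PermissionSetId": "Profile_Support"},
]

def effective_access(field_perms, assignments, field):
    """Most-permissive rule: OR every grant reachable through a user's assignments."""
    grants = {p["ParentId"]: p for p in field_perms if p["Field"] == field}
    access = defaultdict(lambda: {"read": False, "edit": False, "edit_from": []})
    for a in assignments:
        user, g = access[a["AssigneeId"]], grants.get(a["PermissionSetId"])
        if g:
            user["read"] |= g["PermissionsRead"]
            if g["PermissionsEdit"]:
                user["edit"] = True
                user["edit_from"].append(a["PermissionSetId"])
    return dict(access)

def edit_removal_impact(field_perms, assignments, field, changed_parent):
    """Classify each user assigned to changed_parent if its Edit grant is removed."""
    after_perms = [dict(p, PermissionsEdit=False) if p["ParentId"] == changed_parent
                   and p["Field"] == field else p for p in field_perms]
    before = effective_access(field_perms, assignments, field)
    after = effective_access(after_perms, assignments, field)
    report = {}
    for user in {a["AssigneeId"] for a in assignments if a["PermissionSetId"] == changed_parent}:
        if before[user]["edit"] and not after[user]["edit"]:
            report[user] = "loses edit"
        elif after[user]["edit"]:
            report[user] = "edit retained via " + ", ".join(after[user]["edit_from"])
        else:
            report[user] = "no edit before or after"
    return report
```

Removing Edit from PS_Finance in this sample takes edit away from alice, while bob keeps it through PS_Billing_Ops, which is the masked case the overlap review is meant to surface.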

Should external users be reviewed separately?

Yes. External users, community users, and guest users often have different access patterns than internal users. Sensitive field exposure, object access, and FLS for external users warrant a separate review — because the consequence of over-exposure may be higher and the user type may not appear in standard internal permission reviews.

How can KeelCadence help with permission change review?

Permission & FLS Audit maps profiles, permission sets, object permissions, FLS, user assignments, and access-risk signals for selected objects in a review-ready XLSX workbook. It supports the review conversation before permission changes are made — not after.

Review Before Change

CREATE A REVIEW-READY WORKBOOK BEFORE MAKING SALESFORCE CHANGES.

Run a read-only KeelCadence diagnostic to surface metadata, access, automation, field, and readiness signals before cleanup, UAT, imports, handoff, or change work.

Read-only · No package install · No Connected App setup · No Salesforce writes
