What is a Salesforce user access review?

A user access review examines which users have access to which Salesforce objects, records, and fields — and whether that access is appropriate, documented, and still needed. It typically covers profile permissions, permission set assignments, field-level security exposure, and system-level permissions like Modify All Data and View All Data.

How often should Salesforce user access be reviewed?

Access reviews are commonly triggered by personnel changes (employee offboarding, team restructures), compliance requirements, security incidents, consultant handoffs, or any significant org change project. For high-sensitivity orgs, periodic reviews are a governance best practice regardless of specific triggers.

What is the difference between a profile review and a permission set review?

Profiles define baseline object and field access for a group of users. Permission sets grant additional access on top of the profile — often for specific projects, integrations, or temporary needs that were never revoked. A complete user access review covers both layers, because effective permissions are the combination of profile plus all assigned permission sets.

Does KeelCadence surface user login history or activity data?

No. KeelCadence diagnostics are metadata-focused. The Permission & FLS Audit surfaces permission structure — what access exists in the org configuration — not user activity logs, login history, or usage events. Activity analysis requires separate tools or Salesforce event log review.

Does KeelCadence confirm whether access is compliant?

No. The workbook surfaces access signals — over-privileged profiles, permission set sprawl, FLS exposure by field, and user assignment counts. Confirming compliance requires formal access review with documented decisions and sign-off from appropriate stakeholders. KeelCadence provides the starting materials for that process.

Do I need to install a Salesforce package to run a user access review with KeelCadence?

No. KeelCadence does not require a package install, Connected App, or persistent OAuth token. The Permission & FLS Audit runs read-only for the session and does not export customer record data.

Tool Guide · User Access Review

WHAT A SALESFORCE USER ACCESS REVIEW COVERS BEFORE YOU CHANGE PERMISSIONS.

User access in Salesforce is the combination of a profile and every permission set assigned to that user. Reviewing one layer without the other gives you an incomplete picture. A structured access review workbook surfaces the full permission structure before any changes are made.

Read-only diagnostics · Review-ready workbooks · No package install · No Connected App

01 — The Additive Access Problem

EFFECTIVE ACCESS IS THE SUM OF PROFILE PLUS ALL PERMISSION SETS.

A user's actual Salesforce access is not just what their profile grants. It is their profile permissions plus every permission set they have been assigned — and in most orgs, permission sets accumulate over time without a corresponding cleanup process.

A user who was given a permission set for a project two years ago may still have that access. A user who changed roles may now have permission sets from their previous role still attached. A user may have Modify All Data access through a permission set that was created during a data migration and never deactivated.

A user access review that only checks the profile is checking a fraction of the actual access picture.

02 — What This Helps You Review

ACCESS REVIEW SIGNALS THE PERMISSION & FLS AUDIT SURFACES.

What this helps you review

Object permissions by profile and permission set — create, read, edit, delete, view all, modify all
Field-level security per field — which profiles and permission sets can read or edit each field
System permissions by profile — Modify All Data, View All Data, and similar elevated permissions
Permission set count and user assignment counts as sprawl reference signals
Over-privileged access patterns flagged as first-pass review candidates
FLS gaps — fields that may be more broadly readable or editable than intended

Relevant Workbook

Permission & FLS Audit

The Permission & FLS Audit workbook maps object permissions, field-level security, system permissions, and permission set assignment counts — formatted for structured access review before changing user permissions.

Learn more →Run diagnostic →View sample workbook →

03 — Access Review Triggers

WHEN TO RUN A USER ACCESS REVIEW.

Common access review triggers

Admin or consultant handoff — new owner needs to understand existing access structure
Employee offboarding or team restructure — ensure no residual access remains from old roles
Compliance or security review — document current access state for audit purposes
Permission cleanup project — identify and remove redundant or over-broad permission sets
Before any significant permission change — establish a baseline before modifying access

04 — What This Does Not Replace

METADATA ACCESS REVIEW VS. FULL COMPLIANCE REVIEW.

What this does not replace

User activity logs or login history — activity analysis is outside metadata scope
Formal compliance sign-off with documented rationale per user or role
Sharing rules and row-level security review — not covered by profile and permission set metadata
Business-context validation — understanding why access was granted and whether the reason still applies

05 — Related Resources

RELATED GUIDES.

Salesforce Permission Audit Checklist — practical checklist for reviewing permissions before changing access.
Permission Set Sprawl: How to Review Access Before It Becomes Risk — how sprawl accumulates and what to prioritize.
Salesforce Permission Audit Tool — what a permission audit tool should surface.
Diagnostic Tool Security Checklist — how to evaluate any tool's access model before granting org access.
All Resources

FAQ

FREQUENTLY ASKED QUESTIONS.

What is a Salesforce user access review?: A user access review examines which users have access to which Salesforce objects, records, and fields — and whether that access is appropriate, documented, and still needed. It typically covers profile permissions, permission set assignments, field-level security exposure, and system-level permissions like Modify All Data and View All Data.
How often should Salesforce user access be reviewed?: Access reviews are commonly triggered by personnel changes (employee offboarding, team restructures), compliance requirements, security incidents, consultant handoffs, or any significant org change project. For high-sensitivity orgs, periodic reviews are a governance best practice regardless of specific triggers.
What is the difference between a profile review and a permission set review?: Profiles define baseline object and field access for a group of users. Permission sets grant additional access on top of the profile — often for specific projects, integrations, or temporary needs that were never revoked. A complete user access review covers both layers, because effective permissions are the combination of profile plus all assigned permission sets.
Does KeelCadence surface user login history or activity data?: No. KeelCadence diagnostics are metadata-focused. The Permission & FLS Audit surfaces permission structure — what access exists in the org configuration — not user activity logs, login history, or usage events. Activity analysis requires separate tools or Salesforce event log review.
Does KeelCadence confirm whether access is compliant?: No. The workbook surfaces access signals — over-privileged profiles, permission set sprawl, FLS exposure by field, and user assignment counts. Confirming compliance requires formal access review with documented decisions and sign-off from appropriate stakeholders. KeelCadence provides the starting materials for that process.
Do I need to install a Salesforce package to run a user access review with KeelCadence?: No. KeelCadence does not require a package install, Connected App, or persistent OAuth token. The Permission & FLS Audit runs read-only for the session and does not export customer record data.

Before You Change Access

REVIEW WHO HAS ACCESS TO WHAT BEFORE MODIFYING PERMISSIONS.

KeelCadence Permission & FLS Audit surfaces object permissions, field-level security exposure, and permission set assignments — formatted as a structured XLSX workbook for access review before any permission change.

Run Permission & FLS Audit View sample workbook

See what Permission & FLS Audit covers →

Read-only · No package install · No Connected App setup · No Salesforce writes

KeelCadence uses session cookies and Google Analytics 4 for site usage insights. GA4 does not receive Salesforce credentials, Org IDs, Report IDs, or payment data. You can opt out for this browser.