In support of migrating to Permission Sets, Salesforce Administrators are commonly asked to "remove Custom Permissions from Profiles" as an initial step. Luckily, with some SOQL and DML, we can achieve this en masse.
SetupEntityAccess
To fully grasp this operation, you'll need a fundamental understanding of the sObject in scope: SetupEntityAccess. This object manages access settings for non-object entities like Apex Classes, Custom Permissions, Flows, etc. within Permission Sets. Imagine it as an access key for granting or restricting users' ability to interact with specific setup components. Holistically, this allows granular control over sensitive configurations.
How To Handle
To isolate direct Profile assignments (of Custom Permissions), we need to query this object and isolate Parent.IsOwnedByProfile = true in the WHERE clause. Our example is leveraging the "Convert Leads" Custom Permission.
- Open Developer Console or Salesforce Inspector reloaded (or your tool of choice)
- Copy & paste the following SOQL query into the Query Editor; ensure that you replace "Convert_Leads" with your Custom Permission's Developer Name:
SELECT Id, ParentId, SetupEntityType, Parent.Name, Parent.Profile.Name, Parent.IsOwnedByProfile
FROM SetupEntityAccess
WHERE SetupEntityId IN (SELECT Id FROM CustomPermission WHERE DeveloperName = 'Convert_Leads') and Parent.IsOwnedByProfile = true
ORDER BY Parent.Profile.Name
- Delete the output rows
