Querying Flows and Mass Deleting Old Versions

Warning in Advance

Via the Tooling API, we're going to delete some historic flow versions. This is super useful when you have reached the short limit of 50. However, you can lose useful history that past you might have wanted to save.

Accessing the Tooling API

You can access the Tooling API via the Salesforce Inspector Chrome extension; there is a checkbox at the top which points you at the Tooling API:

Screenshot 2022-04-13 at 16.24.31.png

You can also access the Tooling API via the developer console:

Screenshot 2022-04-13 at 16.34.35.png

Tooling API Developer Documentation

What versions could I remove?

SELECT Id, VersionNumber, Status, Description, MasterLabel, CreatedDate
FROM Flow
WHERE MasterLabel = 'Case Updates' AND Status != 'Active'
ORDER BY CreatedDate ASC
LIMIT 19

Generally limit yourself to one flow at a time; for ease, this example limits via the MasterLabel. As per the above image, you can see that it returns both drafts and obsolete versions. Beware, you do not want to remove your current draft with changes in it!

Deleting versions

In Salesforce Inspector, you can simply copy the Excel output from the query and paste that into the upload box of a data import window:

Screenshot 2022-04-13 at 16.35.52.png

Note the Tooling API checkbox at the top. If using the above query, you will need to skip all the other column headers, as the delete operation expects a list of Ids.

Unfortunately, it doesn't appear that the developer console can delete flows.

A few housekeeping items

The permission set object is an amalgamation of Permission Sets and Profiles.

You can determine if a record is a profile by using the "IsOwnedByProfile" field.

You can also query on the permission set permissions to limit results.

SOAP API Developer Documentation

Field Level Security (FLS)

SOAP API Developer Documentation

Who has access to a field by a specific Profile?

SELECT Id, Field, PermissionsRead, PermissionsEdit, SobjectType, Parent.Profile.Name
FROM FieldPermissions
WHERE Parent.Profile.Name = 'System Administrator' AND Field = 'Account.Type'

Who has access to a field by specific Permission Set?

SELECT Id, Field, PermissionsRead, PermissionsEdit, SobjectType, Parent.Profile.Name, Parent.Label
FROM FieldPermissions
WHERE Parent.Label = 'Account Permission Set' AND Field = 'Account.Type'

Who has access to a specific field?

The absence of records indicates that they have no access to that field.

SELECT Id, Field, PermissionsRead, PermissionsEdit, SobjectType, Parent.Profile.Name, Parent.Label
FROM FieldPermissions
WHERE Field = 'Account.Type'

Who does not have access to a field?

SELECT Id, Label, Profile.Name
FROM PermissionSet
WHERE Id NOT IN (SELECT ParentId
                 FROM FieldPermissions
                 WHERE Field = 'Account.Type')

Object Level Security

SOAP API Developer Documentation

Who has access to an object by a specific Profile?

SELECT Id, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords, SobjectType, Parent.Profile.Name
FROM ObjectPermissions
WHERE Parent.Profile.Name = 'System Administrator' AND SobjectType = 'Account'

Who has access to an object by a specific Permission Set?

SELECT Id, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords, SobjectType, Parent.Label
FROM ObjectPermissions
WHERE Parent.Label = 'Account Permission Set' AND SobjectType = 'Account'

Who has access to a specific object?

The absence of records indicates that they have no access to that object.

SELECT Id, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords, SobjectType, Parent.Label, Parent.Profile.Name
FROM ObjectPermissions
WHERE SobjectType = 'Account'

Who does not have access to an object?

SELECT Id, Label, Profile.Name
FROM PermissionSet
WHERE Id NOT IN (SELECT ParentId
                 FROM ObjectPermissions
                 WHERE SobjectType = 'Account')

Setup Entity Access

This object is for querying many object permissions in Salesforce. Those are:

Type                                 | Object API Name      | Name Field
Apex Class                           | ApexClass            | Name
Visualforce Page                     | ApexPage             | Name
Custom Metadata Type                 | EntityDefinition     | QualifiedAPIName
Custom Setting                       | EntityDefinition     | QualifiedAPIName
Applications (Apps in app launcher)  | AppMenuItem          | Name
Connected Applications               | ConnectedApplication | Name
Custom Permission                    | CustomPermission     | MasterLabel

SOAP API Developer Documentation

The process is the same for all of the below examples. Just replace the object API name with the one for which you are looking to find permissions and the "Name" value in the where clause with the appropriate name field in the table above. For Custom Settings, use "IsCustomSetting" to filter. For Custom Metadata types, add QualifiedApiName LIKE '%__mdt' to the filter.

SELECT Parent.Label, Parent.Profile.Name
FROM SetupEntityAccess
WHERE SetupEntityId IN (SELECT Id
                        FROM ApexClass
                        WHERE Name = 'MyGreatApexClass')

Custom Tab Settings

Pro-tip: You can update the settings from here with "Default On" or "Default Off". Deleting the row will make it "Hidden".

Tooling API Documentation

Name is prepended with "standard-" for standard objects. Name is the API name of a custom object.

SELECT Parent.Name, Parent.Profile.Name, Visibility, Name
FROM PermissionSetTabSetting
WHERE Name = 'standard-Account'

Profile Page Layout Settings

The below are using the Tooling API.

Tooling API Documentation

Standard Objects

SELECT Layout.Name, TableEnumOrId, Profile.Name, RecordType.Name
FROM ProfileLayout
WHERE TableEnumOrId = 'Account'

Custom Objects

First, retrieve the "Durable ID" of the object: 

SELECT DurableId 
FROM EntityDefinition 
WHERE QualifiedAPIName = 'Account_Retention_Rate__c'

Then, query the Page Layout Settings:

SELECT Layout.Name, TableEnumOrId, Profile.Name, RecordType.Name
FROM ProfileLayout
WHERE TableEnumOrId = '01Io0000001KyaB'
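
The field-level queries above ("Who has access to a specific field?" and "Who does not have access to a field?") can be combined into one report once their results are exported. This is an added example, not part of the original page; the function names, Ids and labels are constructed, and the rows are shaped like the query results with IsOwnedByProfile added to the PermissionSet query.

```python
# Added example. Sample rows are constructed, not real org data.
PERMISSION_SETS = [
    {"Id": "0PS000000000001", "Label": "X00e_sysadmin", "IsOwnedByProfile": True,
     "Profile": {"Name": "System Administrator"}},
    {"Id": "0PS000000000002", "Label": "X00e_readonly", "IsOwnedByProfile": True,
     "Profile": {"Name": "Read Only"}},
    {"Id": "0PS000000000003", "Label": "Account Permission Set",
     "IsOwnedByProfile": False, "Profile": None},
    {"Id": "0PS000000000004", "Label": "Case Agents",
     "IsOwnedByProfile": False, "Profile": None},
]
FIELD_PERMISSIONS = [
    {"ParentId": "0PS000000000001", "Field": "Account.Type",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"ParentId": "0PS000000000003", "Field": "Account.Type",
     "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "0PS000000000004", "Field": "Account.Industry",
     "PermissionsRead": True, "PermissionsEdit": True},
]


def field_access_report(permission_sets, field_permissions, field):
    """Map every profile / permission set to 'edit', 'read' or 'none' for one field."""
    granted = {}
    for row in field_permissions:
        if row["Field"] == field and row["PermissionsRead"]:
            granted[row["ParentId"]] = "edit" if row["PermissionsEdit"] else "read"
    report = {}
    for ps in permission_sets:
        # IsOwnedByProfile tells a profile's hidden permission set from a real one.
        if ps["IsOwnedByProfile"]:
            name = ("Profile", ps["Profile"]["Name"])
        else:
            name = ("Permission Set", ps["Label"])
        # No FieldPermissions record for this parent means no access.
        report[name] = granted.get(ps["Id"], "none")
    return report


def without_access(report):
    """Names whose absence from FieldPermissions means they cannot see the field."""
    return sorted(name for name, level in report.items() if level == "none")


if __name__ == "__main__":
    report = field_access_report(PERMISSION_SETS, FIELD_PERMISSIONS, "Account.Type")
    for name, level in sorted(report.items()):
        print(name, level)
```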
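
For the flow-version cleanup described under "Deleting versions", the sketch below picks which rows of the Flow query result are safe to delete and builds the Id-only list the delete import expects. It is an added example, not part of the original page; the function names and sample Ids are constructed, and treating the highest-numbered draft as the "current draft" is an assumption.

```python
# Added example. Sample rows are constructed and shaped like the Flow query result.
DRAFT_STATUSES = {"Draft", "InvalidDraft"}

SAMPLE_ROWS = [
    {"Id": "301000000000001AAA", "VersionNumber": 1, "Status": "Obsolete",
     "MasterLabel": "Case Updates"},
    {"Id": "301000000000002AAA", "VersionNumber": 2, "Status": "Draft",
     "MasterLabel": "Case Updates"},
    {"Id": "301000000000003AAA", "VersionNumber": 3, "Status": "Obsolete",
     "MasterLabel": "Case Updates"},
    {"Id": "301000000000004AAA", "VersionNumber": 4, "Status": "Active",
     "MasterLabel": "Case Updates"},
    {"Id": "301000000000005AAA", "VersionNumber": 5, "Status": "Draft",
     "MasterLabel": "Case Updates"},
]


def versions_to_delete(rows, master_label):
    """Return Ids of deletable versions of one flow, oldest version first."""
    # One flow at a time: refuse a result set that mixes flows.
    other = {r["MasterLabel"] for r in rows} - {master_label}
    if other:
        raise ValueError(f"rows contain other flows: {sorted(other)}")
    # Never delete the active version, even if the query's filter was dropped.
    keep = {r["Id"] for r in rows if r["Status"] == "Active"}
    # Assumption: the newest draft is the one that may hold unsaved work.
    drafts = [r for r in rows if r["Status"] in DRAFT_STATUSES]
    newest_draft = max(drafts, key=lambda r: r["VersionNumber"], default=None)
    if newest_draft is not None:
        keep.add(newest_draft["Id"])
    ordered = sorted(rows, key=lambda r: r["VersionNumber"])
    return [r["Id"] for r in ordered if r["Id"] not in keep]


def id_column(ids):
    """Render the Ids as a single column: an 'Id' header, then one Id per line."""
    return "\n".join(["Id", *ids]) + "\n"


if __name__ == "__main__":
    print(id_column(versions_to_delete(SAMPLE_ROWS, "Case Updates")), end="")
```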