Permission Chain

Permission Chain answers the question every admin dreads: "why does this user have this access?" It traces a permission back through the entire dependency stack and shows you the exact grant responsible, so you can fix the source instead of guessing.

The full dependency stack

Effective permissions in Salesforce are the sum of several layers, and Permission Chain walks all of them with source tracking at each step:

  • the user's Profile
  • every assigned Permission Set
  • every Permission Set Group the user belongs to
  • any Muting Permission Set that subtracts permissions within a group

For any permission, you see not just whether the user has it, but which assignment confers it. "Granted via the Sales Ops permission set" is an answer you can act on; "they have it somehow" is not.

Muting permission sets are detected by key prefix (0QM), not by relationship name — so muted permissions are attributed correctly even where the standard relationship returns null.
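
The layered resolution described above, as an added Python example (not Permission Chain's own code): it records the source of every grant and classifies group components as muting by the 0QM Id prefix. The record shapes, names and Ids are constructed for illustration, and permissions are modelled as plain strings.

```python
MUTING_PREFIX = "0QM"  # key prefix the page gives for Muting Permission Sets

def trace(permission, profile, permission_sets, groups):
    """Return (effective, grants, muted): every source that confers
    `permission`, plus group-level grants cancelled by a muting set."""
    grants, muted = [], []
    if permission in profile["perms"]:
        grants.append(f"Profile: {profile['name']}")
    for ps in permission_sets:
        if permission in ps["perms"]:
            grants.append(f"Permission Set: {ps['name']}")
    for group in groups:
        # Classify components by Id prefix, not by a relationship lookup
        # that may come back null.
        comps = group["components"]
        muting = [c for c in comps if c["id"].startswith(MUTING_PREFIX)]
        granting = [c for c in comps if not c["id"].startswith(MUTING_PREFIX)]
        muters = [m["name"] for m in muting if permission in m["perms"]]
        for c in granting:
            if permission not in c["perms"]:
                continue
            path = f"Permission Set Group: {group['name']} > {c['name']}"
            if muters:
                # Muting subtracts only inside this group; profile and
                # direct permission set grants are unaffected.
                muted.append(f"{path} (muted by {muters[0]})")
            else:
                grants.append(path)
    return bool(grants), grants, muted

# Constructed sample records; hypothetical names and Ids.
PROFILE = {"name": "Standard User", "perms": {"Account.Read"}}
DIRECT_SETS = [
    {"id": "0PS000000000001", "name": "Sales Ops", "perms": {"Account.Edit"}},
]
GROUPS = [{
    "name": "Field Sales",
    "components": [
        {"id": "0PS000000000002", "name": "Deal Desk",
         "perms": {"Account.Edit", "Account.Delete"}},
        {"id": "0QM000000000001", "name": "Field Sales Muting",
         "perms": {"Account.Delete"}},
    ],
}]

if __name__ == "__main__":
    for perm in ("Account.Read", "Account.Edit", "Account.Delete"):
        print(perm, trace(perm, PROFILE, DIRECT_SETS, GROUPS))
```

A permission with two entries in `grants` is the case where removing one assignment does not remove the access; the `muted` list shows grants that would become effective if the muting set were changed.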

Who Has Access

Run the question in reverse. Instead of starting with a user, start with a field or object and ask which users can access it. Permission Chain returns the list, with the grant path for each — ideal for "who can see Social Security Number?" style audits.

Compare Users

Put two users side by side and Permission Chain highlights exactly where their effective access differs — object by object, permission by permission. This is the fastest way to answer "make this new hire match that existing rep," or to explain why two people on the same team see different things.

Comparisons export to CSV, JSON, TSV, or the clipboard, so a permission difference becomes audit evidence you can attach to a ticket.

When to reach for it

  • A user can see something they should not — find the grant and remove it.
  • A user cannot do something they should — find the missing grant and add it.
  • Onboarding — clone an existing user's effective access deliberately.
  • Audit — prove who can reach sensitive fields, and why.
