PERMISSION & FLS AUDIT — HOW TO USE

Read Me

End-to-end guide for running a Permission & FLS Audit on a Salesforce org.

What this tool does

Permission & FLS Audit scans your Salesforce org's entire permission model and produces a downloadable Excel workbook showing who can read, create, edit, and delete each object, which profiles and permission sets grant access to sensitive fields, where over-privilege exists, and where cleanup is possible.

The report covers:

No managed package required. No Connected App setup required. No Salesforce configuration changes needed. The tool authenticates using your existing Salesforce browser session -- the same session you are already using in Salesforce. It is a read-only diagnostic.

When to use this tool

Supported Salesforce editions

Supported:

Not supported:

Before you start

Step-by-step: how to run the audit

Step 1 -- Open the app

Go to permissions.keelcadence.com in your browser. The landing page explains the tool and shows the bookmarklet button.

Step 2 -- Save the bookmarklet

Drag the Connect to Permission & FLS Audit button from the landing page to your browser's bookmarks bar. This bookmarklet is the connection method -- no package, no Connected App, and no Salesforce configuration is needed.

Step 3 -- Connect to Salesforce

Open a Salesforce page in the same browser -- any Salesforce page while you are logged in. Click the bookmarklet from your bookmarks bar. The bookmarklet reads your active Salesforce browser session and sends it securely to the audit app.

If a new tab opens showing a Salesforce API list instead of the audit app, click the bookmarklet one more time in that new tab.

The Salesforce Session ID is held only in a signed server-side session cookie for the duration of your active session. It is never stored in the database, logs, or report files.

Step 4 -- Review the connection screen

After connecting, the app shows a confirmation screen with your connected username, display name, Org ID, and instance URL. Review these to confirm you are connected to the correct org.

Step 5 -- Select objects (optional)

The Select Objects screen shows all SObjects available in your org, grouped into Custom Objects and Standard Objects. You can:

Before running, tick the checkbox to confirm you have read and agree to the Terms of Use and Privacy Policy. Then click Run Audit →.

Step 6 -- Wait for the audit to complete

The app redirects to a progress screen. A progress bar updates automatically every two seconds -- do not close this tab. Larger orgs with many objects and permission sets will take longer. If the audit fails partway through (for example, due to a session expiry), an error message will appear with a link to return and try again.

Step 7 -- Review on-screen results

When the audit completes, the app shows an on-screen results summary including:

These findings are free. The full XLSX workbook requires a one-time purchase.

Step 8 -- Purchase the full workbook

Click Download Full XLSX Workbook. The app redirects to Stripe Checkout, which handles the payment securely. KeelCadence does not store card numbers, CVV codes, or full card details -- those are handled entirely by Stripe.

After payment, Stripe redirects back to the results page with the Download XLSX Workbook button unlocked. The purchase is linked to your specific audit run.

Step 9 -- Download the XLSX workbook

Click Download XLSX Workbook. The file downloads as an .xlsx workbook named KeelCadence_PermissionsFLS_[OrgID]_[Date].xlsx. The workbook contains 13 tabs covering the full permission and FLS audit.

Step 10 -- Save and share the report

Step 11 -- Disconnect or request deletion

Click Disconnect in the top navigation bar to clear your application session. This removes the Salesforce session from the app's server-side cookie.

There is no self-serve delete button for audit report data. To request deletion of a report before the 90-day automated purge, email support@keelcadence.com with your Report ID. Reports are automatically deleted by a daily purge job after 90 days.

What data is read

The tool reads metadata only -- it does not read business record values:

The tool does not export individual Salesforce business record values. The report focuses on metadata, configuration, permissions, and aggregate counts.

What is not read or stored

Session duration

Your Salesforce session is controlled by your Salesforce org's session settings. Salesforce sessions commonly last around 2 hours by default, but your org may use a different timeout. If you start an audit near the end of your Salesforce session, the audit may fail partway through. If that happens, reconnect to Salesforce and run the audit again.

How to interpret the report tabs

The downloaded workbook contains 13 tabs.

Cover -- Visual dashboard with scorecard tiles showing key counts (profiles, permission sets, users, objects, fields), severity tiles for critical and high findings, an overall Permission Health Score, and a bar chart of findings by category. Start here for an executive summary.

Summary -- Org info, run date, total counts, and a row-by-row breakdown of key audit metrics. Use this tab to share high-level numbers with stakeholders who do not need the full detail.

Profile Permissions -- One row per Profile and Object combination. CRUD columns show Yes/No. Rows highlighted in red have View All or Modify All on a sensitive object. Use this tab to see which profiles have the broadest access to each object.

Perm Set Permissions -- Same structure as Profile Permissions but for Permission Sets, excluding profile-linked system sets. Amber rows are unassigned; red rows are over-privileged. Use this tab alongside Profile Permissions to see the full CRUD picture.

FLS Matrix -- Fields as rows, profiles and permission sets as columns. Each cell shows Read and/or Edit access. Sensitive fields are highlighted. Use this tab to see which roles can access which fields -- useful for FLS-specific reviews or when preparing for a data privacy assessment.

Over-Privileged -- Every profile or permission set that has View All Records or Modify All Records on a sensitive object (User, Account, Contact, Opportunity, and others). These are critical findings -- any compromise or misuse of these roles can expose all records in the affected objects.

Unassigned Perm Sets -- Permission sets with zero active user assignments. These are cleanup candidates that add schema noise and increase audit surface without providing access to anyone. Review and archive or delete them.

Admin-Only Fields -- Fields where only the System Administrator profile has FLS access (Read or Edit). These may be intentionally restricted or legacy fields that no longer serve a purpose. Review whether each restriction is still intentional.

User Risk Score -- A risk score per active user, color-coded by relative risk level. Users are ranked by a score based on access breadth, sensitive access patterns, and administrative review signals. Sort descending to identify your highest-risk users first.

Object Gaps -- Profiles or permission sets with mismatched object permissions: Edit without Create, or Create without Delete. These mismatches are often unintentional and can cause data quality problems for users in those roles.

Sensitive Exposure -- Sensitive fields (SSN, salary, tax ID, health data, and similar) that are readable by profiles or permission sets other than System Administrator. Each row includes a recommended action and a risk note. If this tab is empty, no sensitive field exposure was detected.

Recommendations -- A prioritized remediation plan generated from all audit findings. Sort by Priority (P1 first) and work top-down. Each row includes the finding, a recommended action, estimated effort, and the risk of taking that action. Mark rows green and delete them as items are resolved.

Permission Health Score -- An overall health score (0-100) and letter grade (A-F) for the org's permission model, broken down by category. Use this tab to track improvement across audits over time and communicate permission model health to leadership.

Common findings and how to use them

Over-privileged profiles -- A profile with View All or Modify All on Account, Contact, Opportunity, or User means every user on that profile can see or change every record in that object, regardless of ownership or sharing rules. Restrict these grants to the minimum required.

Permission sets with View All or Modify All -- Same risk as over-privileged profiles, but delivered via a permission set. Check the Unassigned Perm Sets tab -- if these sets are not assigned to anyone, they are lower urgency but still create audit surface.

Sensitive fields readable outside System Administrator -- Fields like SSN, salary grade, tax ID, or health data should typically be restricted to administrators or specific roles. The Sensitive Exposure tab identifies each field and who can read it.

Unassigned permission sets -- Permission sets with no active users are governance noise. They complicate audits and should be archived or deleted unless they are intentionally held in reserve.

Admin-only fields -- Fields readable or editable only by System Administrator may be intentionally restricted. Verify whether each restriction reflects a conscious design decision or is a legacy artefact from a previous implementation.

Object gaps (Edit without Create) -- A user who can edit records but not create them is an unusual pattern. It may reflect a deliberate workflow constraint or an accidental misconfiguration. Either way, document the reason.

High user risk scores -- Users with many layered permission sets, especially when combined with View All or Modify All and sensitive field access, present the most concentrated access risk. These users should be reviewed first if a security incident occurs.

Required Salesforce permissions

The connected Salesforce user must have:

System Administrator profiles satisfy all of these by default and are recommended for the most complete audit results.

Users with limited access may still be able to run the audit, but results may be incomplete if Salesforce restricts access to specific profiles, permission sets, field permissions, object permissions, or user metadata.

Troubleshooting

Salesforce session expired -- Go back to Salesforce in the same browser, confirm you are still logged in, then click the bookmarklet again to reconnect.

Not enough permissions to run a full audit -- Reconnect using a Salesforce user with System Administrator or equivalent access. Limited users may produce incomplete results.

API access disabled -- API Enabled must be on for the connected user's profile. Enable it in Salesforce Setup under Profile settings, or ask your Salesforce admin.

Unsupported edition -- Essentials Edition does not include Salesforce API access and cannot be audited with this tool.

Audit takes longer than expected -- Orgs with many objects, profiles, and permission sets take longer. Keep the browser tab open and wait for the progress bar to complete.

Audit fails partway through -- The most common cause is a Salesforce session timeout. Reconnect and run again. If the problem repeats, try a shorter audit by selecting a subset of objects.

Bookmarklet opens a Salesforce API page instead of the audit app -- This is expected on Lightning and Setup pages: Salesforce first opens an API page so the bookmarklet can read a session that is valid for the audit. Click the bookmarklet once more in the new tab that opened to finish connecting.

Browser cookie or privacy tool blocking the connection -- Some browser extensions block the session cookie that the bookmarklet reads. Temporarily disable the extension or try a standard browser profile without extensions.

Payment completed but download button is not available -- Wait a few seconds and refresh the results page. If the issue persists, email support@keelcadence.com with your Report ID and a note that payment was completed.

Download link does not work or file is missing -- Reports are retained for 90 days. If the link has expired, the file has been automatically deleted. Email support@keelcadence.com with your Report ID if you need to discuss options.

Results look incomplete -- The connected user may not have access to all profiles, permission sets, or field metadata. Try reconnecting as a System Administrator for a full audit.

Need to delete your data -- Email support@keelcadence.com with your Report ID. Data is automatically purged after 90 days if no earlier deletion is requested.

Privacy and security notes

Policy and legal

For full details, use the canonical KeelCadence pages:

Contact and support

For questions about a report, include your Report ID and email support@keelcadence.com.

← Return to KeelCadence