Finding which profiles have both create and delete permissions on your custom objects requires metadata analysis that Salesforce’s standard reports simply cannot provide. You need to query ObjectPermissions data directly to get this critical security information.
Here’s how to identify high-risk permission combinations on your custom objects and set up automated monitoring for these sensitive permissions.
Identify risky custom object permissions using Coefficient
While Salesforce standard reports can’t analyze metadata permissions, Coefficient can query ObjectPermissions directly if your org allows metadata access. You can filter for custom objects and specific permission combinations to identify security risks on your most sensitive data.
How to make it work
Step 1. Query ObjectPermissions for custom objects only.
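Write a custom SOQL query:
SELECT Parent.Profile.Name, SobjectType FROM ObjectPermissions WHERE PermissionsCreate = true AND PermissionsDelete = true AND SobjectType LIKE '%\_\_c'
This filters for profiles with both create and delete access on custom objects only. The underscores are escaped because an unescaped _ in a SOQL LIKE pattern matches any single character, which would let standard objects whose names end in "c" into the results.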
Step 2. Map profiles to readable names and types.
Join with the Profile object to get readable profile names and distinguish between admin profiles (expected to have these permissions) and user profiles (potential security risks). Add Profile.UserType to identify different license types.
Step 3. Filter for specific custom objects of concern.
Use dynamic filters to focus on your most sensitive custom objects like financial data, employee records, or proprietary business information. You can filter by object name patterns or specific namespace prefixes.
Step 4. Set up automated permission change monitoring.
Schedule refreshes to track when create/delete permissions are granted or removed on custom objects. This creates an audit trail showing exactly when high-risk permissions changed and who modified them.
Step 5. Create exception reports for non-admin profiles.
Filter results to highlight non-administrative profiles with create/delete permissions on custom objects. Use conditional formatting to flag these as potential security review items for your governance team.
Step 6. Import Setup Audit Trail for permission change history.
As an alternative approach, import SetupAuditTrail data to track recent permission modifications on custom objects. While this doesn’t show current state, it reveals permission change patterns and compliance audit trails.
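The exception report from Step 5 and the change tracking from Step 4, sketched as an added example (not Coefficient's or Salesforce's own code). The rows are constructed samples shaped like the Step 1 query output flattened to dicts, and the field name ProfileName and the ADMIN_PROFILES allowlist are assumptions to replace with your own.

```python
import re

CUSTOM_OBJECT = re.compile(r".+__c$")        # literal "__c" suffix, no wildcards
ADMIN_PROFILES = {"System Administrator"}    # assumption: your approved admin profiles

def row(profile, obj, create, delete):
    """Build one constructed sample row (flattened Step 1 output plus both flags)."""
    return {"ProfileName": profile, "SobjectType": obj,
            "PermissionsCreate": create, "PermissionsDelete": delete}

def risky_grants(rows):
    """Return {(profile, object)} where a profile has create AND delete on a custom object."""
    grants = set()
    for r in rows:
        if not (r["PermissionsCreate"] and r["PermissionsDelete"]):
            continue
        if not CUSTOM_OBJECT.match(r["SobjectType"]):
            continue                          # standard object, out of scope
        if r["ProfileName"] is None:
            continue                          # permission set not owned by a profile
        grants.add((r["ProfileName"], r["SobjectType"]))
    return grants

def exceptions(rows):
    """Step 5: risky grants held by profiles outside the admin allowlist."""
    return sorted(g for g in risky_grants(rows) if g[0] not in ADMIN_PROFILES)

def diff_snapshots(previous, current):
    """Step 4: compare two scheduled refreshes and report what changed."""
    prev, cur = risky_grants(previous), risky_grants(current)
    return {"granted": sorted(cur - prev), "removed": sorted(prev - cur)}

# Constructed snapshots from two refreshes
YESTERDAY = [
    row("System Administrator", "Invoice__c", True, True),
    row("Sales User", "Invoice__c", True, False),
    row("Support User", "Payroll__c", True, True),
    row("Sales User", "Account", True, True),
]
TODAY = [
    row("System Administrator", "Invoice__c", True, True),
    row("Sales User", "Invoice__c", True, True),   # delete newly granted
    row("Sales User", "Account", True, True),
    row(None, "Payroll__c", True, True),           # standalone permission set
]

if __name__ == "__main__":
    print("Review items:", exceptions(TODAY))
    print("Changes:", diff_snapshots(YESTERDAY, TODAY))
```

Rows with no profile name come from standalone permission sets, which this profile-focused report skips; review those separately.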
Secure your custom object permissions
Automated custom object permission monitoring helps you identify and track high-risk permission combinations that could compromise your sensitive business data. Get started with comprehensive permission security analysis.