Print this page

Query results show permissions that start with the character 'X' that do not exist

Knowledge Article Number 000230980
Description If you run the following query via Data Loader: 
SELECT Id, PermissionSetId, AssigneeId, SystemModstamp, Assignee.Name,PermissionSet.Name, Assignee.IsActive
FROM PermissionSetAssignment 

You will receive results IDs under permission set name column: 

X00e20000003Fk9OAAS, etc.

However, permissions that start with the character 'X' do not exist.  You may ask where this permissions are coming from.
Resolution In Salesforce, all permission sets that start with the letter 'X' represent a Profile ID.  Therefore. querying the permission set assignments would return rows representing profile assignments. This behavior is working as designed since every profile is represented by a permission set.  By default, all users have at least one permission set assignment to their profile. 

As per Salesforce documentation, in API version 25.0 or later, every profile is associated with a permission set that stores the user profile, object, and field permissions, as well as setup entity access settings.  Permission sets that are owned by profiles can be queried but cannot be modified.

The following example Query returns all permission sets, including those owned by a profile:
SELECT Id, Label, ProfileId, Profile.Name FROM PermissionSet 

The following returns all permission sets except those owned by profiles. 
SELECT Id, Label, ProfileId, Profile.Name, IsOwnedByProfile FROM PermissionSet 
WHERE IsOwnedByProfile = FALSE 

That being said, if you would like to query only permission set assignments, without including the profiles, you should modify this query like the following example query: 
SELECT Id, PermissionSetId, AssigneeId, SystemModstamp, Assignee.Name,PermissionSet.Name, Assignee.IsActive 
FROM PermissionSetAssignment 
WHERE permissionSet.IsOwnedByProfile = FALSE 

This should allow you to fetch only the permission set assignments without profiles. 

The following are links to documentation on this matter: 
• Using SOQL to Determine Your User’s Permissions
• SOAP API Developer's Guide

promote demote