Salesforce Privileged Permissions

An interactive reference table of Salesforce user permissions and their privilege classification, maintained by PhantomLabs.

Live site: https://salesforce.btphantomlabs.com

About

Salesforce exposes hundreds of Permissions* flags that can be granted via Profiles and Permission Sets. A small subset of these grant privileged capabilities — the ability to modify metadata, access all data, impersonate users, bypass security controls, and so on.

This repo hosts a searchable, filterable table of every discoverable Permissions* field, with an explicit Privileged flag for the ones that matter most from a security perspective.

How the Data Was Sourced

The CSV is generated by combining three sources:

1. Salesforce public documentation — the Field Reference pages for UserPermissionAccess are scraped to enumerate permission API names and their labels.
2. Salesforce Describe API — authenticated JWT bearer flow against a Salesforce org retrieves the full set of Permissions* fields from the Profile sObject's metadata, filling in any permissions missing from the public docs.
3. Permission Set UI scraping — because the API does not expose permission descriptions, a headless browser session logs into Salesforce Setup, navigates to a Permission Set's System Permissions page, and extracts the user-facing description text for each permission.

The three datasets are merged by API name, deduplicated, and sorted. Each row is then manually classified as Privileged (TRUE/FALSE) by PhantomLabs based on the capability the permission grants.

Columns

Column	Description
Permission Name	The Salesforce API name of the permission (e.g., PermissionsModifyAllData)
Description	Human-readable description of what the permission grants
Privileged	TRUE if the permission grants elevated/security-sensitive capabilities, FALSE otherwise

License

Released under the MIT License.

Credits

Maintained by PhantomLabs.