How to Audit Salesforce Permissions Across All Profiles at Once
If you've ever tried to audit permissions across all your Salesforce profiles, you already know the frustration. You open Setup, click into a profile, check the object settings, go back, open the next profile, repeat — and by the time you're done with profile number seven, you've lost track of what you saw in profile number two. There's no side-by-side view, no downloadable matrix, no way to compare at a glance. Just you, a browser, and a growing sense that something is probably misconfigured somewhere.
This is the reality for most Salesforce admins doing permission audits today. And it's not a minor inconvenience — it's a genuine security risk. The longer it takes to audit permissions, the longer misconfigurations go undetected. Users retain access they stopped needing months ago. Sensitive fields remain editable by profiles that should only be reading them. And when the compliance team asks for an evidence report, you have nothing to hand over except a stack of screenshots.
BOFC — Bulk Object Field Creator — is a Salesforce AppExchange tool that solves this problem in a way the native Setup interface simply doesn't. This post walks through exactly how to use it for a full permission audit, and what to do with what you find.
What BOFC Actually Does for Permission Audits
BOFC is primarily known as a bulk field management tool — a way to create dozens of custom fields across multiple objects without clicking through the UI hundreds of times. But buried inside it is one of the most useful permission audit interfaces available on AppExchange.
The core feature is a permissions matrix. Instead of opening profiles one by one, BOFC loads all your profiles as columns and all your objects and fields as rows, in a single spreadsheet-style view. You can see at a glance which profiles have Read access, which have Edit, which have Delete, and which have nothing — all on the same screen.
This sounds simple, but in practice it transforms the audit workflow entirely. What used to take a full day of clicking now takes about 20 minutes.
Start with installation. BOFC is available on the Salesforce AppExchange with a free trial. Install it into your org and make sure the admin doing the audit has the "Manage Profiles and Permission Sets" system permission. Without it, some views will be incomplete.
Open the Permissions Manager. Once you're inside the BOFC app, navigate to the Permissions Manager section. This is where the matrix lives. Select the objects you want to audit — you can choose specific ones or pull in everything for a full org-wide review. The matrix will load with all your profiles as columns across the top.
Understand what you're looking at. The matrix shows two layers of access: object-level CRUD permissions (Create, Update, Delete, View All, Modify All) and field-level security (FLS) for every field on that object. Both are visible without switching screens. This matters because a profile might have Read access to an Opportunity but shouldn't be able to read the Amount field — BOFC shows both in context.
Filter to what matters. You don't have to look at everything at once. BOFC's filter panel lets you isolate specific profiles, compare just your custom profiles, or focus on a subset of objects. If you're doing a targeted audit — say, investigating who can see your compensation-related fields — you can narrow the view to exactly that.
Export before you do anything else. Before making any changes, export the current state of your permissions to Excel or CSV. This export becomes your audit artifact. It's what you hand to your compliance team, your security reviewer, or your CISO when they ask for evidence. It's also your rollback reference if something goes wrong later. Don't skip this step.
Look for the anomalies. With the full matrix in front of you — either on screen or in the spreadsheet — start scanning for things that don't belong. Common findings include: profiles with Delete access on objects that should be read-only for most users; field-level Edit access on fields like salary, commission, or payment terms that only a handful of people should ever touch; profiles cloned from an admin profile years ago that still carry elevated permissions nobody remembers granting; and permission sets that grant access silently on top of a restrictive profile, creating effective access that isn't obvious from looking at either source alone.
Make corrections in bulk. Once you know what needs to change, BOFC lets you revoke or grant permissions across multiple profiles and objects at once — without opening a single individual profile page in Setup. Select the cells, choose your action, save. The changes deploy to your org immediately.
Keeping Permissions Clean After the Audit
Running the audit once is valuable. Running it regularly is what keeps your org secure over time.
The most practical approach is to export a clean, reviewed permissions matrix and treat it as your baseline. Every quarter — or after any significant org change like a new deployment, a profile modification, or a major permission set update — run another export and compare it to the baseline. Any differences are your review candidates.
The "after every major change" part is easy to forget, but it matters. When a developer deploys a new custom object, its field-level security defaults to whatever the profile's object access grants. If you don't audit after deployment, you may not notice that a profile you thought was read-only now has Edit access on a new sensitive field.
Also worth noting: as Salesforce continues pushing the ecosystem toward permission set groups and away from profiles, the same discipline applies. Permission set groups can grant access that overrides or extends profile settings in ways that aren't always obvious. Include them in your BOFC audits just as you would profiles.
If you haven't done a permission audit before, start with your highest-risk objects: Accounts, Contacts, Opportunities, and any objects containing financial, medical, or personally identifiable data. Run BOFC on those first. See what you find.
Then expand to your full object list. Take the export, sit down with it, and look for anything that surprises you. Chances are there's at least one profile with access it shouldn't have — and at least one field that's been wide open for longer than anyone realized.
The tool makes the audit fast. The judgment of what to do with what you find is still yours. But at least now you'll have the full picture in front of you.
BOFC is available on the Salesforce AppExchange. A free trial is available for orgs that want to evaluate the permissions audit capabilities before committing to a license.