Graph Schema
Weylon Solis edited this page Mar 18, 2026 · 1 revision

ForceHound outputs OpenGraph v1 JSON with the following node and edge kinds.
```json
{
  "metadata": {"source_kind": "Salesforce"},
  "graph": {
    "nodes": [
      {"id": "005...", "kinds": ["SF_User", "User"], "properties": {"name": "Alice", "objectid": "005..."}}
    ],
    "edges": [
      {"start": {"value": "005...", "match_by": "id"}, "end": {"value": "00e...", "match_by": "id"}, "kind": "HasProfile"}
    ]
  }
}
```

| Kind | Secondary kind | Source | Description |
|---|---|---|---|
| `SF_User` | `User` | API, Aura | Salesforce user |
| `SF_Profile` | `SaaS_Container` | API, Aura | Profile (collection of permissions) |
| `SF_PermissionSet` | `SaaS_Entitlement` | API, Aura | Permission Set or Permission Set Group |
| `SF_Role` | `SaaS_Group` | API, Aura | User role (hierarchy node) |
| `SF_Group` | `SaaS_Group` | API, Aura | Public group or queue |
| `SF_Organization` | `Organization` | API, Aura | The org itself (singleton) |
| `SF_Object` | `SaaS_Resource` | API | Salesforce standard/custom object |
| `SF_Field` | `SaaS_Resource` | API | Object field (FLS target) |
| `SF_Record` | — | API | Individual record (from Share queries) |
| `SF_ConnectedApp` | `SaaS_Application` | API | Connected Application (OAuth app) |
| `SF_NamespacedObject` | `SaaS_Resource` | Aura | Namespaced managed package object |
| `SF_PublicGroup` | `SaaS_Group` | API, Aura | Public group (subset of SF_Group) |

Note: OpenGraph v1 limits each node to 2 kinds. The third kind (e.g., SaaS_Identity for users) is truncated during output.

| Edge | From | To | Description |
|---|---|---|---|
| `HasProfile` | SF_User | SF_Profile | User's assigned profile |
| `HasPermissionSet` | SF_User | SF_PermissionSet | Direct PS assignment |
| `HasRole` | SF_User | SF_Role | User's role |
| `IncludedIn` | SF_PermissionSet | SF_PermissionSet | PS is member of PSG |
| `MemberOf` | SF_User/SF_Group | SF_Group | Group membership |
| `ManagedBy` | SF_User | SF_User | Manager hierarchy |
| `ReportsTo` | SF_Role | SF_Role | Role hierarchy |

| Edge | From | To | Description |
|---|---|---|---|
| `CanCreate` | SF_PermissionSet/SF_Profile | SF_Object | Can create records |
| `CanRead` | SF_PermissionSet/SF_Profile | SF_Object | Can read records |
| `CanEdit` | SF_PermissionSet/SF_Profile | SF_Object | Can edit records |
| `CanDelete` | SF_PermissionSet/SF_Profile | SF_Object | Can delete records |
| `CanViewAll` | SF_PermissionSet/SF_Profile | SF_Object | Can view all records (bypasses sharing) |
| `CanModifyAll` | SF_PermissionSet/SF_Profile | SF_Object | Can modify all records |
| `CanViewAllFields` | SF_PermissionSet/SF_Profile | SF_Object | Can view all fields |

| Edge | From | To | Description |
|---|---|---|---|
| `CanReadField` | SF_PermissionSet/SF_Profile | SF_Field | Can read this field |
| `CanEditField` | SF_PermissionSet/SF_Profile | SF_Field | Can edit this field |
| `FieldOf` | SF_Field | SF_Object | Field belongs to object |

| Edge | From | To | Description |
|---|---|---|---|
| `CrudCanCreate` | SF_User | SF_Object | Session user verified able to create |
| `CrudCanRead` | SF_User | SF_Object | Session user verified able to read |
| `CrudCanEdit` | SF_User | SF_Object | Session user verified able to edit |
| `CrudCanDelete` | SF_User | SF_Object | Session user verified able to delete |

| Edge | Description |
|---|---|
| `ModifyAllData` | Can modify all data in the org |
| `ViewAllData` | Can view all data |
| `AuthorApex` | Can write Apex code |
| `ManageUsers` | Can manage user accounts |
| `CustomizeApplication` | Can customize the application |
| `ManageProfilesPermissionsets` | Can manage profiles and permission sets |
| `AssignPermissionSets` | Can assign permission sets |
| `ManageRoles` | Can manage the role hierarchy |
| `ManageSharing` | Can manage sharing rules |
| `ManageInternalUsers` | Can manage internal users |
| `ResetPasswords` | Can reset passwords |
| `ApiEnabled` | Has API access |
| `ViewSetup` | Can view Setup |
| `ViewAllUsers` | Can view all users |
| `ManageDataIntegrations` | Can manage data integrations |

All capability edges go from SF_PermissionSet/SF_Profile → SF_Organization.

| Edge | From | To | Description |
|---|---|---|---|
| `CanAccessApp` | SF_PermissionSet/SF_Profile | SF_ConnectedApp | Can access the connected app |
| `CreatedBy` | SF_ConnectedApp | SF_User | App creator |

| Edge | From | To | Description |
|---|---|---|---|
| `Owns` | SF_User | SF_Record | Record owner |
| `ExplicitAccess` | SF_User/SF_Group | SF_Record | Manual sharing rule grant |
| `InheritsAccess` | SF_User/SF_Group | SF_Record | ControlledByParent access |

| Edge | From | To | Description |
|---|---|---|---|
| `CanOwnObjectType` | SF_Group (Queue) | SF_Object | Queue can own records of this type |

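
An added example (not ForceHound's own code) of auditing an export with the schema above: it joins `HasProfile`/`HasPermissionSet` assignments to the org-wide capability edges and the sharing-bypassing object edges, and lists which users hold them and through which profile or permission set. It assumes grants are read from the node a user is directly assigned (`IncludedIn` is not followed, since the page does not say how Permission Set Group capabilities are modelled); the choice of "high impact" edge kinds and all sample ids are constructed for the example.

```python
import json
from collections import defaultdict

ASSIGN = {"HasProfile", "HasPermissionSet"}   # SF_User -> profile / permission set
# Edge kinds from the schema treated as high impact (this selection is the example's own).
ORG_WIDE = {"ModifyAllData", "ViewAllData", "AuthorApex", "ManageUsers",
            "ManageProfilesPermissionsets", "AssignPermissionSets"}
OBJ_WIDE = {"CanViewAll", "CanModifyAll"}     # per-object grants that ignore sharing

def high_impact_grants(doc):
    """Return {user_id: sorted [(edge_kind, target_id, via_id)]} for one export."""
    graph = doc["graph"]
    users = {n["id"] for n in graph["nodes"] if "SF_User" in n.get("kinds", [])}
    assigned = defaultdict(set)   # user id -> ids of the profile / permission sets held
    grants = defaultdict(set)     # profile or permission set id -> (edge kind, target id)
    for e in graph["edges"]:
        if e["start"].get("match_by") != "id" or e["end"].get("match_by") != "id":
            continue              # only the id-matched endpoints shown on the page are handled
        src, dst, kind = e["start"]["value"], e["end"]["value"], e["kind"]
        if kind in ASSIGN and src in users:
            assigned[src].add(dst)
        elif kind in ORG_WIDE or kind in OBJ_WIDE:
            grants[src].add((kind, dst))
    report = {}
    for user, holders in assigned.items():
        rows = sorted((k, t, via) for via in holders for k, t in grants.get(via, ()))
        if rows:
            report[user] = rows
    return report

# Constructed sample export (ids are made up for the example, not real Salesforce ids).
def _n(i, *kinds): return {"id": i, "kinds": list(kinds), "properties": {}}
def _e(s, t, kind): return {"start": {"value": s, "match_by": "id"},
                            "end": {"value": t, "match_by": "id"}, "kind": kind}
SAMPLE = {"metadata": {"source_kind": "Salesforce"}, "graph": {
    "nodes": [_n("u-alice", "SF_User", "User"), _n("u-bob", "SF_User", "User"),
              _n("p-admin", "SF_Profile", "SaaS_Container"),
              _n("p-std", "SF_Profile", "SaaS_Container"),
              _n("ps-support", "SF_PermissionSet", "SaaS_Entitlement"),
              _n("org", "SF_Organization", "Organization"),
              _n("obj-Account", "SF_Object", "SaaS_Resource")],
    "edges": [_e("u-alice", "p-admin", "HasProfile"), _e("u-bob", "p-std", "HasProfile"),
              _e("u-bob", "ps-support", "HasPermissionSet"),
              _e("p-admin", "org", "ModifyAllData"), _e("p-admin", "org", "ApiEnabled"),
              _e("p-std", "obj-Account", "CanRead"),
              _e("ps-support", "obj-Account", "CanViewAll")]}}

if __name__ == "__main__":
    print(json.dumps(high_impact_grants(SAMPLE), indent=2))
```

Users are selected by the presence of `SF_User` in `kinds` rather than by a fixed position, because the 2-kind limit noted above means secondary kinds cannot be relied on.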