function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
William MillsWilliam Mills 

Data Security->Controlling Access to Fields->Create a Profile and Permission Set to properly handle field access

Hi all, I'm getting this error message from the checker "Challenge not yet complete... here's what's wrong: 
The 'Basic Account User' profile did not have the appropriate object and field-level security for the Account object"
I think I've tried every possible way to set up the Basic Account User and Pofiles. I have tried allowing the filed in the profile but not in the permission set, and vice versa as well as a mix of the two. How am I supposed to set up the Basic Account User?? I have been editing the Account settings under the Standard Object Permissions section of the profile, but if there is something else I am supposed to be editing, please let me know. Thanks!
William MillsWilliam Mills
Hi Amit,

Unfortunately, that did not work. Here is my Basic Account User profile settings for Accounts
User-added image

and my Account Rating permission set settings:
User-added image
William MillsWilliam Mills
It didn't work in my new org either :(
Did you also have to create the Marketing Coordinator and Account Manager Roles and assign those to users? When I try to do that, I can't apply the "Salesforce" user licence to more than one, whihc means they can't both have the Basic Account User porfile (my plan was to give them the same profile, then only give the Account Manager the Permission Set).
Regardless, the error still says "the 'Basic Account User' profile did not have the appropriate object and field-level security for the Account object."
Rahul Rao 3Rahul Rao 3

Hi William Mills,

In the profile that you have created "Basic Account User"  you need to check the FLS  on Accounts and uncheck the access for rating field. This will resolve the issue 
User-added image

Rahul Rao K

Vincent BoucherVincent Boucher
That was the trick, unchecked ONLY rating fields and keep the rest as is (clone from read only) 
I deactivated all objects BUT accounts and all fields (to keep only Rating in the Permission set) and it always failed.
I had to only unchecked rating in the profile, and check it back in the permission set, that's it. Nothing else to do after cloning it from the read only profile.
hope it will help other, I spent couple of hours on it ... 
Dave NelsonDave Nelson
Drove me nuts, too.  It seemed as though the instructions did not jive with the solution.  Maybe it's just me.  Thank you for posting!
Travis PageTravis Page
Thank you SO much Vincent! This helped me so much.
Dannielle GivensDannielle Givens

This one was a tough one. Vincent your solution did help. I had to do the follow:

1. Clone the "READ ONLY" Profile
2. Go to Object settings
3. Uncheck "Rating"

Permission Set
1. Set the "Rating" field to Read and Edit

Very tricky wording, but I appreciate the help!
Ryan William SchorrRyan William Schorr
To complete this challenge, you must first create a profile called "Basic Account User".
  1. In Setup, choose Manage Users > Profiles
  2. Click the New Profile button at the top
  3. You will need to clone an existing profile; from the Existing Profile drop-down, select a profile that uses the Salesforce user license ("Standard User" is one of these)
  4. Name the profile "Basic Account User" and click Save
Now set the permission for the new profile so that it only has Read access to the "Accounts" object.
  1. From the Profiles list, click the Edit button next to Basic Account User
  2. Scroll down to the Standard Object Permissions section and uncheck every box for all objects; now check only the boxes in the Read and Edit columns for the Accounts object
  3. Scroll to the top or bottom and click Save
You now have the correct user profile to complete the challenge: A profile that can only view and update Accounts. It is now possible for two users to have these permissions. You now need to create a permission set that will grant extra permissions to any users it is applied to; in this case, the permission set will allow its assigned user to see and edit the Rating field in the Account object.
  1. In Setup, choose Manage Users > Permission Sets
  2. Click the New button near the top
  3. Give the new permission set the Name "Account Rating" and hit the Tab key; ensure that the API Name is "Account_Rating"
  4. From the Permission Sets list, click your new "Account Rating" permission set
  5. In the Apps section, click Object Settings
  6. Click Accounts
  7. Click the Edit button near the top
  8. Scroll down to Rating and check both boxes to allow this permission set to grant the user Read and Edit permissions to the Rating field
  9. Scroll to the top and click Save
You've now solved the two main parts of the challenge: Creating a profile that can only view and update Accounts and creating a permission set that grants specific users the additional permission of being able to see and edit the Rating field.

This was the last piece of the puzzle that allowed me to finally solve this challenge: I needed to set the field-level security on the Rating field of the Accounts object to be hidden from all users. Here's how I did it. 
  1. In Setup, choose Customize > Accounts > Fields
  2. In the Account Standard Fields box, click Rating in the Field Label column
  3. Click the Set Field-Level Security button at the top
  4. In the Basic Account User row, uncheck all boxes
This ensures that all users with the "Basic Account User" profile do not see the Rating field. Hopefully this last section is the only part you struggled with; it's not very straight-forward. Good luck!
Daniel AdlerDaniel Adler
Thanks Ryan, that last paragraph you had (hiding the Rating fields on accounts) is what finally did it for me.
Peter KarpPeter Karp
Ryan, I've followed your steps exactly and I'm still not getting it. Is it possible I messed it up too much before hand? I tried deleteing the profile, but the delete button seems disabled...
Ryan William SchorrRyan William Schorr
Peter, are you saying that the Delete button on the "Basic Account User" profile you created is disabled? If so, you may be best off attempting this challenge again with a new dev org. You can sign up for a new org here (
Ryan William SchorrRyan William Schorr
My students ran into this error again this week, so here's a more simple explanation of how to solve this. All you need to do to pass this challenge is to create one profile and one permission set; you do not need to actually apply either to a user.
  1. Create the profile. Create a new profile called "Basic Account User" by cloning an existing profile that uses the "Salesforce" user license type. In the profile's Field-Level Security section, click View next to "Account" and then the Edit button. Uncheck both the Visible and Read-Only boxes next to the "Rating" field. You now have a profile which has read/write access to the Account object but cannot see the Rating field. This is the default access level that all basic account users will have, and you still need to create a permission set that can be used to give a specific user access to the "Rating" field.
  2. Create the permission set. Create a new permission set called "Account Rating" using the "Salesforce" user license. In the permission set's Apps section, click Object Settings, then Accounts, then the Edit button. Check both the Read and Edit boxes next to the "Rating" field. You now have a permission set that can be applied to a basic account user to grant permission to see the "Rating" field.
Remember that you do not actually need to apply the new profile and permission set to any users; the challenge was simply to make these available so that the described scenario could be solved.
Imtiyaz Ali 16Imtiyaz Ali 16
Ryan William Schorr: i have found an error Challenge Not yet complete... here's what's wrong: 
The 'Basic Account User' profile did not have the appropriate object and field-level security for the Account object
I follow the instruction that u mention above.
Imtiyaz Ali 16Imtiyaz Ali 16
User-added image
Imtiyaz Ali 16Imtiyaz Ali 16
User-added image
Ryan William SchorrRyan William Schorr
Imtiyaz Ali 16: It looks like the Account object and its Rating field are configured correctly. The only thing I'm seeing that appears different from what everyone else has done (and this shouldn't affect it, but the way Trailhead checks your challenges can sometimes be affected by weird things) is that you're using the Enhanced Profile User Interface. I'm curious to see if disabling this passes the challenge. Can you please do the following and report back on whether this allows you to pass the challenge?
  1. From Setup, enter User Interface in the Quick Search and click User Interface
  2. In the Setup section at the bottom, uncheck the box next to Enable Enhanced Profile User Interface
  3. Click Save
Then try checking the challenge to see if it passes. Please let me know what happens!
Imtiyaz Ali 16Imtiyaz Ali 16
Mr. Ryan William schorr: I do the same as per your instruction but i found the sam problem 
Challenge Not yet complete... here's what's wrong: 
The 'Basic Account User' profile did not have the appropriate object and field-level security for the Account object
Ryan William SchorrRyan William Schorr
I didn't think that would be the solution, but it was worth checking to see if that affected Trailhead's evaluation of the challenge. In this case I would suggest creating a new dev org and linking it to your Trailhead account just for this one challenge:

You shouldn't need to go back and complete any other challenges as a prerequisite to this one, and you should be able to go back to using your regular dev org after this challenge. Just do the challenge one more time doing exactly what you're already doing. Please post again to let us know if it passes or if you are still encountering an error.

Imtiyaz Ali 16Imtiyaz Ali 16
Thank You Mr. Ryan William Schorr. I done it.
Mark Korf 6Mark Korf 6
Ryan, your step by step instructions are the bomb! Others trying to help should emulate your detailed instructions! Perhaps then some of these threads wouldn't be so long (and aggravating!) Thanks a million!
Natalie Tan 15Natalie Tan 15
Thank you, Ryan. Challenge finally complete.
Kshma SinghKshma Singh
Thanks Ryan it hep me a lot....
Marco Pollastri 1Marco Pollastri 1
Thanks Ryan for the steps and the clear explaination!!!!
Kevin ThorntonKevin Thornton
I have attempted to try all of these solutions and I am still getting the same "The 'Rating' permission set does not have the appropriate field-level security for the Account Rating field". Anyone else recently tackle this issue? I appreciate the help. 
Adriano CruzAdriano Cruz
Hi. I could not solve this. Any help please?!
Akriti@04 GuptaAkriti@04 Gupta
Hi Ryan William Schorr,

Unable to perform the action at Field level as there is no Rating filed on the account object. I am working on Salesforce lightning.
->> Field Permissions: Rating on the Account object (remove Read Access and Edit Access)
Getting below error 
The 'Sales' profile does not have the appropriate field-level security for the account Rating field. 

Could you please look into it.