Snapshot Best Practices:
Profile and Permission Set Management

Introduction

Profiles and Permission Sets control what users can see and do in their Salesforce Org. Managing these permissions is an essential activity to ensure data security and keep the Org running smoothly. But as Orgs grow in size, the number of permissions can skyrocket, and management can become more and more difficult. Our Snapshot product offers best of breed tools for managing Profiles and Permission Sets and for helping Salesforce Administrators visualize the complexity in their Org for compliance and security.

This blog covers technical information about Profiles and Permission Sets as well as the best practices for managing these assets. The next section discusses the tools that Snapshot has for viewing, editing, and comparing Profiles and Permission Sets. After that we examine the reports that Snapshot provides to document Profiles and Permission Sets for compliance and security. The last section covers new tools for rapidly editing User Permission Assignments and the capability to Merge Profiles.

Viewing Profiles and Permission Sets

Right-click your Snapshot and select “View Profiles” or “View Permission Sets.” This will bring up an interface to view and edit these assets. Each table will show the Profiles or Permission Sets down the left-hand side and one of the child assets across the top. You can select any of the different views from the menu at right, including:

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Layout Assignments
  • Object Permissions
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions

The “Trim Table” button at top will allow you to select a subset of the table. This is useful if you want to focus on a particular group of Profiles or Permission Sets. Remember that you can right-click on the table and export the current view as a PDF, HTML, or CSV report. This interface also provides the ability to edit any of the cells. When you make edits, a “Changes” button will appear at the bottom of the screen. Click this button to review the Profiles and Permission Sets that were changed and save your edits to the Snapshot. You can then deploy these changes as needed. This is discussed in more detail below.

Deploying Profiles and Permission Sets

Profiles and Permission Sets can easily be moved between Orgs. Be sure the Orgs are connected by a deployment arrow on the Snapshot desktop. Right-click the arrow and select the “Deploy Metadata” option. You can either move the entire Profile or some of the individual permissions in the Profile. This is super useful for making targeted permission changes. For example, in the picture below, a single Object Permission has been added to the Create Job List.

If you have edited a Profile or Permission Set and want to deploy the changes back to the same Org then duplicate the Snapshot item and connect the two Snapshots with a deployment arrow. Take a fresh snapshot on the destination and you will see your edits in the Deploy Metadata dialog. Add your desired changes to the Create Job List for deployment.

When you deploy permissions you will also have to be sure that all associated assets like Apex Classes and Custom Objects are available on the destination Org. You can include these assets along with the permissions in the Create Job List if necessary. Otherwise the deployment will fail. This is a common problem in Profile and Permission Set deployments.

The “Remove Bad References” checkbox on the “Deploy Metadata” tab will automatically remove missing references from Profiles and Permission Sets. In other words, if you are deploying a permission and the associated asset is not in the destination org or the current job list then this option will automatically remove that permission before deployment. If you want to catch these errors then uncheck the “Remove Bad References” option.

By the way, the “Remove Bad References” option can come in handy if you are having trouble deploying User Permissions. User Permissions don’t have any associated asset that can be included in the deployment. There is no API that provides a comprehensive list of User Permissions either, so missing ones can’t be automatically removed. Click the “Manage” button next to the “Remove Bad References” checkbox and add the name of any problematic User Permissions so that they will be automatically removed before deployment.

Comparing Profiles and Permission Sets

If you right-click the deployment arrow you can also choose to Compare Profiles or Permission Sets. This will line up the source and destination permissions and present the differences. You can switch between “Side by Side” and “Single Table” views. The single table view is very useful for HTML, PDF, and CSV export, because all of the differences are in a single report. You can also use the “Trim Table” button to focus in on specific rows and columns for comparison.

Profile and Permission Set Reports

Right-click any Snapshot item to see the Profile and Permission Set Reports. These reports can be configured and scheduled to run like other Snapshot reports. Here is a list of all the reports:

Profiles

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Layout Assignments
  • Object Permissions
  • Record Type Layouts
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions
  • User Assignments

Permission Sets

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Object Permissions
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions

Combined Security

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Object Permissions
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions
  • User Preferences

Under Profiles, there is an extra view for Record Type Layouts. This shows Profiles down the left-hand side and Record Types across the top with Layouts in the table. The Profiles section also has the User Assignments report. This shows Profiles down the side and Permission Sets across the top. This report provides a birds-eye view of the number of Permission Set assignments for all users by Profile.

The Combined Security section shows the Profiles for a group of selected users and how this base permission was modified by all of the Permission Sets that were assigned to those users. In the table cells shown in green the base Profile was modified by the assigned Permission Sets. In the table cells shown in red the Permission Set assignments did not change the base Profile permissions. This report is very useful in documenting the true security permissions that users have been granted. Right-click the table and choose “Select Users” to change the group of users shown in the Combined Security reports.

Editing User Permission Assignments

Snapshot has a new editing and reporting interface called User Permission Assignments. This feature allows all of the User Assignments with Profiles, Permission Sets, and Permission Set Groups to be rapidly edited. You can also report on all of these relationships for backup, security, and compliance. The goal here is to reduce the reliance on Profiles and move some of that complexity out into Permission Sets and Permission Set Groups.

The next tab in the dialog allows related Permission Sets to be selected and automatically bundled up into a Permission Set Group. All the Users are reassigned so that there is no change in actual permissions. After that, there is a tab to Merge Profiles. You can select a set of related Profiles that you would like to merge, and then see the number of new permissions that will be required. Click the Merge Profiles button to generate a new base Profile, create new Permission Sets that make up the differences, and then reassign all of the Users.

Conclusion

There you have it. Snapshot provides very powerful tools for working with Profiles and Permission Sets. These tools are designed to help Administrators clean up and manage complex Salesforce Orgs. Let us know if you have any trouble with your Org.

Click the download button to get the PDF version of this report.

[email protected]

1 (833) METAZOA (638-2962)

https://www.metazoa.com

Twitter: @metazoa

Facebook: https://www.facebook.com/metazoa4sf

LinkedIn: https://www.linkedin.com/company/18493594/