Snapshot Best Practices:
Profile and Permission Set Management

Introduction

Profiles and Permission Sets control what users can see and do in their Salesforce Org. Managing these permissions is an essential activity to ensure data security and keep the Org running smoothly. But as Orgs grow in size, the number of permissions can skyrocket, and management can become more and more difficult. Our Snapshot product offers best-of-breed tools for managing Profiles and Permission Sets and for helping Salesforce Administrators visualize the complexity in their Org for compliance and security.

This blog covers technical information about Profiles and Permission Sets as well as the best practices for managing these assets. The next section discusses how to capture complete Profile and Permission Set information in large Salesforce Orgs. After that, we present the tools that Snapshot has for viewing, editing, and comparing Profiles and Permission Sets. The last section covers the reports that Snapshot provides to document Profiles and Permission Sets for compliance and security.

Capturing Profile Information

There are over 200 different Metadata Types that can be captured in a Snapshot of a Salesforce Org. For example, you might download Apex Classes, Custom Objects, Page Layouts, or Reports and Dashboards. These assets are retrieved by the Salesforce Metadata API when you take a Snapshot. However, Profiles are handled somewhat differently than other assets. The information you get when a Profile is captured depends on the other assets that you download along with the Profile. Profiles are “entangled” with these other assets:

  • Apex Classes
  • Apex Pages
  • Custom Applications
  • Custom Tabs
  • Custom Objects
  • Custom Permissions
  • Page Layouts
  • External Data Sources

Administrators of large and complex Salesforce Orgs may have difficulty downloading all of these assets in order to capture complete Profile information. For example, an Org might have 500 Profiles and 1000 Custom Objects with an average of 500 fields for each object. In this case, roughly 250 million Field Permissions will be downloaded. Each Field Permission is an XML snippet that takes up about 250 bytes. That means that the total size of the downloaded data will be over 50 GB.

Objects and Field Permissions are the worst case, but large numbers of Apex Classes and Page Layouts can also cause gigantic Profile downloads in complex Orgs. This problem is compounded by the fact that the Salesforce Metadata API can only download 10,000 assets at once, and the size of the download is limited to about 400 MB of decompressed data. In large Orgs there might be over 10,000 Apex Scripts alone, and so the Metadata API limits can prevent download of comprehensive Profile information.

If your Org is not very big then you don’t need to worry about this issue. Just download all of your Metadata when you take a Snapshot. You also may not need ALL of your Profile information. For example, you might want to work with a subset of Profiles or Custom Objects. The Take Snapshot interface makes it easy to select just the assets you want to work with. But if you want all of your Profile information then you will need to take advantage of the tools that Snapshot provides to circumvent the limitations in the Metadata API.

In the Take Snapshot dialog, there is an interface at the bottom of the Take Snapshot tab that will divide the Snapshot into multiple transactions and then stitch all of the pieces together after the assets have been downloaded. In the picture below, the Admin has created 8 asset groups in order to download the Profiles, Apex Classes, Apex Pages, and Custom Objects in separate transactions.

The rule here is pretty simple: If you have lots of assets, then add some groups. For example, if there are 10,000 Apex Classes in your Org, then add a few groups there. We do not recommend adding multiple groups of Profiles. When you do this the other entangled assets must be downloaded once for each Profile group. Just add groups of the entangled assets. That way all of the assets are downloaded only once.
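The sizing argument above can be turned into a rough group planner. This is an added example, not Snapshot's "Auto Calculate" logic: it assumes every transaction retrieves all Profiles together with one group of Custom Objects, counts only Field Permission bytes, and uses hypothetical function names.

```python
# Figures quoted in the article; the packing model itself is an assumption.
BYTES_PER_FIELD_PERMISSION = 250      # "about 250 bytes" per XML snippet
MAX_ASSETS_PER_RETRIEVE = 10_000      # Metadata API asset limit
MAX_BYTES_PER_RETRIEVE = 400 * 10**6  # "about 400 MB", taken as decimal MB


def field_permission_bytes(profiles, fields):
    """Estimated size of the Field Permissions for `fields` fields on every Profile."""
    return profiles * fields * BYTES_PER_FIELD_PERMISSION


def plan_object_groups(profiles, object_fields):
    """Pack Custom Objects into asset groups that stay under both limits.

    object_fields maps object name -> field count. All Profiles ride along
    with every group, so they count against the asset limit each time.
    Returns (groups, oversize); oversize objects exceed the size limit on
    their own and can only be captured with fewer Profiles selected.
    """
    groups, oversize = [], []
    current, current_bytes = [], 0
    # Deterministic order: largest objects first, then by name.
    for name, fields in sorted(object_fields.items(), key=lambda kv: (-kv[1], kv[0])):
        size = field_permission_bytes(profiles, fields)
        if size > MAX_BYTES_PER_RETRIEVE:
            oversize.append(name)
            continue
        too_big = current_bytes + size > MAX_BYTES_PER_RETRIEVE
        too_many = profiles + len(current) + 1 > MAX_ASSETS_PER_RETRIEVE
        if current and (too_big or too_many):
            groups.append(current)
            current, current_bytes = [], 0
        current.append(name)
        current_bytes += size
    if current:
        groups.append(current)
    return groups, oversize


if __name__ == "__main__":
    # The article's scenario: 500 Profiles, 1000 objects of 500 fields each.
    org = {f"Object{i:04d}__c": 500 for i in range(1000)}
    groups, oversize = plan_object_groups(500, org)
    print(len(groups), "groups;", len(oversize), "oversize objects")
```

Under this model the article's worst-case Org fits only six objects per transaction, which is why the group count is driven by the number of Profiles as much as by the number of objects.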

The Take Snapshot dialog has some other tools that will help you understand where the problems might be when you want to download all of your Profile data. The “Asset Number Report” button shown below will scan the Org and tell you the total number of assets in each Metadata Type. On the first tab, you can also click the “Display Number of Selected Assets” checkbox to display the number of assets throughout the interface. If you right-click the table at left, there is an option to “Auto Calculate” the number of Asset Groups. This will provide a good starting point for grabbing all of your Profile information.

Once you have selected your Asset Groups, this information will be automatically remembered in the Take Snapshot interface and reused each time you take a Snapshot. If the Metadata API is taking too long to capture this information then you can also schedule a Snapshot on the last tab. Some Administrators set up a Virtual Machine and run Snapshot there so that they can run this process at night if necessary. Once you have captured the information that you need you can move on to the next steps outlined below.

Viewing Profiles and Permission Sets

Right-click your Snapshot and select “View Profiles” or “View Permission Sets.” This will bring up an interface to view and edit these assets. Each table will show the Profiles or Permission Sets down the left-hand side and one of the child assets across the top. You can select any of the different views from the menu at right, including:

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Layout Assignments
  • Object Permissions
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions

The “Trim Table” button at top will allow you to select a subset of the table. This is useful if you want to focus on a particular group of Profiles or Permission Sets. Remember that you can right-click on the table and export the current view as a PDF, HTML, or CSV report. This interface also provides the ability to edit any of the cells. When you make edits, a “Changes” button will appear at the bottom of the screen. Click this button to review the Profiles and Permission Sets that were changed and save your edits to the Snapshot. You can then deploy these changes as needed. This is discussed in more detail below.

Deploying Profiles and Permission Sets

Profiles and Permission Sets can easily be moved between Orgs. Be sure the Orgs are connected by a deployment arrow on the Snapshot desktop. Right-click the arrow and select the “Deploy Metadata” option. You can either move the entire Profile or some of the individual permissions in the Profile. This is super useful for making targeted permission changes. For example, in the picture below, a single Object Permission has been added to the Create Job List.

If you have edited a Profile or Permission Set and want to deploy the changes back to the same Org then duplicate the Snapshot item and connect the two Snapshots with a deployment arrow. Take a fresh snapshot on the destination and you will see your edits in the Deploy Metadata dialog. Add your desired changes to the Create Job List for deployment.

When you deploy permissions you will also have to be sure that all associated assets like Apex Classes and Custom Objects are available on the destination Org. You can include these assets along with the permissions in the Create Job List if necessary. Otherwise the deployment will fail. This is a common problem in Profile and Permission Set deployments.

The “Remove Bad References” checkbox on the “Deploy Metadata” tab will automatically remove missing references from Profiles and Permission Sets. In other words, if you are deploying a permission and the associated asset is not in the destination org or the current job list then this option will automatically remove that permission before deployment. If you want to catch these errors then uncheck the “Remove Bad References” option.

By the way, the “Remove Bad References” option can come in handy if you are having trouble deploying User Permissions. User Permissions don’t have any associated asset that can be included in the deployment. There is no API that provides a comprehensive list of User Permissions either, so missing ones can’t be automatically removed. Click the “Manage” button next to the “Remove Bad References” checkbox and add the name of any problematic User Permissions so that they will be automatically removed before deployment.
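The reference check described in the last three paragraphs can be reproduced against raw Profile metadata before a deployment. This is an added example, not Snapshot's code: the function name, the `available` inventory, and the sample Profile are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "http://soap.sforce.com/2006/04/metadata"
# Profile element -> (child naming the referenced asset, asset kind)
REFERENCES = {
    "classAccesses": ("apexClass", "ApexClass"),
    "pageAccesses": ("apexPage", "ApexPage"),
    "objectPermissions": ("object", "CustomObject"),
    "fieldPermissions": ("field", "CustomField"),
    "userPermissions": ("name", "UserPermission"),
}

# Constructed sample Profile, not taken from a real Org.
SAMPLE_PROFILE = f"""<Profile xmlns="{MD}">
  <classAccesses><apexClass>InvoiceService</apexClass><enabled>true</enabled></classAccesses>
  <classAccesses><apexClass>LegacyBatch</apexClass><enabled>true</enabled></classAccesses>
  <objectPermissions><allowRead>true</allowRead><object>Invoice__c</object></objectPermissions>
  <fieldPermissions><editable>false</editable><field>Invoice__c.Old__c</field><readable>true</readable></fieldPermissions>
  <userPermissions><enabled>true</enabled><name>ViewSetup</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ExamplePilotPermission</name></userPermissions>
</Profile>"""


def check_references(profile_xml, available, blocked_user_permissions=(), remove_bad=True):
    """Find Profile permissions whose asset is missing from the destination.

    available maps asset kind -> names present in the destination Org or the
    job list. User Permissions cannot be looked up, so they are matched
    against a hand-maintained list instead. Returns (xml, bad_references).
    """
    ET.register_namespace("", MD)  # keep the default namespace on output
    root = ET.fromstring(profile_xml)
    bad = []
    for node in list(root):
        tag = node.tag.split("}")[-1]
        if tag not in REFERENCES:
            continue
        child, kind = REFERENCES[tag]
        name = node.findtext(f"{{{MD}}}{child}")
        if kind == "UserPermission":
            missing = name in blocked_user_permissions
        else:
            missing = name not in available.get(kind, set())
        if missing:
            bad.append((kind, name))
            if remove_bad:
                root.remove(node)
    return ET.tostring(root, encoding="unicode"), bad
```

Running it with `remove_bad=False` returns the Profile untouched along with the list of bad references, which is the review-first mode to use when silently dropped permissions would hide a real gap in the destination Org.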

Comparing Profiles and Permission Sets

If you right-click the deployment arrow you can also choose to Compare Profiles or Permission Sets. This will line up the source and destination permissions and present the differences. You can switch between “Side by Side” and “Single Table” views. The single table view is very useful for HTML, PDF, and CSV export, because all of the differences are in a single report. You can also use the “Trim Table” button to focus in on specific rows and columns for comparison.

Profile and Permission Set Reports

Right-click any Snapshot item to see the Profile and Permission Set Reports. These reports can be configured and scheduled to run like other Snapshot reports. Here is a list of all the reports:

Profiles

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Layout Assignments
  • Object Permissions
  • Record Type Layouts
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions
  • User Assignments

Permission Sets

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Object Permissions
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions

Combined Security

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Object Permissions
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions
  • User Preferences

Under Profiles, there is an extra view for Record Type Layouts. This shows Profiles down the left-hand side and Record Types across the top with Layouts in the table. The Profiles section also has the User Assignments report. This shows Profiles down the side and Permission Sets across the top. This report provides a bird's-eye view of the number of Permission Set assignments for all users by Profile.

The Combined Security section shows the Profiles for a group of selected users and how this base permission was modified by all of the Permission Sets that were assigned to those users. In the table cells shown in green the base Profile was modified by the assigned Permission Sets. In the table cells shown in red the Permission Set assignments did not change the base Profile permissions. This report is very useful in documenting the true security permissions that users have been granted. Right-click the table and choose “Select Users” to change the group of users shown in the Combined Security reports.
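The combined view for Field Permissions can be computed directly from metadata XML, since Permission Sets only add access on top of the Profile. This is an added example, not Snapshot's report code: the function names and the sample Profile and Permission Sets are constructed, and the `changed` flag corresponds to the cells the report shows in green.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
WRAP = '<{0} xmlns="http://soap.sforce.com/2006/04/metadata">{1}</{0}>'
FP = ("<fieldPermissions><editable>{2}</editable><field>{0}</field>"
      "<readable>{1}</readable></fieldPermissions>")

# Constructed sample metadata, not taken from a real Org.
PROFILE = WRAP.format("Profile",
    FP.format("Account.AnnualRevenue", "true", "false")
    + FP.format("Account.Rating", "false", "false"))
PERMISSION_SETS = [
    WRAP.format("PermissionSet", FP.format("Account.AnnualRevenue", "true", "true")),
    WRAP.format("PermissionSet",
        FP.format("Account.AnnualRevenue", "true", "false")
        + FP.format("Contact.Birthdate", "true", "false")),
]


def field_permissions(xml_text):
    """Map field name -> (readable, editable) for a Profile or Permission Set."""
    perms = {}
    for fp in ET.fromstring(xml_text).findall("md:fieldPermissions", NS):
        readable = fp.findtext("md:readable", "false", NS) == "true"
        editable = fp.findtext("md:editable", "false", NS) == "true"
        perms[fp.findtext("md:field", None, NS)] = (readable, editable)
    return perms


def combined_security(profile_xml, permission_set_xmls):
    """Return field -> (readable, editable, changed) for one user.

    Each flag is the OR of the Profile and every assigned Permission Set,
    because Permission Sets grant access and never revoke it. `changed` is
    True when the effective permission differs from the base Profile.
    """
    base = field_permissions(profile_xml)
    effective = dict(base)
    for xml_text in permission_set_xmls:
        for field, (r, e) in field_permissions(xml_text).items():
            br, be = effective.get(field, (False, False))
            effective[field] = (br or r, be or e)
    return {f: (r, e, (r, e) != base.get(f, (False, False)))
            for f, (r, e) in sorted(effective.items())}
```

For an access review, the rows where `changed` is True are the ones to examine, since they show access a user holds that the Profile alone would not explain.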

Conclusion

There you have it. Snapshot provides very powerful tools for working with Profiles and Permission Sets. These tools are designed to help Administrators clean up and manage complex Salesforce Orgs. Let us know if you have any trouble with your Org.


https://www.metazoa.com
