Salesforce is introducing exciting new technology in the Spring 48.0 release that will revolutionize how Admins can organize the permissions in their Org. Permission Set Groups will allow Permission Sets to be grouped together and assigned to Users. If monolithic Profiles are the Papa Bear, and atomistic Permission Sets are the baby bear, then Permission Set Groups are the Mama Bear that Admins need to manage User permissions.

This blog covers some of the ways our Snapshot product can help you manage User permissions and transition to Permission Set Groups. First, we discuss why Permission Set Groups are such an important new technology. The next section discusses the tools that Snapshot has for viewing, editing, and comparing Profiles and Permission Sets. After that we examine the reports that Snapshot provides to document Profiles and Permission Sets for compliance and security. The last section covers new tools for rapidly editing User Permission Assignments and the capability to Merge Profiles.

The New Permission Architecture

Permission Set Groups will allow highly complex Profiles to be simplified back to a base set of standard permissions. Companies will be able to dramatically reduce the number of Profiles that they need. Permission Set Groups can provide an entire new level of additional detail that modify these base Profiles in unlimited ways. Permission Sets will be able to fulfill their original mission of providing individual Users with the extra permissions they need to cover special cases.

Consider the illustration below. Bob has been assigned the Marketing Profile. This profile only includes the basic permissions needed for any Marketing User. Other more specific permissions have been removed. Bob is a member of the Advertising Team, and so he has been assigned the Permission Set Group for Advertising. And by the way, Bob runs analytics for the Marketing department, so he has been assigned the Permission Set for Einstein Analytics to cover this special case.

What is really important about this diagram is that an Admin or Security Officer can look at the structure and see by inspection that Bob’s permissions are correct. The names and descriptions of the Profiles, Permission Set Groups, and Permission Sets are human readable. These names should flow from the corporate priorities for employee job descriptions and their top-down security design. The end result should be a permission architecture that emphasizes clarity, context, and meaning.

Viewing Profiles and Permission Sets

Snapshot provides matrix reports that show the Profiles or Permission Sets down the left-hand side and one of the child assets across the top. You can select any of the different views from the menu at right, including:

  • Apex Class Accesses
  • Apex Page Accesses
  • Application Visibility
  • Field Permissions
  • Layout Assignments
  • Object Permissions
  • Record Type Visibility
  • Tab Visibility
  • User Permissions
  • Custom Permissions

Deploying Profiles and Permission Sets

Snapshot can move the entire Profile or some of the individual permissions in the Profile. This is super useful for making targeted permission changes. For example, in the picture below, a single Object Permission has been added to the Create Job List.

When you deploy permissions, you will also have to be sure that all associated assets like Apex Classes and Custom Objects are available on the destination Org. You can include these assets along with the permissions in the Create Job List if necessary. Otherwise the deployment will fail. This is a common problem in Profile and Permission Set deployments.

The “Remove Bad References” checkbox on the “Deploy Metadata” tab will automatically remove missing references from Profiles and Permission Sets. In other words, if you are deploying a permission and the associated asset is not in the destination org or the current job list then this option will automatically remove that permission before deployment. If you want to catch these errors, then uncheck the “Remove Bad References” option.

Comparing Profiles and Permission Sets

If you right-click the deployment arrow you can also choose to Compare Profiles or Permission Sets. This will line up the source and destination permissions and present the differences. You can switch between “Side by Side” and “Single Table” views. The single table view is very useful for HTML, PDF, and CSV export, because all of the differences are in a single report. You can also use the “Trim Table” button to focus in on specific rows and columns for comparison.

Combined Security Report

Right-click any Snapshot item to see the Profile and Permission Set Reports. These reports can be configured and scheduled to run like other Snapshot reports. The Combined Security section shows the Profiles for a group of selected users and how this base permission was modified by all of the Permission Sets that were assigned to those users. In the table cells shown in green the base Profile was modified by the assigned Permission Sets. In the table cells shown in red the Permission Set assignments did not change the base Profile permissions. This report is very useful in documenting the true security permissions that users have been granted. Right-click the table and choose “Select Users” to change the group of users shown in the Combined Security reports.

Editing User Permission Assignments

Snapshot has a new editing and reporting interface called User Permission Assignments. This feature allows all of the User Assignments with Profiles, Permission Sets, and Permission Set Groups to be rapidly edited. You can also report on all of these relationships for backup, security, and compliance. The goal here is to reduce the reliance on Profiles and move some of that complexity out into Permission Sets and Permission Set Groups.

The next tab in the dialog allows related Permission Sets to be selected and automatically bundled up into a Permission Set Group. All the Users are reassigned so that there is no change in actual permissions. After that, there is a tab to Merge Profiles. You can select a set of related Profiles that you would like to merge, and then see the number of new permissions that will be required. Click the Merge Profiles button to generate a new base Profile, create new Permission Sets that make up the differences, and then reassign all of the Users.

Conclusion

There you have it. Our Snapshot product offers best of breed tools for managing Profiles and Permission Sets and for helping Salesforce Administrators visualize the complexity in their Org for compliance and security. These tools are designed to help Administrators clean up and manage complex Salesforce Orgs. Let us know if you have any trouble with your Org.

 

Bill Appleton

CTO Metazoa

Toll Free: 1-833-638-2962