The Fall of the Profile Empire
Salesforce is on the path to removing or reducing the need for Profiles. They are almost there ...
- Since 1999, the Profile has been king whenever settings and permissions are needed.
- In 2011, the Permission Set was introduced, with strong recommendations as a good practice and in the hope that it would help reduce the huge number of profiles per org.
- In 2019, Permission Set Groups were introduced, not only to group Permission Sets but also to relate them to functional roles (what was a proposed idea with Permission Sets is now a point & click configuration).
- In 2020, the Minimum Access - Salesforce profile was introduced (Summer'20), and less than a year later the Read-Only profile was deprecated (Spring'21). There were strong recommendations to use the Minimum Access profile and add more permissions via permission sets.
... and the key lies in the Permission Set
Since its introduction, the Permission Set object has gained capabilities with every new version of the API and has become more like a Profile.
It is not only the evolution of the Permission Set itself: new objects like MutingPermissionSet and PermissionSetGroup will allow us to get rid of the Profiles, or maybe keep only a few "read-only" Profiles to use.
We can find a very good introduction to Permission Set Groups here and here.
To ease this path, Salesforce Labs has also developed Permission Helper, a tool that can convert a Profile to a Permission Set.
Identifying which Profiles should be removed in your org, and whether you need to modify or create new Permission Sets, requires you to analyze and compare the current Profiles and Permission Sets. We know this task is not easy (see here), and that's why I developed the Toolsforce Excel Add-in.
Compare with Toolsforce
With Toolsforce, when you use the button Compare in the Profiles & Permission Sets group of the toolbar, you can compare Profile vs Profile, Permission Set vs Permission Set, and Profile vs Permission Set.
This table shows the properties that are compared.
| Property | Profile | Permission Set |
|---|---|---|
| Application Visibilities | Application, Visible, Default | Application, Visible, --- |
| Category Group Visibilities | Data Category Group, Data Categories, Visibility | --- |
| Class Access | Apex Class, Enabled | Apex Class, Enabled |
| Custom MetadataType Access | Name, Enabled | Name, Enabled |
| Custom Permissions | Name, Enabled | Name, Enabled |
| Custom Setting Access | Name, Enabled | Name, Enabled |
| External DataSource Access | External DataSource, Enabled | External DataSource, Enabled |
| Field Permissions | Field, Editable, Readable | Field, Editable, Readable |
| Flow Access | Flow, Enabled | Flow, Enabled |
| Layout Assignments | Layout, RecordType | --- |
| Login Flows | Flow, Flow Type, Friendly Name, UI Login Flow Type, Use Lightning Runtime, VF Flow Page, VF Flow Page Title | --- |
| Login Hours | Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday | --- |
| Login IP Ranges | Description, Start Address, End Address | --- |
| Object Permissions | Object, Create, Read, Edit, Delete, View All Records, Modify All Records | Object, Create, Read, Edit, Delete, View All Records, Modify All Records |
| Page Access | Apex Page, Enabled | Apex Page, Enabled |
| Profile Actions Override | Action Name, Content, Form Factor, Page Or SObject Type, Record Type, Type | --- |
| Record Type Visibilities | Record Type, Visible, Default, PersonAccount Default | Record Type, Visible, ---, --- |
| Tab Visibility | Tab, Visibility | Tab, Visibility |
| User Permissions | Name, Enabled | Name, Enabled |
The comparison report will look like the image below. When there are differences, they are clearly shown in yellow.
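The same kind of Profile vs Permission Set comparison can be scripted against Metadata API XML retrieved from an org. This is an added example, not part of Toolsforce or the original post; it assumes only four of the shared sections and three of the Profile-only sections from the table above, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Metadata API section -> child element that names the entry (subset of the shared properties).
KEYED = {"objectPermissions": "object", "fieldPermissions": "field",
         "userPermissions": "name", "classAccesses": "apexClass"}
# Sections the table lists for Profiles only; they cannot move to a Permission Set.
PROFILE_ONLY = {"loginHours", "loginIpRanges", "layoutAssignments"}

def local(tag):
    return tag.split("}")[-1]  # strip the XML namespace from an element tag

def load(xml_text):
    """Map (section, entry name) -> set of flags whose value is 'true'."""
    grants = {}
    for node in ET.fromstring(xml_text):
        key_tag = KEYED.get(local(node.tag))
        if key_tag is None:
            continue
        kids = {local(c.tag): (c.text or "").strip() for c in node}
        flags = frozenset(k for k, v in kids.items() if v == "true")
        grants[(local(node.tag), kids.get(key_tag))] = flags
    return grants

def compare(profile_xml, permset_xml):
    """Return (section, name, profile flags, permission set flags) per difference."""
    a, b = load(profile_xml), load(permset_xml)
    rows = []
    for key in sorted(a.keys() | b.keys()):
        fa, fb = a.get(key, frozenset()), b.get(key, frozenset())
        if fa != fb:  # an entry with every flag false equals a missing entry
            rows.append((key[0], key[1], sorted(fa), sorted(fb)))
    return rows

def profile_only_sections(profile_xml):
    """Sections in use on the Profile that have no Permission Set equivalent."""
    return sorted({local(n.tag) for n in ET.fromstring(profile_xml)} & PROFILE_ONLY)

# Constructed sample metadata (not from a real org).
XMLNS = 'xmlns="http://soap.sforce.com/2006/04/metadata"'
PROFILE = f"""<Profile {XMLNS}>
<objectPermissions><object>Account</object><allowRead>true</allowRead><modifyAllRecords>true</modifyAllRecords></objectPermissions>
<userPermissions><name>ViewSetup</name><enabled>true</enabled></userPermissions>
<loginIpRanges><startAddress>192.0.2.1</startAddress><endAddress>192.0.2.254</endAddress></loginIpRanges>
</Profile>"""
PERMSET = f"""<PermissionSet {XMLNS}>
<objectPermissions><object>Account</object><allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords></objectPermissions>
<userPermissions><name>ViewSetup</name><enabled>true</enabled></userPermissions>
<classAccesses><apexClass>OrderService</apexClass><enabled>true</enabled></classAccesses>
</PermissionSet>"""
```

Calling `compare(PROFILE, PERMSET)` lists only the entries that differ, and `profile_only_sections(PROFILE)` names the settings that must stay on a Profile when the rest moves to Permission Sets.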
Profile and Permission Set History (an excerpt)
| Property | Profile: Winter'22 (API 53) | Permission Set: Spring'13 (API 27) | Permission Set: Spring'17 (API 39) | Permission Set: Winter'22 (API 53) |
|---|---|---|---|---|
| Application Visibilities | ✅ | | ✅ | ✅ |
| Category Group Visibilities | ✅ | | | |
| Class Access | ✅ | ✅ | ✅ | ✅ |
| Custom MetadataType Access | ✅ | | | ✅ |
| Custom Permissions | ✅ | | ✅ | ✅ |
| Custom Setting Access | ✅ | | | ✅ |
| External DataSource Access | ✅ | | ✅ | ✅ |
| Field Permissions | ✅ | ✅ | ✅ | ✅ |
| Flow Access | ✅ | | | ✅ |
| Layout Assignments | ✅ | | | |
| Login Flows | ✅ | | | |
| Login Hours | ✅ | | | |
| Login IP Ranges | ✅ | | | |
| Object Permissions | ✅ | ✅ | ✅ | ✅ |
| Page Access | ✅ | | ✅ | ✅ |
| Profile Actions Override | ✅ | | | |
| Record Type Visibilities | ✅ | | ✅ | ✅ |
| Tab Visibility | ✅ | | ✅ | ✅ |
| User Permissions | ✅ | | ✅ | ✅ |