Salesforce Permission Sets
A permission set is a collection of settings and permissions that give users access to various tools and functions. Permission sets extend users’ functional access without changing their profiles.
Reference: Salesforce
Keep in mind what a Salesforce Profile is, and above all this part of the definition: permission sets extend users' functional access without changing their profiles.
That is the key: when a given type of user needs to do something else, I can create a new Permission Set for that function (for instance, a permission set that forces Multi-Factor Authentication, or one that "makes" a user a Knowledge Base Reader).
... then use permission sets to grant more permissions as needed ...
In the Salesforce Profile article, I proposed a solution based on the Minimum Access - Salesforce profile for the Hiring Application introduced in the Data Security Trailhead Module. These were the Permission Sets proposed:
- Position - CREx
- Position - xRxx (No min/max pay)
- Candidate - CREx
- Candidate - xRxx (No SSN)
- Job Application - CREx
- Job Application - xREx (No Lookups)
- Job Application - xRxx
- Review - CREx
In the following table, I show how those Permission Sets can be used for each level in the Role Hierarchy.
Role | Profile | Permission Set |
---|---|---|
VP Human Resources | Department VP - MA | --- |
Recruiting Manager | Department Director - MA | Position - CREx, Candidate - xRxx (No SSN), Job Application - xREx (No Lookups), Review - CREx |
Recruiter | Department Level 1 - MA | Position - CREx, Candidate - CREx, Job Application - CREx, Review - CREx |
VP Development | Department VP - MA | --- |
Director Product Management | Department Director - MA | --- |
Product Manager | Department Level 1 - MA | --- |
SW Dev Manager | Department Director - MA | --- |
SW Engineer | Department Level 1 - MA | Position - xRxx (No min/max pay), Candidate - xRxx (No SSN), Job Application - xRxx, Review - CREx |
Director QA | Department Director - MA | Position - xRxx (No min/max pay) |
QA Engineer | Department Level 1 - MA | Position - xRxx (No min/max pay) |
We can see that a user in the Recruiting Manager or Recruiter role has enough permissions to fulfill their functions, that a SW Engineer user can work as an Interviewer, and that a user in the Director QA or QA Engineer role can work as a Standard Employee when using the Hiring Application.
So there is no need to change or modify their profiles, and they can still do what they need to do. Our Permission Sets are function-oriented and very easy to manage.
But you may object that with this approach you will end up with a lot of Permission Sets! And I agree 😏. It is certainly not easy to decide when a new Permission Set or Profile should be created. For the Hiring Application, we probably need to create Permission Sets that set permissions on the four objects at once (as the Trailhead Module does): Position, Candidate, Job Application, and Review. Then we might use Permission Set Groups and the Muting Permission Set to remove some settings, depending on the function the user will perform.
Permission Set Properties
A Permission Set has several properties, and each property has different settings. The properties and settings are part of the Permission Set metadata as a class. Hence, to list Permission Set properties automatically (without using the Salesforce interface), we need to understand and work with the Permission Set metadata.
If we can automatically read the Permission Set metadata, then we will be able to list it in a report or compare it against other Permission Sets.
I know it is not a simple task, and that's why I developed Toolsforce. Here is the list of Permission Set properties that Toolsforce currently deals with:
Property | Attributes / Description |
---|---|
Permission Set Name | The API name |
Description | The description |
Has Activation Required? | TRUE = becomes enabled only with an activated session |
License | The type of license used |
Application Visibilities | Application, Visible |
Class Access | Apex Class, Enabled |
Custom MetadataType Access | Name, Enabled |
Custom Permissions | Name, Enabled |
Custom Setting Access | Name, Enabled |
External DataSource Access | External DataSource, Enabled |
Field Permissions | Field, Editable, Readable |
Flow Access | Flow, Enabled |
Object Permissions | Object, Create, Read, Edit, Delete, View All Records, Modify All Records |
Page Access | Apex Page, Enabled |
Record Type Visibilities | Record Type, Visible |
Tab Visibility | Tab, Visibility |
User Permissions | Name, Enabled |
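The idea of reading Permission Set metadata to list and compare it can be tried directly on the Metadata API XML. The following is an added example, not Toolsforce code and not part of the original article: it renders each `objectPermissions` entry in the CREx notation used above and separately reports View All Records / Modify All Records, which ignore sharing settings. The two sample documents and the API name `Position__c` are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
CRUD = (("allowCreate", "C"), ("allowRead", "R"), ("allowEdit", "E"), ("allowDelete", "D"))
BROAD = ("viewAllRecords", "modifyAllRecords")  # these ignore sharing settings

# Constructed samples; labels and the API name Position__c are assumptions.
SAMPLE_A = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Sample A (constructed)</label>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>true</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords><viewAllRecords>true</viewAllRecords>
    <object>Position__c</object>
  </objectPermissions>
</PermissionSet>"""
SAMPLE_B = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Sample B (constructed)</label>
  <objectPermissions>
    <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords><viewAllRecords>false</viewAllRecords>
    <object>Position__c</object>
  </objectPermissions>
</PermissionSet>"""

def _is_true(node, tag):
    # A missing element is treated as "not granted".
    return node.findtext(f"m:{tag}", default="false", namespaces=NS).strip() == "true"

def object_permissions(xml_text):
    """Return {object: {"crud": "CREx", "broad": [...]}} for one permission set."""
    root = ET.fromstring(xml_text)
    result = {}
    for node in root.findall("m:objectPermissions", NS):
        crud = "".join(c if _is_true(node, tag) else "x" for tag, c in CRUD)
        broad = [tag for tag in BROAD if _is_true(node, tag)]
        result[node.findtext("m:object", namespaces=NS)] = {"crud": crud, "broad": broad}
    return result

def compare(xml_a, xml_b):
    """Return {object: (a, b)} where access differs; None means not granted at all."""
    a, b = object_permissions(xml_a), object_permissions(xml_b)
    return {o: (a.get(o), b.get(o)) for o in sorted(a.keys() | b.keys()) if a.get(o) != b.get(o)}

if __name__ == "__main__":
    for name, xml_text in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, object_permissions(xml_text))
    print("diff:", compare(SAMPLE_A, SAMPLE_B))
```

A non-empty `broad` list is the first thing to review in such a report, since those grants reach every record of the object regardless of the role hierarchy.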
When you use the Permission Set button in Toolsforce, you will be able to create a report like the one below in a new Excel worksheet.
Don't wait, download and install the tool, it's free! 😊