Friday, October 3, 2014

Salesforce: Custom Permission for Validation Rule

Custom Permissions were introduced in the Summer '14 release as a Developer Preview (only in Developer Edition organizations). Custom permissions let developers define access checks that can be assigned to users via permission sets or profiles, similar to how you assign user permissions and other access settings. For example, you can define access checks in Apex that make a button on a Visualforce page available only if a user has the appropriate custom permission.

To determine which users have access to a specific custom permission, use Salesforce Object Query Language (SOQL) with the SetupEntityAccess and CustomPermission sObjects.

In the Winter '15 release, Custom Permissions became Generally Available and, even better, they are accessible from Validation Rules and Formula Fields. Admins should take full advantage of this enhancement.

Use Case:
Only a few people are allowed to change the Account Name when Type = Customer. These few people have different Profiles or Roles. The Account OWD sharing setting is Public Read Only.

Solution: Create Validation Rule

1. Hardcode UserId or UserName
 AND(   
 $Profile.Name <> 'System Administrator',   
 $User.Id <> '00550000000rlrX',   
 $User.Username <> 'myname@mydomain.com',   
 OR(   
 ISPICKVAL(Type, "Customer"),   
 ISPICKVAL(PRIORVALUE(Type), "Customer")   
 ),   
 ISCHANGED(Name)   
 )  
** Use the 15-character UserId, not the 18-character one.

Cons: Difficult to maintain; the admin needs to update every affected validation rule (there may be many).


2. Custom Setting
In a custom setting, create a new Text or Text Area custom field to store the UserIds, separated by commas.
 AND(  
 $Profile.Name <> 'System Administrator',  
 NOT(CONTAINS($Setup.Special_User__c.UserId__c, $User.Id)),  
 OR(  
 ISPICKVAL(Type, "Customer"),  
 ISPICKVAL(PRIORVALUE(Type), "Customer")  
 ),  
 ISCHANGED(Name)  
 )  
** A 15- or 18-character UserId is fine here, because we are using CONTAINS()


Setup | Develop | Custom Settings

Click Manage link | Edit button

Pros:
  • One place to store all UserIds
  • Can be used in multiple validation rules
  • A custom setting can be implemented by User or Profile
Cons:
  • Admin needs to keep updating User IDs in the Custom Setting
  • Max length of Text or Text Area in a Custom Setting is only 255 characters, so this can cover up to 16 IDs only.

3. Public Group
The ability to use Public Groups in a Validation Rule would be ideal, but this does not exist yet. There is an idea in IdeaExchange, "Allow use of Public Groups from Validation Rules", with 980 points right now.


4. Custom Permission
Compared to options 1 and 2, using a Custom Permission is the better option. Here are the steps to create a Custom Permission and use it in a Validation Rule.

i. Create Custom Permission
  • Setup | Develop | Custom Permissions
  • Click New button
  • Enter Label, Name and Description

ii. Create Permission Set
  • Setup | Manage Users | Permission Sets
  • Click New button
  • Enter Label, API Name, and Description
  • Click Save button
  • Click Custom Permissions link
  • Add the Custom Permission created in step i
  • Click Save button
  • Click Manage Assignments button
  • Click Add Assignments button, to add users
  • Select users as required
  • Click Assign button and Done

iii. Create Validation Rule
 AND(  
 $Profile.Name <> 'System Administrator',  
 NOT($Permission.Special_User),  
 OR(  
 ISPICKVAL(Type, "Customer"),  
 ISPICKVAL(PRIORVALUE(Type), "Customer")  
 ),  
 ISCHANGED(Name)  
 )  
Pros:
  • User management is controlled in the Permission Set
  • No limitation on number of users
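
Because the permission set now decides who may rename Customer accounts, it is worth reviewing who actually holds the permission. The following is an added example, not code from the original post: anonymous Apex that applies the SOQL lookup mentioned at the top (CustomPermission and SetupEntityAccess, plus PermissionSetAssignment to reach the users) to the Special_User permission from step iii. It assumes the permission's API name is Special_User, as in the rule above.

```apex
// Added example: list active users who hold a custom permission and how they got it.
String permName = 'Special_User'; // API name assumed from the validation rule on this page

// 1. Resolve the custom permission record(s) by API name.
Set<Id> permIds = new Map<Id, CustomPermission>(
    [SELECT Id FROM CustomPermission WHERE DeveloperName = :permName]
).keySet();

if (permIds.isEmpty()) {
    System.debug('No custom permission named ' + permName);
} else {
    // 2. Find every permission set that grants it. Profiles appear here too,
    //    because each profile is backed by a profile-owned permission set.
    Set<Id> grantingSets = new Set<Id>();
    for (SetupEntityAccess sea : [
            SELECT ParentId
            FROM SetupEntityAccess
            WHERE SetupEntityType = 'CustomPermission'
              AND SetupEntityId IN :permIds]) {
        grantingSets.add(sea.ParentId);
    }

    // 3. List the active users assigned to those permission sets.
    for (PermissionSetAssignment psa : [
            SELECT Assignee.Name, Assignee.Username,
                   PermissionSet.Label, PermissionSet.IsOwnedByProfile,
                   PermissionSet.Profile.Name
            FROM PermissionSetAssignment
            WHERE PermissionSetId IN :grantingSets
              AND Assignee.IsActive = true
            ORDER BY Assignee.Name]) {
        String via = psa.PermissionSet.IsOwnedByProfile
            ? 'profile ' + psa.PermissionSet.Profile.Name
            : 'permission set ' + psa.PermissionSet.Label;
        System.debug(psa.Assignee.Name + ' (' + psa.Assignee.Username + ') via ' + via);
    }
}
```

Users on the System Administrator profile also bypass the rule through the $Profile.Name check, so they will not necessarily appear in this list.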


Reference: Custom Permissions Overview