Sunday, November 4, 2018

Salesforce: easier way to see what is inside a Permission Set

When you enable a permission using a permission set or profile, Salesforce automatically enables the other permissions that permission requires. Salesforce tells you which permissions will be enabled alongside the one you chose; however, it does not tell you which further permissions will be enabled by those required permissions. Imagine this: to enable permission A, the system tells you that it will enable permission B as well. However, to enable permission B, it needs to enable permissions C and D, so you are not aware that C and D are actually enabled by the permission set.

For this example, I created a permission set to enable a permission called "Activate Contracts".


From the above screenshot, you can see that enabling Activate Contracts will enable Edit Order and Edit Contract, and nothing more than that. But let's check with Setup Audit Trail.


Let us see each line from the above audit trail screenshot:
5th - create the permission set
4th - enable read and edit for the Contract object; this makes sense, because to edit, the user needs to read
3rd - enable read for the Account object; this is because Contract record accessibility depends on Account
2nd - enable read and edit for the Order object; this makes sense, because to edit, the user needs to read
1st - enable the permission set

Because the permission set was just created, we can monitor it from the audit trail, but for existing permission sets, the history is no longer available after 6 months. So, you need to open each tab in the permission set - that's not ideal :(

Also, in a scenario where you have many admins and the documentation practice is not strong, some admins add permissions without the other admins' awareness, so you have no visibility into what is inside the permission set.


Is there an easy way to tell what is "inside" a permission set?
Yes, as an awesome Salesforce admin, you are supposed to fill in the "Description"; this will help you, or your successor, in the future. However, the Description can hold a maximum of only 255 characters.


Check with Metadata
Because all the extra permissions in the permission set are written as metadata, you can download the permission set metadata and "see" all permissions enabled for the permission set with a simple text editor.

Salesforce inspector comes to the rescue: it is pretty handy and nothing needs to be installed in your Salesforce org. Just follow these steps to download the permission set metadata into a zip file.

Salesforce inspector panel

select permissionsets and click Download metadata

wait for a few seconds to download the metadata

Extract the zip file; each permission set is stored as a file with the extension ".permissionset". Open the file with a text editor, such as Notepad++, and you now have full visibility into the content of that permission set: field permissions, object permissions, custom permissions, Apex classes, tab settings, Apex pages, user permissions, etc.

<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <fieldPermissions>
        <editable>true</editable>
        <field>Account.Acc_Percent__c</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Account.Active__c</field>
        <readable>true</readable>
    </fieldPermissions>
    <hasActivationRequired>false</hasActivationRequired>
    <label>Activate Contract 2</label>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Account</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contract</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Order</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ActivateContract</name>
    </userPermissions>
</PermissionSet>
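
The same review can be scripted instead of read by eye. The following is an added example, not part of the original post: it parses a .permissionset file with Python's standard library and reports only what is actually granted, then lists the objects that were never written down. The sample input is a constructed, trimmed copy of the file above, and summarize and undocumented_objects are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
OBJECT_FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")

# Constructed sample: a trimmed copy of the .permissionset file shown above.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <fieldPermissions><editable>false</editable><field>Account.Active__c</field><readable>true</readable></fieldPermissions>
    <label>Activate Contract 2</label>
    <objectPermissions><allowEdit>false</allowEdit><allowRead>true</allowRead><object>Account</object></objectPermissions>
    <objectPermissions><allowEdit>true</allowEdit><allowRead>true</allowRead><object>Contract</object></objectPermissions>
    <objectPermissions><allowEdit>true</allowEdit><allowRead>true</allowRead><object>Order</object></objectPermissions>
    <userPermissions><enabled>true</enabled><name>ActivateContract</name></userPermissions>
</PermissionSet>"""

def _is_true(node, tag):
    # A missing element counts as "not granted".
    return node.findtext(f"md:{tag}", default="", namespaces=NS).strip() == "true"

def summarize(xml_bytes):
    """Return only what the permission set actually grants."""
    root = ET.fromstring(xml_bytes)
    objects = {}
    for op in root.findall("md:objectPermissions", NS):
        granted = [f for f in OBJECT_FLAGS if _is_true(op, f)]
        if granted:
            objects[op.findtext("md:object", namespaces=NS)] = granted
    fields = {}
    for fp in root.findall("md:fieldPermissions", NS):
        access = [a for a in ("readable", "editable") if _is_true(fp, a)]
        if access:
            fields[fp.findtext("md:field", namespaces=NS)] = access
    user = sorted(up.findtext("md:name", namespaces=NS)
                  for up in root.findall("md:userPermissions", NS)
                  if _is_true(up, "enabled"))
    return {"label": root.findtext("md:label", namespaces=NS),
            "user": user, "objects": objects, "fields": fields}

def undocumented_objects(summary, documented):
    """Objects the set grants access to that are missing from the documented list."""
    return sorted(set(summary["objects"]) - set(documented))

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    # The UI only announced Edit Contract and Edit Order for Activate Contracts.
    print("not documented:", undocumented_objects(s, {"Contract", "Order"}))
```

Run over every file in the extracted zip, this gives a per-permission-set listing that can be diffed between downloads to spot permissions added without the other admins knowing.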


PermComparator
Another option is to use PermComparator; however, you need to switch between User Permissions, Object Permissions, and Setup Entity Permissions to see all the extra permissions added in the permission set.


However, from my experience, PermComparator does not list all permissions, probably because it has not been updated for a while; for example: Allow View Knowledge, Subscribe to Reports.