Getting Salesforce Profiles Under Control

As a consultant, I’m often engaged in cleanup projects. One of the biggest areas of confusion seems to be around system security, especially when org wide defaults are not the default public read/write permissions. So how does one begin to clean up Salesforce profiles and get them under control? Here are some of the techniques I use to tackle this issue.

First lets cover a couple basics that I consider best practices:

• I do not use the out of the box profiles, except for the System Administrator profile. I recommend always creating and using custom profiles only. Maybe it’s just a simplicity thing for me but I like to open the profile page and quickly be able to identify what is mine verses what SF created. If it’s a Custom profile, I know its something I intentionally created.
• I also prefer a consistent naming convention; so find what makes sense for your org and stick with it. If you have existing profiles, you can edit their names to give you this consistency. Often what I use is the company’s name – position (or job role) the profile is typically used for. For example: “ABC Company – Sales” or “ABC Company – Marketing”. This allows for easy identification. In larger orgs, you might swap out the company name for a division or departmental name.
• Limit the number of profiles by leveraging Permission Sets. If I have a user that needs just a little extra permission from their peers, then extend their ability with a Permission Set and not a brand new Profile that is basically a copy of another.

So let look at some cleanup methods:

• One of my favorite tools is PermComparator. This tool is web-based and allows you to compare up to four profiles at a time. You’ll be able to see what settings are the same, which are unique and which are different between the select profiles. This tool also allows you to compare users and permission sets.
• If you’re a Force.com IDE user, you can compare profiles using this tool. The first step would be do download the Metadata Components for Profiles. Select two profiles you want to compare; you don’t need to open them, simply select them from the Project Explorer pane of the IDE. Right-click on one of the highlighted files and select Compare With | Each Other. This will open a side-by-side window that will highlight the differences.
  • You can also download a free tool called DiffMerge and use that to compare IDE metadata. I will use this tool a lot to find differences between two orgs, as well.
• The last recommendation I have for you is to create List Views on the Profile page. Within Salesforce, navigate to Setup | Manage Users | Profiles and press the Create New View link. Give the view a name and specify the Filter Criteria for the specific rights you’re looking for. Add the Columns to Display in the list view and save the view. When you run that view, you will see which profiles have the rights identified.
  • Even cooler, is I can select the checkboxes under the Action column, do an inline edit and modified that permission on all the checked profiles.
• You can also use your favorite SOQL query tool but honestly, unless you really like queries, the above options work pretty darn well.

There are a couple paid apps on AppExchange but I find that using one of more of the above provide pretty good insight into my profiles without a lot of expense. Hope this is helpful, and if you have any questions, comment below and I’ll be glad to help.