Wednesday, October 26, 2011

Salesforce Permission Sets Are Great!

How many times have you had a requirement that applied to everyone with a particular profile except maybe one or two people? For example, you have a sales team profile that fits most people, but one power user needs access to a power-user-only field. Prior to permission sets, you'd need to keep two different profiles tied to two different page layouts to hide one field. With permission sets, you can make the special field available to individual users and keep one layout and one profile.

Here's how you'd build this:
1. Create your new custom field
2. Do not grant Read or Edit access to the field on any profile
3. Add the field to your page layout
4. Create a new permission set
5. Choose Object and Field Permissions
6. Find your Object and Field and set Read/Edit access to TRUE for your field
7. Assign the permission set to your power user
8. Enjoy!

One thing to keep in mind is that permission sets are additive: they grant access on top of what the profile already allows and cannot take access away. That makes them a great way to extend your base functionality for special users.

Thursday, October 20, 2011

Sharing and Profile View All setting

I was trying to determine through trial and error how a user had access to a particular Salesforce account record. Our org-wide defaults are Private for Accounts and yet when logging in as this user I was able to see the account record. I removed each sharing rule, one-by-one, in my sandbox, and tried to see if this user still had access to the account record. To my surprise, after all sharing rules were removed, I was still able to see the account record as this user. When I opened up Apex Explorer and looked at the AccountShare for this account record, I saw only one rule and it was specific to the owner. While researching this issue, I came across a footnote in some documentation that indicated that the View All permission on the standard objects will override the org-wide default and any sharing! If this is checked, it means that sharing is ignored. Once I unchecked this setting on the user's profile, the account was not visible to the user.



For future reference, here is additional info on the topic from Salesforce's online help:



It's not obvious because no AccountShare record is created and, although I could be wrong, I do not believe it is displayed in any logging. Won't soon forget this one.
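
One way to find who is affected by the View All override described in this post, as an added example that is not part of the original post: an Anonymous Apex script that lists active users holding View All or Modify All on Account through a profile or permission set. It assumes an API version that exposes the ObjectPermissions object; the variable names are illustrative.

```apex
// Added example: run as Anonymous Apex (Developer Console > Execute Anonymous).
// Lists every active user whose profile or permission sets grant View All or
// Modify All on an object, i.e. users for whom that object's sharing model
// (org-wide default, sharing rules, share rows) is not enforced.

String objectName = 'Account'; // assumption: the object under review

// 1. Find the profiles and permission sets that carry the override.
//    A profile's permissions are stored in a PermissionSet row with
//    IsOwnedByProfile = true, so one query covers both sources.
Map<Id, ObjectPermissions> grants = new Map<Id, ObjectPermissions>();
for (ObjectPermissions op : [
        SELECT ParentId, Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name,
               PermissionsViewAllRecords, PermissionsModifyAllRecords
        FROM ObjectPermissions
        WHERE SobjectType = :objectName
          AND (PermissionsViewAllRecords = true
               OR PermissionsModifyAllRecords = true)]) {
    grants.put(op.ParentId, op);
}

// 2. Resolve those grants to the active users who hold them.
//    Every user has an assignment to the permission set owned by their profile,
//    so profile-based grants appear here as well.
for (PermissionSetAssignment psa : [
        SELECT Assignee.Username, PermissionSetId
        FROM PermissionSetAssignment
        WHERE PermissionSetId IN :grants.keySet()
          AND Assignee.IsActive = true
        ORDER BY Assignee.Username]) {
    ObjectPermissions op = grants.get(psa.PermissionSetId);
    String source = op.Parent.IsOwnedByProfile
        ? 'profile "' + op.Parent.Profile.Name + '"'
        : 'permission set "' + op.Parent.Name + '"';
    String level = op.PermissionsModifyAllRecords ? 'Modify All' : 'View All';
    System.debug(psa.Assignee.Username + ': ' + level + ' on ' + objectName
                 + ' via ' + source);
}
```

The system permissions View All Data and Modify All Data have the same effect across all objects and are not covered by this query.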