25 January 2013

Delegating Modify All Data


Yesterday's post on what Modify All Data can actually do generated a brief, but important, twitter thread with Andy Ognenoff (@aognenoff) and Matt Brown (@mattybme) that I'd like to talk about today.

I spend more time talking through Modify All Data than any of the other one hundred thirty some odd user permissions. Yesterday's blog was meant to highlight all of the ways it's overloaded to provide access to data and other things.

An even better way to think of it is that Modify All Data equal System Administrator. While that's not 100% true, it's the way people often think of it. As a result, it now means access to all data, as well as the ability to migrate metadata, create sandboxes, and write apex code. And that's not even all of the permissions that are required when you enable Modify All Data like View Setup and Configuration. In other words, it really means more than it probably should.

There is some hope here. We created a set of object permissions a long time ago called Modify All and View All records. Interestingly enough, these permissions were the original intent of Modify All Data in that all they are really designed to do is ignore sharing for that object - nice and simple. There are some other behaviors tied to these permissions like the ability to unlock records locked due to a workflow approval, but for the most part they were designed to offload some of the need for administrators to assign Modify All Data. For instance, rather than assign Modify All Data to grant access to all Accounts and Contacts, just grant Modify All on Accounts and Contacts.

Another example that comes up a lot with customers I talk with is login-as. Modify All Data is only one way to login-as another user, another is to use Delegated Administration which allows a user with only View Setup and Configuration permission who is assigned to a Delegated Administration group to login as a user in a specific branch of the role hierarchy.

We have discussed all of the other permissions we need to create to provide alternatives to granting Modify All Data and here is where you can help. If you have suggestions of what's most important to you, please let us know, whether its through a comment on this blog, on twitter with the #askforce or #salesforce hash tag, or by participating on the ideaexchange. Your needs will help us prioritize which portions are more important than others. Andy gave me a great example with dashboard management - what's yours?

1 comment:



  1. Nhạc Thành nhìn thấy sắc mặt của mọi người thì móc ra hơn mười viên đan dược tam phẩm.

    - Ta đã đi theo Nhạc Thành sư huynh thì về sau cũng không sợ những học viên cũ kia khi dễ.

    Một thanh sađồng tâm
    game mu
    cho thuê phòng trọ
    cho thuê phòng trọ
    nhac san cuc manh
    tư vấn pháp luật qua điện thoại
    văn phòng luật
    số điện thoại tư vấn luật
    dịch vụ thành lập doanh nghiệpm thanh niên tiến lên nói, sau đó hắn cầm lấy một viên đan dược không hề dơ dự nhét vào miệng.

    - Ngươi tên là gì?

    Nhạc Thành đối với thanh sam thanh niên này cũng hơi ấn tượng.

    - Nhạc Thành sư huynh, ta tên là Quách Dương.

    Thanh sam thanh niên cất tiếng nói.

    - Ta cũng đi theo Nhạc Thành sư huynh.

    Nhìn thấy Quách Dương nuốt đan dược, một số người cũng cầm đan dược nhét vào miệng.

    ReplyDelete