It turns out that it allows a user to do a lot of things and should only be given to a select few users in any org.
If a subset of rights is needed to manage users but not manage Profiles or Sharing, check out the Delegated Administration feature.
Manage Users allows you to do the following:
- Profiles
- Manage Profiles (more detail below)
- Assign Profiles
- View Field Accessibility
- Sharing
- Manage User Roles
- Manage Forecast Roles
- Assign Roles
- Manage Public Groups
- Manage ALL Personal Groups
- Assign Public Groups
- Manage Queues
- Assign Queues
- Manage Territories
- Manage Sharing Settings
- Recalc Sharing Rules
- Manage Dimension Categories
- Manage Sales Teams
- Manage Account Teams
- User Management
- Create/Edit Internal User and have access to all User fields
- Manage Hierarchical User Fields
- Assign License
- Activate User
- Expire All Passwords
- Set Org Password Policies
- Reset User Password
- Reset Username
- Reset Email
- Assign Mobile Configuration
- Assign Workflow Manager Field
- Manage a User's Divisions
- Manage a User's OAuth
- View Login Histor
- View Training History
- Delegated Portal Administration
- Create/Edit Portal User
- Edit Self-Service User
- Other Permissions
- Manage Opportunity Update Reminders
- Activate Opportunity Update Reminders
- Manage SAML Subject
The rights to manage a profile is more complex than what is required for most setup objects. Because of the various relationships between setup components and a profile, (objects, fields, layouts, apex, etc...) there are multiple permissions that govern access to manage *all* aspects of the profile but in reality, there are specific permissions to manage different controls within a profile. To be safe, an Admin with both Customize Application and Manage Users can manage all aspects of a profile. However, if a user only has Manage Users, they can
clone/delete a profile *or* change any of the following:
- Properties (Description/Name)
- Page Layouts
- Record Types
- Tab Settings
- Assigned Apps
- User Permissions
- Desktop Client Access
- Login Hours
- Apex Class Access
- Visualforce Page Access
If a user has both Manage Users and Customize Application, in addition to everything above, they can change the following:
- Object Permissions
- Field Permissions
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.