04 February 2013

Remove Unused Profiles by Running User Reports



Few people I've spoken with realize that they are continuing to maintain profiles that aren't assigned to any users. As a result, everytime they create a field, record type, tab, app, page layout they are assigning controls to profiles that aren't being used by any users.

There's any number of reasons for this:

During the initial implementation, a decision was made to create profiles based on how the organization segments their business.  But not all of these profiles were ever used.

Active users were once assigned to the profiles but have since become inactive.  This could have happened when a division was let go.  It could also have happened when users were transferred to another group with different responsibilities. I can also happen when creating a lot of one-off profiles.

It's possible to report on profile assignments using user reports.  By running these reports, you can clean up un-used profiles that are assigned to inactive users.

HOW TO CONFIGURE

Under reports, create a new administrative > user report.

  •       Type of report: matrix
  •       Columns: Profile, Active
  •       Group by: Profile (Y-axis) and Active (X-axis)
  •       Summarize: Sum on Record Count
  •       View: All Users
  •       Duration: <No Dates>

Because the resulting report will only show profiles that are assigned, and it's possible to have more profiles than what have been assigned, it's a good idea to compare the count of profiles in the report to the count of profiles in the list view.  The difference will represent the number of profiles that are not assigned to active or inactive users.


Especially when used in conjunction with a governance policy for creating profiles, cleaning up unused profiles provides for an excellent way to keep profile proliferation to a minimum.

7 comments:

  1. Keep 'em coming Adam...we are starting the planning of an instance cleanup effort and I'm eager to use your tips.

    ReplyDelete
    Replies
    1. Thanks Tammy for adding your support!! I really appreciate knowing that people are reading and using these posts as they are intended. More posts on the way!! Stay tuned - same hacker channel, same hacker time.

      Delete
  2. Is there a SOQL query possible that would list all profiles without any active users?

    ReplyDelete
  3. Hi Rhonda, I copied and modified the following SOQL from the http://www.salesforcehacker.com/2013/02/soql-pinball-wizard-cleans-up.html post on salesforcehacker.com, changing isOwnedByProfile from false to true. Hope it helps

    Use case: I want to find all profiles that are only assigned to inactive users so that I can decide whether to unassign and delete:

    SELECT Name
    FROM PermissionSet
    WHERE IsOwnedByProfile = true
    And Id Not In (
    SELECT PermissionSetId
    FROM PermissionSetAssignment
    WHERE Assignee.IsActive = true
    )

    ReplyDelete
  4. I appreciate this tip! I am helping deep clean the instance I'm in. Thanks for the instructions and helpful blog overall!

    ReplyDelete
  5. I am trying to delete profiles that only have inactive users but I am receiving a message saying in order to delete the profile I need to unassign all users from the profile. I would like to know what is a best practice for inactive users. Should I create a Custom Profile for deactivated users?

    ReplyDelete
    Replies
    1. The best practice is to create one 'empty' profile with all permissions disabled and assign inactive users to it. This has a couple benefits. It enables you to delete unused profiles, rescuing administrative overhead. But it's also a safeguard. If a user is accidentally re-activated, they won't have access to anything until you reassign their profile.

      Delete