25 March 2013

How Not To Give Out Modify All Data

Have you ever given Modify All Data to a user but didn't really want to?

If so, you're not alone. There are several permissions that may be used to define an administrator. Modify All Data is the single best way to do it - it gives the user full access to all org data and about thirty other magical powers that clear their path to getting their job done. It is the ultimate power in the permission universe. After all, isn't that what it's really about, making it easy for a user to do their job? Maybe it is, but wouldn't it be great if you didn't have to give out full access to everything just to allow a user to download the data loader or empty the recycle bin?

It is possible to wean your users off their addiction to Modify All Data. The key to properly enabling your users is to begin identifying the tasks that they perform that might require a permission like Modify All Data. In some cases, those tasks are fairly straightforward and can be remedied. For instance, I used to hear a great deal that Modify All Data had to be given out in order for someone to manage all of the data related to a custom object. It didn't make much sense to hand out a bazooka to do a fly swatter's job, so we created the Modify All object permissions. Now a user may be granted Modify All records instead of Modify All Data in order to manage the data related to that one object and business process. This is an example of an easy decision to make.

But there are some requirements in the system such as the requirement for the automated case creator user to have Modify All Data. This isn't something that is easily remedied. 

And then there are some tasks that really can be remedied through creative solutions and features that you may have long forgotten about from the ADM 201 Admin training you took four years ago. For instance, the ability to Login-As is granted for all users with Modify All Data. But if your requirement is to enable users to Login-As a group of users, you can use the Delegated Administration feature found under Setup | Administration Setup | Security Controls | Delegated Administration to create a group and assign them Login-As rights over the users in a role and/or its subordinate roles. In this case, all that would be required of the user is to have View Setup and Configuration.
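Before swapping permissions, it helps to see who holds Modify All Data today and where object-level Modify All is already granted. The anonymous Apex below is an added example, not code from the original post; the variable names are illustrative, and it assumes the running user can query PermissionSetAssignment and ObjectPermissions.

```apex
// Added example; run in Execute Anonymous. Variable names are illustrative.
// 1) Active users holding Modify All Data, grouped by the profile or
//    permission set that grants it. Profile grants appear here too, because
//    each profile is backed by a PermissionSet with IsOwnedByProfile = true.
Map<String, Set<String>> usersByGrant = new Map<String, Set<String>>();
for (PermissionSetAssignment psa : [
        SELECT Assignee.Username, PermissionSet.Label,
               PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name
        FROM PermissionSetAssignment
        WHERE PermissionSet.PermissionsModifyAllData = true
          AND Assignee.IsActive = true]) {
    String grantSource = psa.PermissionSet.IsOwnedByProfile
        ? 'Profile: ' + psa.PermissionSet.Profile.Name
        : 'Permission set: ' + psa.PermissionSet.Label;
    if (!usersByGrant.containsKey(grantSource)) {
        usersByGrant.put(grantSource, new Set<String>());
    }
    usersByGrant.get(grantSource).add(psa.Assignee.Username);
}
for (String grantSource : usersByGrant.keySet()) {
    List<String> names = new List<String>(usersByGrant.get(grantSource));
    System.debug(grantSource + ' -> ' + names.size() + ' user(s): '
        + String.join(names, ', '));
}

// 2) Objects where the narrower object-level Modify All is already granted,
//    and by which profile or permission set.
for (ObjectPermissions op : [
        SELECT SobjectType, Parent.Label,
               Parent.IsOwnedByProfile, Parent.Profile.Name
        FROM ObjectPermissions
        WHERE PermissionsModifyAllRecords = true
        ORDER BY SobjectType]) {
    String grantedBy = op.Parent.IsOwnedByProfile
        ? 'Profile: ' + op.Parent.Profile.Name
        : 'Permission set: ' + op.Parent.Label;
    System.debug(op.SobjectType + ' Modify All <- ' + grantedBy);
}
```

Users who appear in the first list only to manage one object's data are the candidates for the object-level grant shown in the second.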

In this post, we looked at a couple of specific examples of how to remove Modify All Data from users who don't need it by giving them an alternative permission. In future posts, we'll continue to examine creative ways to enable users with only the tasks they need to do rather than give them the easy way out by giving them the reins to the Death Star.

2 comments:

  1. One thing I've learned this feature does NOT do, is override the field level Read Only settings in the profile. If the profile has a field flagged as Read Only, Modify All Data does not let you write to that field.
  2. There needs to be a Modify All permission for reports! The only way to currently allow users to unschedule their own reports is to give them Modify All Data, which is insane. In fact, users should be able to unschedule reports that they created and own as defaults (we need to track not just report creators but owners!).
