Comparing profiles, permission sets, and users in an easy-to-use, intuitive, drag-and-drop user interface is a difficult usability problem to solve. It's difficult because each user, permission set, and profile may have thousands if not millions of permissions associated with them. Therefore, when comparing users, profiles, and permission sets together, the number of questions you can ask is several orders of magnitude larger. Basically, instead of looking for a needle in a haystack, it's like comparing multiple haystacks looking for multiple needles of varying size, color, and material.
John Brock created such an app for a Dreamforce 2012 presentation. He set out to demonstrate what could be accomplished with the permission set and user API. Built on Heroku and the Salesforce platform using OAuth2, ExtJS4, and Java with the Play! framework, the PermComparator provides a simple drag-and-drop user interface that allows an administrator to drag and drop users, permission sets, and profiles into a series of columns to compare and contrast their individual settings.
With each user, permission set, or profile, the administrator can compare user, object, and setup entity access permissions through a series of collapsible, accordion-style lists. Within each set of permissions, the administrator can compare common, unique, and differing permissions. The easiest way to understand how to use the PermComparator is through the concept of a Venn diagram.
Assuming A, B, and C are any combination of users, profiles, and permission sets that an administrator would compare:
- Common permissions (111) help answer the question, "How are these users, profiles, or permission sets the same as one another?" This helps determine where there are redundant profiles or permission sets that could potentially be merged or deleted. This also helps when determining why one user has access that another doesn't. Since everything being compared shares these permissions, they can be ruled out as the source of the additional access.
- Unique permissions (001, 100, 010) help answer the question, "What does this user, profile, or permission set have that none of the other ones have?" This can help troubleshoot why one user, profile, or permission set has access to something where none of the others do, and these permissions are likely candidates for determining what additional access has been granted.
- Differing permissions are everything but what is common (100, 110, 010, 011, 001, 101, which is really everything in the diagram but 111). This matters most when you have more than two things you are comparing. Differing permissions answer the question, "What permissions are assigned and shared with some but not shared with everything being compared?" This can help isolate potential differences, which may result in discovering that a user should have a slightly different profile or permission set to get the job done.
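The three categories above reduce to a membership mask per permission. The following is an added example, not code from the PermComparator; the function name, the mask convention (leftmost bit is the first subject, so `110` means A and B but not C), and the permission labels are assumptions made for illustration.

```javascript
// Added example: classify permissions by Venn region for N compared subjects.
// Assumed mask convention: one bit per subject, leftmost bit = first subject,
// so with [A, B, C] the mask "110" means "A and B have it, C does not".
function classifyPermissions(subjects) {
  const masks = new Map(); // permission -> array of 0/1 flags, one per subject
  subjects.forEach((subject, i) => {
    for (const perm of new Set(subject.permissions)) {
      if (!masks.has(perm)) masks.set(perm, new Array(subjects.length).fill(0));
      masks.get(perm)[i] = 1;
    }
  });

  const result = { common: [], unique: {}, differing: [], byMask: {} };
  for (const s of subjects) result.unique[s.name] = [];

  for (const perm of [...masks.keys()].sort()) {
    const bits = masks.get(perm);
    const mask = bits.join("");
    const holders = bits.reduce((n, b) => n + b, 0);
    if (!result.byMask[mask]) result.byMask[mask] = [];
    result.byMask[mask].push(perm);

    if (holders === subjects.length) {
      result.common.push(perm); // region 111: held by everything compared
      continue;
    }
    result.differing.push(perm); // every region except 111
    if (holders === 1) {
      // regions 100, 010, 001: exactly one subject holds the permission
      result.unique[subjects[bits.indexOf(1)].name].push(perm);
    }
  }
  return result;
}

// Constructed sample data: three subjects with made-up permission labels.
const sample = [
  { name: "A", permissions: ["Account:read", "Account:edit", "Case:read", "Api:enabled"] },
  { name: "B", permissions: ["Account:read", "Case:read", "Report:run"] },
  { name: "C", permissions: ["Account:read", "Report:run", "Setup:view"] },
];
console.log(JSON.stringify(classifyPermissions(sample), null, 2));
```

When one user has access the others lack, the `unique` entry for that user is the first place to look; `byMask` shows the partially shared regions (`110`, `011`, `101`) that only appear when more than two subjects are compared.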
Recently, there was a lot of buzz in the Salesforce community about this tool. It was great to hear members of the community sing John Brock's praises for the PermComparator. He was called a 'crazy genius' whose tool was 'life changing'. One thing is for sure: John solved a difficult problem and created an incredible visualization tool for understanding access controls in a complex system by making it drag-and-drop simple.
The PermComparator is open source and available on GitHub to be downloaded, forked, or contributed to should you need access to the actual source code.