12 May 2014

How to get a list of permissions for your organization

I see this question on discussion boards and forums often:

"why doesn't salesforce publish a list of permissions available in my organization?"

The simple answer is because permissions are far more dynamic than what a static list defined in the documentation can enumerate.

User permissions like 'New Report Builder' are dependent on specific organization configurations called organization permissions and organization preferences.

Organization permissions are controlled by salesforce support and organization preferences are controlled by organization administrators. That way, features can be enabled selectively in an organization based on paying for it or requesting it from support but administrators often have the ultimate control to determine whether or not to actually use that feature by going into setup and enabling the preference. This makes introducing new functionality dependent on the administrator's release schedule rather than salesforce.com's upgrade schedule.

All this means is that permissions are dynamic based on what the organization has enabled. By going to a profile or permission set in the setup user interface,  you can see what permissions are assignable to users. However, you can also use the API to generate a list of permissions on the profile or permission sets. It won't include 100% of permissions, but it will include most of them.

On the profile and permissionset subjects is a series of fields that are prefixed with the word, 'Permissions.' For instance, 'PermissionsCustomizeApplication' is the 'Customize Application' permission found on your profile or permission sets.

Some permissions are fairly straight forward like PermissionsModifyAllData. Others take some thought like PermissionsInstallMultiforce which actually grants the access to download AppExchange Packages.

Using a tool like workbench can help you understand which permissions are available in your organization. Just go to Info > Standard & Custom Objects > Choose 'Profile' or 'Permission Set'.

We've heard that administrators and developers want more of these user permissions exposed to the API. With the Spring '14 release, we added the following permissions to version 30.0 of the API:

  • PermissionsAllowEmailIC
  • PermissionsAssignTopics
  • PermissionsChatterInternalUser
  • PermissionsChatterInviteExternalUsers
  • PermissionsChatterOwnGroups
  • PermissionsContentAdministrator
  • PermissionsContentHubUser
  • PermissionsCreateTopics
  • PermissionsCreateWorkspaces
  • PermissionsDeleteTopics
  • PermissionsEditTopics
  • PermissionsEnforceMutualAuthentication
  • PermissionsForceTwoFactor
  • PermissionsHasFileSync
  • PermissionsIdentityEnabled
  • PermissionsIsSsoEnabled
  • PermissionsManageContentPermissions
  • PermissionsManageContentProperties
  • PermissionsManageContentTypes
  • PermissionsManageNetworks
  • PermissionsManageRealm
  • PermissionsModerateChatter
  • PermissionsModerateNetworkFeeds
  • PermissionsModerateNetworkFiles
  • PermissionsTwoFactorApi
  • PermissionsViewContent
  • PermissionsViewGlobalHeader

There are more to add. Until then, continue to use tools like workbench or describeSObject('Profile') in your code to easily find out what permissions are available to you in your organization.

No comments:

Post a Comment