17 January 2013

Comparing Profiles and Permission Sets

I get this question quite a bit and I wish there was an 'easy' button to push that could give you the information you're looking for.

The reality is that the concept of 'easy' doesn't scale nearly as well as a user's profile or permission set.

Take an org with 100 custom objects, each object with approximately 50 fields. Add on average 2 page layouts per object with a record type apiece. Include 10 apps, 100 Apex classes and 100 Visualforce pages. For any given profile or permission set, that means there are 11,000 permissions that can be configured ((100*6) + (100*50*2) + (100*2) + (200)) with an almost infinite number of possible combinations.

And that's not even everything that a profile can contain! Add to that 10 profiles you want to combine and compare across 100 users with 20 add-on permission sets and you have a proverbial needle in the haystack.

So when it comes to administering profiles and permission sets, it's really about finding the right tool for the job. There are many tools available to manage these profiles and permission sets, but no single tool I would recommend because every tool begins with a fundamental question, "what do I want to know" or "what do I want to do"?

Examples of questions I frequently hear include:

  1. Who has Modify All Data?
  2. Does Sam Bradley have the right to click on this tab or view that Visualforce page?
  3. What's different between Sam Bradley and Mike Liescher?
  4. What's different between the Standard User and the Basic profiles?
  5. What's different between the PTO Manager and PTO Administrator permission sets?
  6. How can I assign this permission set to 100 new users?
  7. How can I remove the Modify All Data permission from any users who have the Basic profile or have North American Managers in their title?
  8. How can I automate the assignment of the API Enabled permission set anytime a user becomes a manager and remove it if it no longer applies?
  9. How can I disable the View All Data permission from all profiles, add it to a single permission set, and assign it to all users who originally had the profile with the permission?
  10. How can I organize my permission sets the same way I organize my business or distribute apps to people?

Each question maps to a specific task that I am performing as an administrator. Now combine each task with the concept that each user, profile, and permission set can contain an infinite number of permission and settings combinations and you have the need to find the right tool for the right job to answer the right question. And each task may map to a different tool or API that can be used to answer it.

There are some great resources to help answer specific questions. For instance:

I did a great Dreamforce 2012 session with Sherrie Smith from Paychex Inc where we outlined some techniques for comparing and managing profiles: http://www.youtube.com/watch?v=LcqS1KvMvK8

I did another great Dreamforce 2012 session with some of my team members and partners where we dug into some of the great tools you can build on top of our API: http://www.youtube.com/watch?v=cUQem7yvL6Q

One of those tools included a graphical interface for comparing users, profiles, and permission sets but looking specifically at their user permissions: https://perm-comparator.herokuapp.com by John Brock

Check out: Using SOQL to determine your Force.com user's permissions ( http://blogs.developerforce.com/engineering/2012/06/using-soql-to-determine-your-users-permissions-2.html )

Probably the best tool for a more extensive comparison of profiles is the Force.com IDE native compare ( http://wiki.developerforce.com/page/Force.com_IDE ). Mike Chale's comment about using the ANT Migration Tool is another manifestation of this.

There are some other great open resources that take the MdAPI XML and parse it to show differences, like Quick Diff ( http://www.quickdiff.com ) or Model Metrics' DiffDog: Setting up and using DiffDog for Salesforce.com ( http://www.modelmetrics.com/tomgersic/setting-up-and-using-diffdog-for-salesforce-com-deployment-validation/ )
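To show what such an MdAPI XML comparison does under the hood, here is an added example (not code from this post or from any of the tools named above) that flattens two retrieved Profile or PermissionSet files into individual permission flags and reports only the flags that differ. The sample XML is constructed, and the `PTO__c` object and `PtoController` class are made-up names.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"
# Child element that names what each permission section applies to.
KEY_FIELD = {"userPermissions": "name", "objectPermissions": "object",
             "fieldPermissions": "field", "classAccesses": "apexClass",
             "pageAccesses": "apexPage"}

def flatten(xml_text):
    """Return {(section, target, flag): bool} for one Profile or PermissionSet."""
    perms = {}
    for node in ET.fromstring(xml_text):
        section = node.tag.replace(NS, "")
        if section not in KEY_FIELD:
            continue  # layouts, record types, etc. are out of scope here
        values = {c.tag.replace(NS, ""): (c.text or "").strip() for c in node}
        target = values.pop(KEY_FIELD[section])
        for flag, value in values.items():
            perms[(section, target, flag)] = value == "true"
    return perms

def diff(left_xml, right_xml):
    """Rows of (section, target, flag, left, right) where the sides differ.
    A permission missing from one file is treated as not granted."""
    left, right = flatten(left_xml), flatten(right_xml)
    rows = []
    for key in sorted(set(left) | set(right)):
        lv, rv = left.get(key, False), right.get(key, False)
        if lv != rv:
            rows.append(key + (lv, rv))
    return rows

# Constructed sample metadata (not from a real org); names are made up.
STANDARD_USER = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
  <objectPermissions><allowRead>true</allowRead><allowEdit>true</allowEdit><object>PTO__c</object></objectPermissions>
</Profile>"""
BASIC = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ModifyAllData</name></userPermissions>
  <objectPermissions><allowRead>true</allowRead><allowEdit>false</allowEdit><object>PTO__c</object></objectPermissions>
  <classAccesses><apexClass>PtoController</apexClass><enabled>true</enabled></classAccesses>
</Profile>"""

if __name__ == "__main__":
    for row in diff(STANDARD_USER, BASIC):
        print(row)
```

Retrieved profile XML only describes the components that were part of the same retrieve, so pull both sides with the same package manifest before comparing them.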

There are also some great AppExchange Packages including:

The Permissioner by Arkus: ( https://sites.secure.force.com/appexchange/listingDetail?listingId=a0N30000008XYMlEAO )

Snapshot by Dreamfactory: ( https://sites.secure.force.com/appexchange/listingDetail?listingId=a0N300000016cejEAA# )

The key part here really is identifying what you want to compare and why. The why part is pretty important since once you know how profiles are different, you'll want to do something with that information.

Hope this helps some! Give a shout if you want some help with it.


  1. Adam, wonderfully useful information in this blog! FYI - your first two YouTube video links are the same...

  2. @Jeff Rogers - thanks for the catch! Just fixed it. Appreciate the feedback!!!

  3. @Adam - the App Exchange links need updating

  4. You should consider adding Security Zen to the list of solutions. It is on the App Exchange, the free version compares both profiles and permission sets both within and between environments. The paid version also allows you to deploy security changes.

