25 January 2013

Delegating Modify All Data

Yesterday's post on what Modify All Data can actually do generated a brief, but important, twitter thread with Andy Ognenoff (@aognenoff) and Matt Brown (@mattybme) that I'd like to talk about today.

I spend more time talking through Modify All Data than any of the other one hundred thirty some odd user permissions. Yesterday's blog was meant to highlight all of the ways it's overloaded to provide access to data and other things.

An even better way to think of it is that Modify All Data equal System Administrator. While that's not 100% true, it's the way people often think of it. As a result, it now means access to all data, as well as the ability to migrate metadata, create sandboxes, and write apex code. And that's not even all of the permissions that are required when you enable Modify All Data like View Setup and Configuration. In other words, it really means more than it probably should.

There is some hope here. We created a set of object permissions a long time ago called Modify All and View All records. Interestingly enough, these permissions were the original intent of Modify All Data in that all they are really designed to do is ignore sharing for that object - nice and simple. There are some other behaviors tied to these permissions like the ability to unlock records locked due to a workflow approval, but for the most part they were designed to offload some of the need for administrators to assign Modify All Data. For instance, rather than assign Modify All Data to grant access to all Accounts and Contacts, just grant Modify All on Accounts and Contacts.

Another example that comes up a lot with customers I talk with is login-as. Modify All Data is only one way to login-as another user, another is to use Delegated Administration which allows a user with only View Setup and Configuration permission who is assigned to a Delegated Administration group to login as a user in a specific branch of the role hierarchy.

We have discussed all of the other permissions we need to create to provide alternatives to granting Modify All Data and here is where you can help. If you have suggestions of what's most important to you, please let us know, whether its through a comment on this blog, on twitter with the #askforce or #salesforce hash tag, or by participating on the ideaexchange. Your needs will help us prioritize which portions are more important than others. Andy gave me a great example with dashboard management - what's yours?

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.