28 January 2013

What can Manage Users Permission do?

I had a question come up regarding what the Manage Users permission on a profile actually enables a user to do.

It turns out that it allows a user to do a lot of things and should only be given to a select few users in any org.

If a subset of rights is needed to manage users but not manage Profiles or Sharing, check out the Delegated Administration feature.

Manage Users allows you to do the following:

  • Profiles
      • Manage Profiles (more detail below)
      • Assign Profiles
      • View Field Accessibility
  • Sharing
      • Manage User Roles
      • Manage Forecast Roles
      • Assign Roles
      • Manage Public Groups
      • Manage ALL Personal Groups
      • Assign Public Groups
      • Manage Queues
      • Assign Queues
      • Manage Territories
      • Manage Sharing Settings
      • Recalc Sharing Rules
      • Manage Dimension Categories
      • Manage Sales Teams
      • Manage Account Teams
  • User Management
      • Create/Edit Internal User and have access to all User fields
      • Manage Hierarchical User Fields
      • Assign License
      • Activate User
      • Expire All Passwords
      • Set Org Password Policies
      • Reset User Password
      • Reset Username
      • Reset Email
      • Assign Mobile Configuration
      • Assign Workflow Manager Field
      • Manage a User's Divisions
      • Manage a User's OAuth
      • View Login History
      • View Training History
  • Delegated Portal Administration
      • Create/Edit Portal User
      • Edit Self-Service User
  • Other Permissions
      • Manage Opportunity Update Reminders
      • Activate Opportunity Update Reminders
      • Manage SAML Subject


The rights to manage a profile are more complex than those required for most setup objects. Because of the various relationships between setup components and a profile (objects, fields, layouts, Apex, etc.), multiple permissions together govern access to manage *all* aspects of the profile; in practice, specific permissions manage different controls within a profile. To be safe, an Admin with both Customize Application and Manage Users can manage all aspects of a profile. However, if a user only has Manage Users, they can clone/delete a profile *or* change any of the following:

  • Properties (Description/Name)
  • Page Layouts
  • Record Types
  • Tab Settings
  • Assigned Apps
  • User Permissions
  • Desktop Client Access
  • Login Hours
  • Apex Class Access
  • Visualforce Page Access

If a user has both Manage Users and Customize Application, in addition to everything above, they can change the following:

  • Object Permissions
  • Field Permissions


