13 May 2013

Why 'Standard' Profile Permissions Can't Be Changed



I saw this question on the Salesforce StackExchange and thought it would be good to clarify why 'standard' profiles are immutable:
"Why does salesforce not allow us to change the permissions of standard profiles to standard objects? I know the workaround to use is to clone that standard profile into a custom one, but it seems like a pretty random limitation to impose."
Profiles are an extension of licensing in salesforce.com. Licenses enforce access and define the maximum allowed permissions for a user. Profiles are actually the glue that connects licenses and users together. Every time you create a user, you specify a license and then assign a profile from a picklist that only includes profiles that share the same license. Under the covers, a profile is actually the middle object between user and license.

Every time a license is added to an org, we automatically create one or more 'standard' profiles with immutable user and object permissions. You'll notice that other things on 'standard' profiles can be changed like assigned apps, tab settings, and record types.

A best practice for customers with the ability to create 'custom' profiles is to use these 'standard' profiles as templates in order to clone and create their own. In some editions where custom profiles are not allowed, assigning 'standard' profiles is the only way to provide access for users. Check out this blog posting to understand more about this best practice.

The 'standard' profiles are also considered managed just as components in an appexchange package are managed by an ISV (Independent Software Vendor). 'Custom' profiles, similar to any other customization in your org that you create, are considered not managed and have special rules that protect them from being changed during a release cycle.

From release to release, we may add an object or a new set of functionality that we want to license differently. A full CRM salesforce license may get access automatically to some new sales feature whereas the platform license may not.

When we upgrade our code during the release, we may allow and enable access to these objects and new features through object and user permissions on 'standard' profiles. But you'll notice that we almost never change your 'custom' profiles. This enables easier transition through our release process since you can choose whether to include access to these new objects or new features in your own 'custom' profiles.

Another reason why we will enable certain objects or user permissions in the 'standard' profiles is that they are used in group and professional editions where there is no ability to clone or customize a profile and you wouldn't get access to new features or objects unless we enabled permissions automatically on our 'standard' profiles.

There are many reasons why 'standard' profiles are immutable and I hope this blog posting helps illuminate why.

13 comments:

  1. Good information as usual (slowly making it through all your posts). I would like to point out one implication that we ran into when we turned on Chatter Plus. The "standard" profile that was created by support actually contained a random grouping of custom objects. I would really recommend having NO object cred on the Chatter Plus or Force.com one app licenses where the license is supposed to be limited to only certain object and/or a certain number of objects. This was problematic for our org because:
    -The custom objects added to the standard profile added up to 14 objects, leaving us out of compliance on that profile (license type is limited to 10) and no way to fix it.
    -Two of the objects had a dependency to Case (which isn't included at all in Chatter Plus), and therefore when we Cloned it, we couldn't make any changes to that profile until we fixed that dependency. Since you can't edit two object CREDs at once in the Enhanced Profile editor, had to revert back to the old version, remove the objects and then switch back. This took quite awhile to figure out.

    In general, we're moving to a model where the profile itself only has CRED on standard objects and all custom object cred is handled via permission sets, which really is a better way to do it and setting up those standard profiles with no custom object cred really makes the most sense as it forces you to go to the custom, which I believe is the goal anyway.

    ReplyDelete
    Replies
    1. Really good points! I've shared internally. Thanks for the feedback!

      Delete
  2. Hi - in our org, we would like to restrict group creation from any other users except System Administrator. But when users with the "Chatter User" profile are created by invitation - they are by default given the access to create new groups. Is there a way to go around this without having to create a custom profile?

    ReplyDelete
    Replies
    1. Hi Candy,

      Sorry for the delayed response. Unfortunately, we don't allow editing of standard profiles (currently). That may change in the future. Creating a custom profile is really a best practice. The only standard profile I ever recommend assigning is the System Administrator. Otherwise, the first thing I do with all profiles in a new org is create a custom clone of it so that I have full control of the permissions.

      Delete
  3. Getting below error while updating any profile in salesforce. Please help.


    Error: Invalid Data.
    Review all error messages below to correct your data.
    • Permission Create Invoices depends on permission(s): Read Orders
    • Permission Delete Invoices depends on permission(s): Read Orders
    • Permission Edit Invoices depends on permission(s): Read Orders
    • Permission Read Invoices depends on permission(s): Read Orders

    ReplyDelete
    Replies
    1. Hope you solved this by now but the short answer is that objects have dependencies between them and you must fulfill those dependencies before saving the profile. IN this case, you can't change the permissions because Read Orders is required.

      Delete
    2. This is an unfortunately common issue especially after turning on a new feature in SF or installing a package. In terms of how to fix it, you have to go into the OLD profile setup page (toggle this setting from User Interface in setup). That allows you to change multiple object permissions at once and then save. If you are using the new interface, it's impossible to fix as you can only set one object's permissions at a time.

      Delete
    3. Not entirely impossible: http://www.salesforcehacker.com/2013/01/mass-edit-profiles-using-enhanced.html?m=1

      Delete
  4. The issue where you have dependent permissions can't be solved with enhanced profile list views. They allow you to change many of the same permissions across profiles. What the issue described above involves is actually change many different OBJECT permissions at the same time on the same profile. In the Enhanced Profile List Views, each object permission is its own separate column requiring its own separate save. Oftentimes it is multiple sets of non-interrelated dependencies as well (e.g. 10 objects affected but really the issue is 4 specific object permissions that need to be removed simultaneously). Enhanced Profile List Views are also basically unusable in larger orgs as all you see is the "Search to refine criteria" error. Much faster and easier to go back to the old editor.

    ReplyDelete
  5. Existing without the answers to the difficulties you’ve sorted out through this guide is a critical case, as well as the kind which could have badly affected my entire career if I had not discovered your website.
    CRM with Invoicing

    ReplyDelete
  6. I really thank you for the valuable info on this great subject and look forward to more great posts UN38.3 standard

    ReplyDelete
  7. This comment has been removed by the author.

    ReplyDelete
  8. A Rutgers School of Business study published last year, however, suggests it might just be the British research that's all wet or at least bit damp. "People oftentimes cannot recall ads or they cannot connect an ad with the brand. Marketing communications can still have an impact even if people cannot recall certain elements of them. (tags: Cheap Real Yeezys, Discount Jordan Shoes Wholesale, Cheap Yeezys)

    Anyway, the bottom line that I came to in my reasoning is that when we store these types of data in subpages of a material article, that simple fact in some sense already says that it is a property of the material. And all indications were that if the scheme were to continue, it was going to get nothing but worse. The real problem with having all the data on a single template with a switch to give only the data called, is that the wiki "compiler" has to load the entire template every time you want even a small bit of info. (tags: Coach Outlet Store Online , Michael Kors Bags Sale, Coach Outlet Store, MK Outlet)

    "I have [and] I would suspect others have also,'' Scarnecchia said. "He definitely has the skills to play out there there's no doubt. He's long and he's big. Birmingham girl, 9, to be first double amputee child to walk runway at New York Fashion WeekDaisy May Demetre from Northfield, is 'living her best life' as she gets set to walk in an official New York Fashion Week show the first ever child with the disability to do soDouble amputee Daisy May Demetre walking at London Fashion WeekBut as proud dad Alex Demetre tells Birmingham Live, his brave daughter living her best life "I can take any credit for it."She owns who she is and she not afraid. I tell her are the amputee sensation of the world "She loving it, she modelled for Nike last week."The 36 year old Severn Trent Water worker says he made the bundle of energy a promise which drives him on.Incredible night at star studded Pride of Birmingham awardsDouble amputee Daisy May Demetre who has become a model wins Child of Courage award at Pride of Birmingham 2019"I promised her 18 months ago she would be the world most inspirational double amputee because she saved my life."He is referring to the dark days after his daughter was born where he hit rock bottom, drinking and even gambling away 70,000."It was traumatic when she was born", he explains."We knew from the pregnancy scans that there was something wrong and I turned to drink and gambling and thought of suicide." I couldn see a future for her.Daisy May Demetre and dad Alex"I was drinking until I blacked out and the gambling is escapism. I got to the point where I was 70,000 down (tags: Jordan Shoes For Sale Cheap, 2020 Jordan Release Dates, Ray Ban Sunglasses Outlet).

    ReplyDelete