05 August 2013

Reduce Users with Too Many Administrative Rights

Giving out Modify All Data, Customize App, or Manage Users to other users is like giving the ultimate power in the salesforce.com universe.  And with total power comes... a lot of risk.

Ultimately, as organizations segment and divide into multiple organizations housed in a single org, the need to grant more delegated administrative rights grows exponentially.

There are options that you can explore:

  1. Modify All Records or View All Records instead of Modify All Data or View All Data
  2. Sharing instead of Modify All Data or View All Data
  3. Delegated Administration instead of Manage Users for specific roles or Customize Application for Custom Objects

The best way to proceed is to take away any of these administrative permissions from your users and let them try to perform their daily tasks.  You will quickly find where these permissions were needed and where you can compensate by providing alternative permissions or configurations.

For instance, one customer I worked with recently removed Modify All Data from a group of delegated admins.

One issue that came up was the need to use the data loader.  They solved this by downloading the client to a shared directory.

Another instance came up where delegated administrators needed to login as end-users; however, these admins could not have the Manage Users permission.  Using Delegated Administration groups, these admins were able to login and manage users for a role and the role's subordinates without requiring Manage Users (only View Setup and Configuration was required).

Ultimately, some tasks must still be performed by a System Administrator, but at least you can begin to whittle down the number of administrators who have too much access.


  1. Okay, I'm late to the party, but the data loader issue is one I've been trying to find a workaround for for years (there are some 3rd party tools, but they're buggy and require you uploading your data into them, which raises security issues).

    So if user can access the APEX data loader through a shared directory (i.e. don't need to access the internal parts of Salesforce to download it), they can then log into it directly and use it with their standard credentials without having Mod All?

    What kind of permissions does that require? (I assume Mod All on the particular object? Or can any user do this without any particular permissions?)

    1. API Enabled is all that's required to access the API. From there it follows the standard permission model - to query accounts you need read on accounts, to insert an account you need create on accounts, etc...


Note: Only a member of this blog may post a comment.