28 October 2013

A drag-and-drop tool for comparing profiles, permission sets, and users

Comparing profiles, permission sets, and users in an easy to use, intuitive, drag-and-drop user interface, is a difficult usability problem to solve. It's difficult because each user, permission set, and profile may have thousands if not millions of permissions associated with them. Therefore, when comparing users, profiles, and permission sets together, the number of questions you can ask are several orders of magnitude. Basically, instead of looking for a needle in a haystack, it's like comparing multiple haystacks looking for multiple needles of varying size, color, and material.

John Brock created such an app for a Dreamforce 2012 presentation. He set out to demonstrate what could be accomplished with the permission set and user API.  Built on Heroku and the Salesforce platform using OAuth2, ExtJS4, and Java with the Play! framework, the PermComparator, provides a simple drag-and-drop user interface that allows an administrator to drag and drop users, permission sets, and profiles into a series of columns to compare and contrast their individual settings.

With each user, permission set, or profile, the administrator can compare user, object, and setup entity access permissions through a series of collapsible, accordion style lists. Within each set of permissions, the administrator can compare common, unique, and differing permissions. The easiest way to understand how to use the PermComparator is through the concept of a Venn Diagram.

Assuming A, B, and C are any combination of users, profiles, and permission sets that an administrator would compare:

  • Common permissions (111) help answer the question, "How are these users, profiles, or permission sets the same as one another." This helps determine where there are redundant profiles or permission sets that could potentially be merged or deleted. This also helps when determining why one user has access that another doesn't. Since all comparisons share these permissions in common, these permission can be ruled out as creating the additional access.
  • Unique permissions (001, 100, 010) help answer the question, "What does this user, profile, or permission set have that none of other ones have." This can help troubleshoot why one user, profile, or permission set has access to something where none of the others do and is a likely candidate for determining what additional access has been granted.
  • Differing permissions are everything but what is common (100, 110, 010, 011, 001, 101 which is really everything in the diagram but 111). This matters most when you have more than two things you are comparing. Differing permissions answers the question, "What permissions are assigned and shared with some but not shared with everything being compared." This can help isolate potential differences which may result in discovering that a user should have a slightly different profile or permission set to get the job done. 

Recently, there was a lot of buzz in the Salesforce community about this tool. It was great to hear members of the community sing John Brock's praises for the PermComparator. He was called a 'crazy genius' whose tool was 'life changing'. One thing for sure, John solved a difficult problem and created an incredible visualization tool for understanding access controls in a complex system by making it drag-and-drop simple.

The PermComparator is open source and available on GitHub to be downloaded, forked, or contributed to should you need access to the actual source code.


  1. Hi Adam,

    Thank you for this post. Very helpful!! Just one thing, the app does not show the custom objects from my organization. Is there anything I'm missing?

    Thank you.
    Puneet Mehta

    1. Hi Puneet,

      I'm really curious about this. There's no reason why custom object permissions shouldn't show up when you drag and drop a user/profile/permission set unless there aren't any assigned already. Can you provide some more details so that we can reproduce what you're seeing? Thanks!

  2. HI Adam,
    Thanks for putting through this nice article. I observe lot of inconsistencies in using this app. Some times the drag of (Profile, User, Permission Set) doesn't do the pull and thus comparing becomes difficult. I have system administration profile and don't have any IP restrictions as well. Did you noticed any such inconsistency?

    1. hmmm, very strange. It shouldn't be a permission issue if you have access to view the profile, user, or permission set in the first place. Have you tried this experience in different browsers?

    2. I logged in with one of my sandboxes and nothing only header comes up like profile, permission set, and users but doesn't show up anything as data..could you guide what is wrong that am I doing?

    3. @unknown - can you provide me more information (NOT username/password please!!).

      Are you clicking the Login Sandbox blue button when you first login?
      Are you using the public herokuapp: http://perm-comparator.herokuapp.com

      are you able to access any of this data using the API natively using a tool like workbench? Thanks!


  3. No field settings, only objects. Not much help.

    1. Thanks for the feedback. What are you trying to do?

  4. My client is blocking the IP address for permcomparator, does anyone have it by chance?


Note: Only a member of this blog may post a comment.