Tuesday, September 7, 2021

Profile and Permission Set Helper (2)

Almost 3 years ago, I blog about an app called Profile and Permission Set Helper from Salesforce Labs. This app helps you to convert existing Profiles permissions in your org to Permission Sets, when I wrote that blog, the app was still at version 1.5.

Fast forward 3 years later, now the app is on version 2.28, in addition to helping you to convert from a profile to a permission set, it also has a new feature called Permission Analyzer, here is the description of the app

Analyze by a permission to view the list of profiles and permission sets that contain it. You can also analyze by user to view a summation of all permissions assigned to a user. View which specific profiles or permission sets contain a permission. Understand your permissions structure with just a few clicks and keep your permission assignments up-to-date.

In my use case, I have a user that suddenly has edit to all accounts, although the user profile doesn't have Modify All on Accounts, so what is the caused?

Using Permission Analyzer, I look up that user then drills into Account object and see how the user gets Modify All permission on Account.

In the above sample, the permission set name is a clear "Modify Acct", so you can guess what is inside the permission set, imagine if that permission is called "View Campaign", at a glance, you will not guess that permission set has anything to do with Account.

However, if you are good with SOQL, you can get almost the same result using query

SELECT Id, SObjectType, Parent.Label, Parent.IsOwnedByProfile
FROM ObjectPermissions
WHERE PermissionsModifyAllRecords = True 
AND (ParentId IN (SELECT PermissionSetId FROM PermissionSetAssignment WHERE Assignee.Name = 'Hello User'))
AND (SobjectType = 'Account')
ORDER BY Parent.IsOwnedByProfile DESC, Parent.Label