A Script to Create a Modify All Data Permission Set

 If you follow the principle of least permissions -- and you should -- then it should make you cringe a bit to grant someone admin permission in production.

System Administrator allows anyone with that permission to pretty much do whatever they want. That cuts both ways, where it removes obstacles to people's day to day, but also creates risks for honest mistakes and even bad-actor behavior.

We're working on how to structure permission for our admins and devs so that they can do their day job, but remove permission to change metadata since that needs to go through DevOps.

Cloning the System Administrator Profile and removing "Customize Application" is a start. But as your org changes, you have to make sure that permissions are added to the cloned Profile as fields are created. Basically, we need a way to ensure "Modify All Data" includes permissions to all objects, fields, tabs, etc.

To facilitate this, as a little side project I've created an Apex class that will grant access to a given Permission Set to:

  • All objects (read or read/write)
  • All fields (read or read/write)
  • Apex classes
  • Apex pages (Visualforce)
  • Custom Apps
  • Record Types
  • Tabs

I designed it to be standalone so you can drop it in your sandbox and run it. You can run it on a new Permission Set or an existing one and it will add the missing permissions.

For more information, check it out on Github:

Click Here for the Github Project

Comments

Post a Comment

Popular posts from this blog

Setting a DateTime to a Weekday in a Formula

Image
This is one of those things that took way too long to sort out. WEEKDAY() is a great formula function, but it only works on Dates.  Our requirement was to set the value to three days from now, but only if the day is a weekday, and put it in a datetime field. Thinking it through, they wanted the result to come out as follows. Cases received on Monday are due Thursday (+3 days) Cases received on Tuesday are due Thursday (+3 days) Cases received on Wednesday are due Monday (+5 days, skipping 2 weekend days) Cases received on Thursday are due Tuesday (+5 days, skipping 2 weekend days) Cases received on Friday are due Wednesday (+5 days, skipping 2 weekend days) Cases received on Saturday are due Wednesday (+4 days, skipping 1 weekend day) Cases received on Sunday are due Wednesday (+ 3 days) WEEKDAY() returns  an integer value, where 1 is Sunday and 7 is Saturday. Therefore: CASE(WEEKDAY(TODAY()), 4,now()+5, 5,now()+5, 6,now()+5, 7,now()+4, now()+3 ) Since WEEKDAY() only works o
Read more

"Disjunctions not supported" - Why Custom Metadata and Flow Don't Mix

Salesforce has been focusing a lot on Flow recently, as they should. It splits the difference nicely between Process Builder and Apex code. We recently used Flow to implement what I'd expect is a common use case - when a record is created, lookup a value from a table and update the record. In this case, it's a light lead score we call a "fireball" value. This worked great since in most use cases we'd get one record at a time. But we found during Lead conversion, we would get a few records through at a time, which caused the process to break with a really odd error: Error Occurred: This error occurred when the flow tried to look up records: Disjunctions not supported. After some research it became clear that this is the error you get when you try to query a custom metadata table using an "OR" condition. But my Flow didn't use an "OR" condition in the metadata lookup. The answer was lurking in this obscure documentation: When you define mult
Read more

Update Knowledge Articles in Bulk

Image
Recently we had a big Knowledge Centric Support (KCS) initiative where we generated a ton of Articles for use in a Community. (We're still on Classic Knowledge.) Problem is, some users forgot to tick the "Customer" box when creating the Articles. So those articles didn't appear to external users in the Community. You can update these Articles in bulk, but you need to use a few obscure hooks in Apex. This method will create a draft of the Article, update the Knowledge Article Version, and then re-publish without creating a new Version. The following code will update the 'IsVisibleInCsp' flag for a single Article specified in the 1st query, which will make it visible to Customers. Here's a bulkified version. This is heavy on the CPU so I run it 10 at a time. When going over these in bulk, you might run into a situation where there is an existing draft of an article that has been previously published; i.e., it's actively being updated. In t
Read more