Month: December 2020

Creating a Salesforce Permission Set subset from multiple Profiles

This tool reduces the size of your Profiles by extracting their common elements and placing them in a common Permission Set.

Complex Salesforce orgs often have large Profiles, and Users can only have one Profile. This means that when you create a new App or implement a Release Update (for example), then your Admins will need to go through and ensure all Profiles are updated the same way. You will then also have to test each Profile fully.

I created a simple command line utility to identify the most common elements in a set of Salesforce Profiles and generate a common subset Permission Set as well as the newly reduced Profiles.

https://github.com/andrewwhitten/Salesforce-Profile-Refactor

Salesforce provides Permission Sets and Permission Set Groups that allow you to define a set of Permissions not tied to any Profile. This means, for example, that if you have 100 class accesses that are needed by multiple Profiles, you could define one Permission Set and assign it to everyone who has those Profiles.

In a really simple example, I cloned three new Profiles from the standard ‘Minimum Access – Salesforce’ Profile. (In a real world example this hierarchy would be better defined as Roles). Each has Profile level access to different Apex Classes in our Org:

Initial Profile state

We can see that all these Profiles have access to the X-Wing and Y-Wing classes, so we can add those to a Permission Set:

Reduced Profiles with common Permission Set

Furthermore, we can see that the ‘General’ and ‘Major’ profiles have other common classes, meaning we can divide up further:

Reduced Profiles with two common Permission Sets

Now, the Rebel Alliance has just acquired a new B-Wing vehicle for everyone. To grant access the Admin can now just add this to the main Permission Set, instead of to each Profile:

Adding a new permission element that everyone has access to

For such a simple example it is easy for an Admin to set this up by hand. But what if you have 15 Profiles that are thousands of configuration lines long?

The tool generates a Permission Set. If your common files are still large, I would suggest creating a Permission Set Group and splitting the generated Permission Sets up inside it instead.
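The extraction walked through above can be sketched in a few lines. This is an added example in Python, not code from the Salesforce-Profile-Refactor tool (which is written in C#); it handles only `classAccesses`, and the 'Pilot' Profile and the class names are constructed stand-ins. A class is moved only when every Profile has it enabled, so a class that one Profile lists with `enabled` set to false stays out of the shared Permission Set and nobody gains access.

```python
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"
Q = f"{{{NS}}}"                      # qualified-name prefix for ElementTree
ET.register_namespace("", NS)

def profile_xml(classes):
    """Constructed Profile metadata from {apexClass: enabled}."""
    rows = "".join(f"<classAccesses><apexClass>{c}</apexClass><enabled>"
                   f"{str(e).lower()}</enabled></classAccesses>"
                   for c, e in classes.items())
    return f'<Profile xmlns="{NS}">{rows}</Profile>'

# Constructed input: 'Pilot' and the class names are hypothetical stand-ins.
PROFILES = {
    "General": profile_xml({"XWing": True, "YWing": True, "FleetOrders": True, "BattlePlans": True}),
    "Major": profile_xml({"XWing": True, "YWing": True, "FleetOrders": True}),
    "Pilot": profile_xml({"XWing": True, "YWing": True, "FleetOrders": False}),
}

def enabled_classes(xml_text):
    """Apex classes a Profile or Permission Set actually grants (enabled == true)."""
    return {ca.findtext(Q + "apexClass")
            for ca in ET.fromstring(xml_text).findall(Q + "classAccesses")
            if ca.findtext(Q + "enabled") == "true"}

def refactor(profiles):
    """Return (common classes, Permission Set XML, reduced Profile XML by name)."""
    common = set.intersection(*(enabled_classes(x) for x in profiles.values()))
    ps = ET.Element(Q + "PermissionSet")
    for name in sorted(common):
        ca = ET.SubElement(ps, Q + "classAccesses")
        ET.SubElement(ca, Q + "apexClass").text = name
        ET.SubElement(ca, Q + "enabled").text = "true"
    reduced = {}
    for pname, xml_text in profiles.items():
        root = ET.fromstring(xml_text)
        for ca in root.findall(Q + "classAccesses"):
            if ca.findtext(Q + "apexClass") in common:
                root.remove(ca)      # now granted by the Permission Set instead
        reduced[pname] = ET.tostring(root, encoding="unicode")
    return common, ET.tostring(ps, encoding="unicode"), reduced

def access_unchanged(before, after, common):
    """True if Profile + Permission Set grants exactly what the old Profile did."""
    return all(enabled_classes(before[p]) == enabled_classes(after[p]) | common
               for p in before)

if __name__ == "__main__":
    common, ps_xml, reduced = refactor(PROFILES)
    print(sorted(common), access_unchanged(PROFILES, reduced, common))
    # Second pass over the two Profiles that still overlap.
    print(sorted(refactor({p: reduced[p] for p in ("General", "Major")})[0]))
```

Running `refactor` again on only the reduced 'General' and 'Major' Profiles yields the second, narrower Permission Set from the walkthrough. Other Permission Set fields, such as the label, are left out of this sketch.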

Assumptions

This post will only cover the generation of Profile and Permission Set metadata files. The process for pulling and pushing Profile metadata from an org really depends on how well your devops is set up. SFDX tools can pull and deploy Profiles, but not consistently without some issues.

Warning and Disclaimer

Always use this tool in sandboxes and never directly in Production! Try and design an improved Permission Set and Profile combination in a sandbox, and then test that extensively. You need to have personal confidence that the new Permission Set is going to work for your users.

If you do progress to Production, then also have a rollback strategy to the old Profiles.

Finally, please ensure that you have all the training and knowledge required to pass the ‘Sharing & Visibility Designer’ Certification. You really need to understand how Profiles and Permission Sets work, and all potential impacts to your org. Unit Tests, manual testing and automated testing are rarely comprehensive enough to catch every scenario.

Instructions

  1. Ensure Microsoft .Net 5.0 is installed on your system (Windows, Mac or Linux)
  2. Place all Profile metadata files in the \input directory (you can specify another directory for input and output if desired)
  3. Run this command (sample input files provided): dotnet SalesforceProfileRefactor.dll \input \output

MacOS Example:

Run the tool from the command line

You will see a new folder generated under ‘Output’ with the current date and time stamp. Inside is the common Permission Set as well as the newly reduced Profiles:

How the tool looks

Open the generated Report.csv in Excel (or similar), and you will see that it has moved 2 Apex Class access elements and 5 user Permission elements into the common Permission Set:

The output report in MS Excel

Changing the code:

The tool has been developed in Microsoft .Net 5.0 and should run on Windows, MacOS and Linux. You can change the code in community (free) versions of Microsoft Visual Studio 2019 for either Mac or Windows.

Notes:

  1. I chose to do this in C# .Net because I already knew how to manipulate XML with it. Additionally Visual Studio is great at generating the XML schema wrapper class.
  2. At this early stage I doubt there are many people who need this utility. Even I am hoping to use it very rarely. Java would have been a more natural choice for the Salesforce community, but would have taken me longer.
  3. Code Optimization – I prioritized accuracy and reliability over code speed. I have a recent i7 running at 2.8 GHz and the whole operation takes less than 7 seconds to process 600,000 Profile configuration lines, therefore I am not too concerned about it.
  4. GUI – I have some thoughts about extending this with a user interface to help visualize the process better, perhaps by comparing specific types of elements and attributes between files rather than all.
  5. Naming – Ensure that the name of the files is correct for either Sfdx or older metadata deployments. I might include this as a command line option in future.

Experience on passing the Salesforce Certified Data Architecture and Management Designer


I had planned to take the Salesforce Certified Data Architecture and Management Designer exam at the beginning of 2020, but between a major change in the exam’s structure in March and challenges to both study and work from home since then I have delayed until now. After passing the exam this weekend I wrote down some thoughts:

This exam had a lot of multiple ‘Correct’ answers, requiring you to select the ‘best’ one. This made me uncomfortable, but my strategy was just to choose the answer I would use in real life and not try and second guess what the examiner was thinking.

Many questions were helped by my real life experience of large and complex orgs. In fact it would have been extremely hard to pass this exam by study alone. Some questions I had not studied for at all, and just knew from my own experience.

Maybe I’m now used to these exams, however I found the questions clearer and easier to parse than in my previous Salesforce exams. I didn’t even write down anything on the (supplied) paper pad to deconstruct them this time.

Areas to consider:

  • The difficulty of the questions varied significantly, from really basic to really hard and nuanced. If you find yourself despairing then really just push on, you will get to easier ground soon enough. The pass mark is 59%, and I’m sure that you can get within striking distance by just answering the easy ones first.
  • Many question topics were also covered by the Salesforce Certified Sharing and Visibility Designer exam. Many people say that exam was harder, so I was well served by having completed that already. I would suggest putting in the study for that exam as well, even if you do not intend to take it yet.
  • Be across your Salesforce licensing and usage limits. Yes, Salesforce can do it, but does your org have the licensing to back it up?
  • Integration! When is it best to use Salesforce Connect, Data Loader, REST/SOAP API, or third party ETL tools? Think about scenarios where your users need to access data held in another system.
  • Some questions were not clear if the best solution was a Salesforce tool or a third party tool. It is a Salesforce exam, so obviously you are going to be tempted to go with the Salesforce option with all other things being equal. Not sure what to recommend other than go with what you think is right.
  • When to use a managed package from the AppExchange? This is challenging because many of these products charge by the amount of users, and if you have thousands of users then it is non-trivial to suggest your business procure a managed package in real life if it can be avoided. Salesforce does however recommend implementing custom code as a last option, so just bear that in mind.
  • The Focus On Force exam preps and practice exams were valuable and good value. I feel that although they won’t help you pass the exam by themselves, they will nevertheless bring you to a higher level after you finish the trailhead materials.

The worst thing about these exams (not specific to Salesforce) is that there is no way to go back and discuss what the right answer should have been for some of those borderline questions. It would be great if Salesforce allowed us to flag and give feedback on each question as we go through. The one text field at the end doesn’t really help for this (at this point you have committed and just want the results already!).

There you have it. Good luck on your exam and reaching Certified Application Architect!