Salesforce Permissions Report

    Once a week, for every full backup, the permissions report uses the Field-Level-Security (FLS) feature to analyze the field-level permissions in your Salesforce Org. The report lists the fields in your Salesforce Org for which the authenticated user does not have permission. FLS adds a layer of permissions that can block the reading of specific fields, even for users with object permissions. By default, specific fields on particular objects are excluded even for the System Admin.

    If any fields need to be excluded, an error appears on the report page. You can exclude specific fields if you do not want the authenticated user to have permission for them or if the business does not consider them critical.

    We aim to provide clients with a complete backup of all Data, Metadata, Attachments, Content Documents, and Knowledge Articles. To ensure this, we automatically analyze the field-level security upon completion of every Full Backup.


    If unreadable fields are detected due to changes made to profiles and/or permissions, an email identifying the fields unreadable due to permission exceptions is sent to the user and the service's Permissions Report page shows a warning that the data has been excluded.

    To immediately see the changes reflected and not wait until the next Full Backup, manually run an "Analyze Profile Permissions" job directly by clicking the Analyze Permissions button.

    An actionable remediation tool is also provided. The Field-Level Security Report can be exported as a ZIP package to update the integration user's permission set. Click Download Package to export the Field-Level Security Report. The permissions report only shows fields the integration user cannot access. It does not show what object permissions are missing.

    This enables admins to update the permission set for any user with missing field permissions, using Force.com IDE and other similar tools. See the steps below for how to deploy the Package as a permission set in Workbench.
    To fix these exceptions within Salesforce, first ensure that the authenticated user complies with these settings.

     

    Deploy Missing FLS via Workbench to Correct Permission Exceptions

    By downloading the Salesforce-compatible package, you can easily update a permission set that applies to the authenticated user.

    NOTE: Security assignments, permission sets, and profile management are the sole responsibility of the user.
    NOTE: We use IntegrationUserMissingFields as the default name for the permission set. If you prefer a different name for the permission set, follow the instructions in Part 4 (below).

    Part 1: Review Report and Download Package

    View the permission report in the application to see the field list and download the data as a Salesforce-compatible Package.

    NOTE: If the package download has failed, click on Analyze Permissions. Once the job has been completed, try again to download the package.

    The downloaded package may include fields that are marked as excluded. You can remove these fields from the package by opening the package and removing them manually from the permissionset file.

    NOTE: Read and Write permission will be assigned to all fields (for Backup and Restore).
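
    The manual review and removal described above can be scripted. The following is an added example, not code from the service: it assumes the package's .permissionset file uses the standard Salesforce Metadata API PermissionSet layout, and the sample XML and field names are constructed.

```python
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"  # Salesforce Metadata API namespace
ET.register_namespace("", NS)  # keep the default namespace when writing back

# Constructed sample of permissionsets/IntegrationUserMissingFields.permissionset
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <fieldPermissions>
        <editable>true</editable>
        <field>Account.Tax_Id__c</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>true</editable>
        <field>Contact.Notes__c</field>
        <readable>true</readable>
    </fieldPermissions>
    <hasActivationRequired>false</hasActivationRequired>
    <label>IntegrationUserMissingFields</label>
</PermissionSet>
"""

def trim_permission_set(xml_text, excluded):
    """Drop <fieldPermissions> for excluded fields.

    Returns (new_xml, kept) where kept lists (field, readable, editable)
    for every grant that would still be deployed.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    kept = []
    for fp in list(root.findall(f"{{{NS}}}fieldPermissions")):
        field = fp.findtext(f"{{{NS}}}field")
        if field in excluded:
            root.remove(fp)  # this field stays unreadable for the backup user
            continue
        kept.append((field,
                     fp.findtext(f"{{{NS}}}readable") == "true",
                     fp.findtext(f"{{{NS}}}editable") == "true"))
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, kept
```

    The returned list is the set of Read and Write grants that will reach the authenticated user, which is worth reviewing before the package is deployed.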

     

    Part 2: Deploy with Workbench

    Via Workbench, create a new Permission Set called "IntegrationUserMissingFields" with the permission to 'Read' and edit all the missing fields.

    1. Log in to your target organization.
    2. Click 'Migration Menu'.
    3. Select 'Deploy'.
    4. Choose the package zip file and select the following options:
      1. Allow Missing Files 
      2. Single Package
    5. Click Next and then Deploy.
      • When deploying to production, 'Rollback On Error' must be selected, and the test level should be ‘Run Specified test.’
      • In order for the permission set to deploy to production, a test class that will run successfully must be used.
      • Further reading about adding a test class in Salesforce in this article.
      NOTE: The test class specified to run when deploying to production must run successfully. It is advised to select a class with a small size and to avoid test classes from managed packages.

       

       

      A success message will appear under 'Results' when the package has been successfully deployed.

       

      Part 3: Assign the Permission Set to the Authenticated User

      In Salesforce, assign the permission set to the authenticated user.

      1. Log in to Salesforce.
      2. Select Setup > Permission Set > 
      3. Click the permission ‘IntegrationUserMissingFields’ and then the Manage Assignments button.
      4. Add the authenticated user to this permission set.
      5. After assigning the permission, validate that the permissions worked by re-running the analyze permission job via Backup Services → Options → Analyze Profile Permissions.

       

       

      Part 4: Using Non-default Permission Set Name

      Part 4.1: When merging to an existing permission set is not required 

      1. Download the SFDC Compatible Package from the permission report for the affected backup.
      2. Use a text editor to open the package.xml file within the downloaded package.
      3. Replace the name: IntegrationUserMissingFields with the name you prefer for the permission set.
      4. In the permissionsets folder, rename the file IntegrationUserMissingFields.permissionset to the name that you prefer.
      5. Open the .permissionset file and replace the name IntegrationUserMissingFields with the permission set name that you prefer (within the 2 tags <label>...</label>).

      Part 4.2: When merging to an existing permission set is required 

      1. Download the SFDC Compatible Package from the permission report for the affected backup.
      2. Use a text editor to open the package.xml file within the downloaded package.
      3. Replace the name: IntegrationUserMissingFields with the name you prefer for the permission set.
      4. In the permissionsets folder, rename the file IntegrationUserMissingFields.permissionset to the name that you prefer.
      5. Open the .permissionset file and replace the name IntegrationUserMissingFields with the permission set name that you prefer (within the 2 tags <label>...</label>).
      6. Select the Metadata backup for the specific service you wish to update.
      7. Access the most recent backup, then download the XML for permission sets by selecting the highlighted number next to permission sets.

      8. Open the downloaded zip file, and navigate to the permission sets folder.
      9. Open the .permissionset with the name you set.
      10. Copy all <fieldPermissions> … </fieldPermissions> tags.
      11. Paste them into the .permissionset at the end of the file, before <hasActivationRequired>false</hasActivationRequired> <label>IntegrationUserMissingFields</label>

      Part 4.3 

      1. Compress the updated package. 
      2. To deploy via Workbench, continue with the procedures described above.
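
      The rename in Part 4.1 (steps 3 to 5) and the re-compression in Part 4.3 touch three places that must agree, so they are easy to get wrong by hand. The following is an added example, not code from the service: it assumes package.xml and the permissionsets folder sit at the root of the zip, and the sample package, the API version in it and the name check are constructed for illustration.

```python
import io
import re
import zipfile

DEFAULT = "IntegrationUserMissingFields"
# Conservative check (an assumption of this example) before the name reaches a path or XML
API_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

def rename_permission_set(package_zip, new_name):
    """Rename in package.xml, the file name and <label>, then re-zip in memory."""
    if not API_NAME.fullmatch(new_name):
        raise ValueError(f"unsafe permission set name: {new_name!r}")
    old_path = f"permissionsets/{DEFAULT}.permissionset"
    edits = {
        "package.xml": (f"<members>{DEFAULT}</members>", f"<members>{new_name}</members>"),
        old_path: (f"<label>{DEFAULT}</label>", f"<label>{new_name}</label>"),
    }
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package_zip)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if set(edits) - set(src.namelist()):
            raise ValueError("unexpected package layout")
        for name in src.namelist():
            data = src.read(name)
            if name in edits:
                old, new = (s.encode() for s in edits[name])
                if data.count(old) != 1:  # refuse to guess if the file looks different
                    raise ValueError(f"expected exactly one {old.decode()} in {name}")
                data = data.replace(old, new)
            if name == old_path:
                name = f"permissionsets/{new_name}.permissionset"
            dst.writestr(name, data)
    return out.getvalue()

def sample_package():
    """Constructed stand-in for the downloaded package (layout is an assumption)."""
    ns = 'xmlns="http://soap.sforce.com/2006/04/metadata"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("package.xml", f"<Package {ns}><types><members>{DEFAULT}</members>"
                   "<name>PermissionSet</name></types><version>58.0</version></Package>")
        z.writestr(f"permissionsets/{DEFAULT}.permissionset",
                   f"<PermissionSet {ns}><hasActivationRequired>false</hasActivationRequired>"
                   f"<label>{DEFAULT}</label></PermissionSet>")
    return buf.getvalue()
```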
         

       

       

       
