Profiles vs Permission Sets: Stop Granting Org-Wide Admin

Introduction

As a senior Salesforce Administrator, I’ve managed numerous orgs in some of the largest enterprises in the world, and one of the most common mistakes I see is granting Org-Wide Admin (OWA) permissions. While OWA might seem like an easy solution for quick access to all objects and records, it’s actually a dangerous practice that can lead to data breaches, security vulnerabilities, and operational inefficiencies.

In this article, we’ll explore the differences between Profiles and Permission Sets, why you should avoid granting OWA, and how to effectively manage permissions using these tools. We'll also include some real SOQL queries and specific configuration steps to help you implement best practices in your org.

Understanding Org-Wide Admin

What is Org-Wide Admin?

Org-Wide Admin is a global permission that grants full access to all objects and records within an organization, bypassing any object-level security (OLS) settings. When enabled for a user profile, it essentially means that the user can see and modify any record in your org.

Why You Should Avoid OWA

1. Security Risks: OWA can expose sensitive data if proper access controls are not in place. If an admin with OWA permissions is compromised, all records in the org become accessible.
2. Operational Inefficiency: Granting full access to everyone leads to unnecessary complexity and confusion. Users may have no idea what they should or shouldn’t be doing, leading to inefficiencies.
3. Compliance Issues: Depending on your industry, such as healthcare or finance, granting OWA can violate data privacy regulations.

Profiles vs Permission Sets

Profiles

A profile is a predefined set of permissions that control the access and functionality available to users in an organization. Profiles are typically assigned at the user level and include:

• Object-level security: Controls what records a user can see.
• Field-level security: Controls which fields a user can view or edit.
• Custom settings, profiles, and permission sets visibility: Decides whether a user can manage these components.

Permission Sets

Permission sets are granular access control mechanisms that allow you to grant specific permissions to users without affecting their overall profile. They include:

• Object-level security: Controls what records a user can see.
• Field-level security: Controls which fields a user can view or edit.
• Custom settings, profiles, and permission sets visibility: Decides whether a user can manage these components.

Best Practices

1. Use Permission Sets for Granular Control: Instead of using OWA, create permission sets that grant specific access to users based on their role. For example, you might have a Sales Rep permission set that grants read and write access to Opportunities but not full access to Accounts.
2. Limit Profiles to Essential Access: Use profiles sparingly and only for high-level roles like System Administrators or Power Users. Most users should be assigned permission sets.

Real-World Example

Let’s say you have a user who needs read-only access to all objects in your org, but full write access to the Accounts object. Here’s how you can set this up:

Step 1: Create a Permission Set

1. Navigate to Setup > Permission Sets.
2. Click on New and name your permission set (e.g., "Read-Only User").

3. In the Object Settings, select the objects where the user needs read-only access:
   

   Accounts: Read Only
   Contacts: Read Only
   Opportunities: Read Only
   

4. Grant write permissions to the Accounts object:
   

   Accounts: Write Access
   

Step 2: Assign the Permission Set

1. Navigate to Setup > Users.
2. Select the user and click on Permissions in the quick action panel.
3. Click on Permission Sets and assign your newly created "Read-Only User" permission set.

Implementing Best Practices with SOQL Queries

Query for Permission Set Assignments

To ensure that all users have been assigned appropriate permission sets, you can run a query like this:

SELECT Id, Username, Profile.Name, PermissionSet.Name 
FROM User 
WHERE Profile.Name = 'Sales Rep' AND PermissionSet.Name IN ('Read-Only User', 'Write-Only User')

Query for OWA Permissions

To identify any users with OWA permissions, run the following query:

SELECT Id, Username, Profile.Name, HasAdminAccess 
FROM User 
WHERE HasAdminAccess = true AND Profile.Name != 'System Administrator'

Conclusion

By avoiding Org-Wide Admin and using Profiles and Permission Sets effectively, you can enhance security, improve operational efficiency, and ensure compliance with industry regulations. Follow the best practices outlined in this article to manage permissions in your Salesforce org.

Call to Action

If you’re interested in learning more about managing permissions in your Salesforce org or want to audit your current setup for potential issues, try the free scanner at:

https://orgscanner.dev/?utm_source=devto&utm_medium=content&utm_campaign=content_poster

This tool can help you identify and mitigate security risks in your Salesforce org.