Home

    Salesforce Permissions Report

    Tuesday, August 8, 2023In: Backup Print

    New Permissions Report

    Once a week, for every full backup, the permissions report uses the Field-Level-Security (FLS) feature to analyze the field level permissions in your Salesforce Org. This report lists the fields that the authenticated user does not have permission for in their Salesforce org. FLS allows a layer of permission complexity to exclude the reading of specific fields, even for users who have object permissions. By default, specific fields are excluded by certain objects for the System Admin.

    If there are any fields that need excluding, an error appears on the report page. You can choose to exclude certain fields if you do not want the authenticated user to have permission for them, or they are not deemed critical by the business.

    Permissions Report

    We aim to provide clients with a Full & Complete backup of all the Data, Metadata, Attachments, Content Documents and knowledgebase Articles. To ensure this -we automatically analyze the field-level-security on completion of every Full Backup.
    If unreadable fields are detected due to changes made to profiles and/or permissions, a warning is shown on the service's dashboard that the data has been excluded. A link is provided to a new tab ("Permissions Report") containing the report. An actionable remediation tool is also provided.

    When selecting “see report”, the option exists to export the Field Level Security Report as an XML for Profile updates. 

    This enables admins to update any profile with missing field/object permissions using Force.com IDE and other similar tools. See The steps below on how to deploy the XML as a permission set in Workbench.
    To fix these gaps within Salesforce, first ensure the user leveraged for the backup complies with these settings.

    To immediately see the changes reflected and not wait until the next Full Backup, run a manual "Analyze Profile Permissions" job directly from the  Backup-->Options-->Analyze Profile Permissions button.

    Deploy Missing FLS via Workbench

    By downloading the Salesforce compatible XML you can achieve an easy method to update a permission set that can be applied to the authenticated user.

    Note: Security assignments, permission sets, and profile management are the sole responsibility of the user.

    We recommend checking to see if you have the IntegrationUserMissingFields permission set, already set up in Salesforce. If you do, follow the instructions here.

    Part 1: Review Report and Download XML

    View the permission report in the application to see the field list and download the data as a Salesforce compatible XML.

    Part 2: Prepare the Workbench zip to Deploy

    To create a package that Workbench can consume, you must create a specific file/folder structure. First, create an additional file titled: package.xml which contains the package definitions:

    <?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>IntegrationUserMissingFields</members>
        <name>PermissionSet</name>
    </types>
    <version>54.0</version>
</Package>

    Once the file is created, update the paired payload:

    1. On your desktop, open the permissions_update.xml with a text editor.
    2. Create a permission set instead of updating the profile, search and replace the
      <Profile xmlns= ... with <PermissionSet xmlns= .... and  </Profile> with </PermissionSet>
    3. Insert the following two lines before the closing tag </PermissionSet>: 
      <hasActivationRequired>false</hasActivationRequired>
<label>IntegrationUserMissingFields</label>
    4. Save As” the ‘permissions_update.xml’ file to ‘IntegrationUserMissingFields.permissionset’
      • Note - Renaming the file will not work as it will keep the .xml format and fail to work when uploaded.
      You should have something similar to this: 
      <?xml version="1.0" encoding="utf-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
	<fieldPermissions>
		<editable>true</editable>
		<field>Account.HiddenField__c</field>
		<readable>true</readable>
	</fieldPermissions>
	<fieldPermissions>
		<editable>true</editable>
		<field>Account.Account_L1__c</field>
		<readable>true</readable>
	</fieldPermissions>
	<fieldPermissions>
		<editable>true</editable>
		<field>Case.CaseClosedOnCreate</field>
		<readable>true</readable>
	</fieldPermissions>
	<fieldPermissions>
		<editable>true</editable>
		<field>Case.CaseReason</field>
		<readable>true</readable>
	</fieldPermissions>
	<hasActivationRequired>false</hasActivationRequired>
	<label>IntegrationUserMissingFields</label>
</PermissionSet>
    5. Create a folder called ‘permissionsets’ and move the - IntegrationUserMissingFields.permissionset file into that folder.
      • Note: The folder name is case sensitive and must be lowercase
    6. Select both the permission sets folder and the package.xml and create a zip file:

    Part 3: Deploy with WorkBench

    Via Workbench, create a new Permission Set called "IntegrationUserMissingFields" with the permission Read and Edit on all the missing fields from the edited XML.

    1. Login to your target organization.
    2. Click Migration menu
    3. Select "Deploy".
    4. Choose the package zip file and select the following options:
      1. Allow Missing Files 
      2. Single Package
    5. Click Next and then Deploy.
      • If deploying to production Rollback On Error must be selected. And the test level should be ‘Run Specified test’
      • A test class that will run successfully must be used in order for the permission set to deploy to production.
      • Further reading on adding a test class in Salesforce in this article.

      If the package deployed, a success message will appear under the Results.

      Part 4: Assign the Permission Set to the Authenticated User

      In Salesforce, assign the permission set to the authenticated user.

      1. Log in to Salesforce.
      2. Select Setup > Permission Set > 
      3. Click the permission ‘IntegrationUserMissingFields’ and then Manage Assignments button.
      4. Add the authenticated user to this permission set.
      5. After assigning the permission, validate the permissions worked by re-running the analyze permission job via Backup Services →  Options → Analyze Profile Permissions

      Part 5: Updating the Permission Set File with New Field Data

      When you need to update the IntegrationUserMissingFields permission set in Salesforce, creating a new one with the same name overwrites it.

      See the following steps to leverage the Metadata backup to append the history of the already available fields for this permission set.

      1. Select the Metadata backup for the specific service you wish to update.
      2. Access the most recent backup, then download the XML for permission sets by selecting the highlighted number next to permission sets.
      3. Open the zip file, and navigate to the permission sets folder.
      4. In the permissionsets folder, delete all the permission sets except the IntegrationUserMissingFields.permissionset file.
      5. Download the SFDC Compatible XML of the fields from the permission report for the affected backup.
      6. Open the SFDC Compatible XML and copy everything in between the opening and closing tag for <profile></profile>
      7. Open the IntegrationUserMissingFields.permissionset and paste the contents at the end of the file, before <hasActivationRequired>false</hasActivationRequired>

      <label>IntegrationUserMissingFields</label>

      1. Save the  IntegrationUserMissingFields.permissionset
      2. Resume from Part 2 to Part 4 to deploy via Workbench and update the current permission set.
      « Previous ArticleNext Article »


      Contact Us

      Sometimes you just want to talk to someone. Our customer support team is available by phone:

      Request a Technical Support Call Back
      Submit a Ticket