Administration should be as easy as pressing a big red button and having everything automatically turn out the way you want.
Take custom objects and their permissions for example. It's very easy to create a custom object. As an administrator, it's just a couple of clicks. And it's just as easy to enable users to use these custom objects through object permissions on a user's profile. Within a few minutes, everyone can use a custom object. And therein lies a challenge in the big red button.
What if some people should not use those custom objects? And what if we couldn't remove that access from some of our users, like customer or partner portal users, and now we're exposing internal data externally? As the adoption of both profiles and custom objects grows in our org, we may be faced with more work to remove access from people who shouldn't have it than to make sure the right people can access it to do their jobs.
With the Spring '10 release for Enterprise and Unlimited Edition orgs, instead of defaulting object permissions to 'on' or full access when creating a new custom object, we now default access to 'off' or no access. As a result, custom objects can be created more securely in Enterprise and Unlimited Edition because we don't assume that everyone should have full access including delete on all newly created objects.
Creating custom objects more securely creates two additional bits of work for admins.
- If users are assigned to 'standard' profiles, a profile that comes pre-created with every org, those users should be migrated to a custom profile in order to use the newly created custom object. This is because object permissions on 'standard' profiles are unchangeable.
- After creating a new custom object, the admin will need to go and configure the permissions for their custom profiles.
Reassigning users to custom profiles can be as easy as:
- cloning the standard profiles
- going to each standard profile, clicking on the 'View Users' button, and going through the list of users to reassign each one to a custom profile.
However, if you have a lot of users to reassign, you may want to handle this reassignment by exporting your users using a tool like the data loader or Excel connector and updating them with the new custom profile id.
The advantage of changing this assignment is that custom profiles are fully configurable; unlike 'standard' profiles, the user and object permissions are editable. In addition, custom profiles are also your intellectual property and won't be modified from release to release.
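The bulk reassignment described above can be prepared with a short script. This is an added example, not part of the original post: it reads a user export and writes an update file containing only `Id` and `ProfileId`, so the load changes nothing else on the user record. The profile and user Ids and the sample export are constructed placeholders; the column names assume the export includes the User fields `Id`, `Username`, and `ProfileId`.

```python
import csv
import io

# Constructed mapping: standard profile Id -> Id of its custom clone.
# These Ids are placeholders; substitute the Ids from your own org.
PROFILE_MAP = {
    "00e000000000001AAA": "00e0000000000A1AAA",  # standard profile -> its clone
    "00e000000000002AAA": "00e0000000000A2AAA",  # standard profile -> its clone
}

# Constructed sample of a user export (columns Id, Username, ProfileId).
SAMPLE_EXPORT = """Id,Username,ProfileId
005000000000001AAA,alice@example.com,00e000000000001AAA
005000000000002AAA,bob@example.com,00e000000000002AAA
005000000000003AAA,carol@example.com,00e0000000000A1AAA
005000000000004AAA,dave@example.com,00e000000000009AAA
"""

def build_update_rows(export_text, profile_map):
    """Return (updates, review): rows to load back, and usernames on unmapped profiles."""
    custom_ids = set(profile_map.values())
    updates, review = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        current = row["ProfileId"].strip()
        if current in profile_map:
            # User is on a standard profile that has a clone: reassign.
            updates.append({"Id": row["Id"].strip(), "ProfileId": profile_map[current]})
        elif current not in custom_ids:
            # Neither a mapped standard profile nor one of the clones:
            # leave the user alone and flag the account for a manual check.
            review.append(row["Username"])
    return updates, review

def to_csv(updates):
    """Serialize the update rows with only the two columns the load needs."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["Id", "ProfileId"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(updates)
    return out.getvalue()

if __name__ == "__main__":
    updates, review = build_update_rows(SAMPLE_EXPORT, PROFILE_MAP)
    print(to_csv(updates), end="")
    print("Review manually:", review)
```

Users already on a clone are skipped, and users on any profile missing from the mapping are listed for review rather than silently reassigned.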
Setting custom object permissions may be handled using the Enhanced Profile List Views. If you haven't tried this feature out yet, it allows you to create custom list views of your profiles and their user/object permissions. It also allows mass inline editing of the list view. As a result, after creating a collection of new custom objects, you can create a custom profile list view, filter only those profiles you want to grant access to, and mass update the object permissions for all of the new custom objects at once. To enable this feature:
- go to Setup | App Setup | Customize | User Interface and select Enable Enhanced Profile Management.
- go to your profiles list under Setup | Administration Setup | Manage Users | Profiles to start creating lists and updating object permissions across multiple profiles.
Administration should be as easy as pressing a big red button and having everything automatically turn out the way you want. And now, pressing that red button also makes custom objects more secure, so you can sleep better at night knowing that the right people are getting the right level of access.
