So you’ve just upgraded your version of Professional Edition to Enterprise or you’re hoping to do so in the near future. So what do you do now? One feature, one that’s very, very important to businesses today, is the ability to control who can do what. For example, you want to be able to allow Sales users to control fields that are important to them and not let marketers change their values. How do you do that? With profiles.
I’ll show you how easy it is to create a profile with a simple GIF (click to watch).
That’s great. Now what should I know?
Let’s go over some key things:
1. Profiles are the base level of permissions that any user should get. What do I mean by this? If you have a group of Sales users, who usually, should not be able to edit a marketing field, they should have a profile that reflects that.
What about that one user that straddles Marketing and Sales? There’s always that one exception. Don’t worry! For that, you have permission sets. Permission sets function almost exactly the same as profiles, but they add permissions that a user would typically not have.
2. There are a few reasons to create a profile:
- The group of users need to have a different page layout
- E.g. You want sales to see different key fields than marketing. Who doesn’t want to show relevant content to specific sets of users?
- The group of users need to have org-wide email addresses
- There is an idea to have permission sets grant this. Please vote it up here!
- Login Hours
- This restricts when a group of users can log in to the system. The typical use case is Customer Support reps.
- Login IP Ranges
- This restricts ranges of IP Addresses that users can login to the system from.
- This is different than trusted company IP ranges ( Setup | Security Controls | Network Access ). This is to say what ranges of IP Addresses are trusted to not have to activate their computer via mobile or email authentication.
The profile mantra
Repeat after me: “Now that I’m on Enterprise Edition, I will only use one standard profile: system administrator.”
Okay, so creating a profile isn’t that hard. You have settings that allow you to give users access to functionality like Apex Classes, Visualforce, Data Categories and administrative permissions. A word of advice on the latter: any administrative permissions, such as “Modify All Data”, “View All Data” or “Customize Application” should be assigned via permission set and given out with caution.
Here’s the fun part. You have to talk to people in your company to start determining who should do what. If you’re thinking about getting Enterprise Edition and haven’t yet, you can start this exercise now. The easiest way to do this, in my humble opinion, is to think about the roles that you have in your organization and how those roles align to a base set of permissions, e.g. Sales, Marketing, Operations, etc. Now that you have this in mind, you will need to then take an inventory of all of the fields in your salesforce instance and say who owns what data and whether or not it should be touched by other business units. Use a tool like Easy Describe to get all fields and values.
You can then use this template to start coming up with which profiles should have access to which objects and which fields.
If you have this filled out before you make your profiles, it will make it a breeze! Remember though, this is where you need to work with key business stakeholders and ask questions about who is doing what and if they should have that permission. You will need to find multiple partners / champions / power users to work with you in constructing the right permissions, and of course, before you make the profiles, you’ll want to have tested that users can do what they should and can’t do what they shouldn’t (aka, you’ll need to create a test plan – more to come on this in the future).
Here’s a protip for editing object-level security: Use the power of list views to make mass updates to which objects groups of users can see. The gif below shows just that.
Congratulations! You’re now a pro on Profiles!