Admins

An Easier Way to Deploy Profiles and Permissions Sets

By Alex Brausewetter

May 27, 2019

Profiles and Permission Sets have always been a pain to deploy, but the recent Salesforce outage known as #permissiongeddon on Twitter makes it even more of a pressing issue for teams.

For many Salesforce admins and developers, Profiles and Permission Sets have always been somewhat of a pain to manage. Yes, they can be deployed via Change sets or Ant scripts, but neither option works all that well. Accordingly, many teams manage their Profiles and Permission Sets manually.

It appears that there is also a correlation between the size of the Salesforce Org and the reliance on manual steps to manage Profiles and Permission Sets. This probably has a lot to do with the importance these vital types have for organizations. As we recently saw with the most recent massive Salesforce outage known on Twitter as #permissionsgeddon, relying on a script to manage permissions can be nerve-wracking for many organizations.

Still, manual steps come with their own challenges and dangers. Manual steps performed by human beings are prone to error. And for anyone who has had to manually deploy a large group of Profile or Permission Set changes you can be forgiven for mistakes as each item looks perilously close to the last after awhile.

Free Profiles & Permissions Deployer

Blue Canvas, a source control and CI tool for the Salesforce ecosystem, has recently released a free tool for the community that can help take some of the manual steps out of deploying Profiles and Permission Sets while still giving you the oversight you want for such a critical part of your Salesforce org. (Disclosure, I’m the CTO of Blue Canvas).

You can access the free Profiles and Permission Sets deployment tool here. We have developed it for our customers but are now proud to offer it for free to the entire Salesforce community.

It’s a relatively simple tool, but in its simplicity lies its power. The tool allows you to connect to and compare any two Salesforce orgs, whether they are sandboxes or production orgs. Once connected you’ll see a complete diff of all Profiles and Permission Sets between the orgs. The tool allows you to filter by Profiles, Permission Sets, Apex Classes, Objects and Fields (Field Level Security), and VisualForce Pages.
You can then use these diffs to create a custom changeset with a few clicks. And when you are ready to deploy you can do it with a single click.

The filters allow you to be very granular about which types and which permissions changes you want to include. You can deploy entire Profiles or Permission Sets. You can update existing permissions at the Field, VF Page or Object level (we’ll be continuing to add more types and filters in the coming weeks).

Recovering From #Permissiongeddon

Unfortunately, a full recovery from the recent Salesforce incident has not been possible for all orgs. As of May 20, 2019 over 10% of Salesforce orgs still did not have their permissions fully restored and Salesforce began informing customers that they would have to restore their orgs on their own. (A recovery script had mixed results and was not as successful as hoped over the weekend).

If you are affected by this and want to restore your org on your own, unfortunately, there is no magic solution. However, the Profiles & Permissions Deployer can help. It’s especially helpful if you have an unaffected Sandbox with previous permissions still intact. We’ve helped dozens of organizations recover so far and more are still coming.

If you have an unaffected Sandbox with all of your permission in place (you can confirm this by logging into the Sandbox, opening Setup, checking a non-Salesforce Administrator profile and looking at Standard Object Permissions. If Read, Create, Edit and Delete are unchecked for all objects the sandbox was reset and it cannot be used to restore).

Connect this sandbox as the Source Org, then connect your Target Org. Click Compare and in the left sidebar, you should see all of your Profiles listed. You can add them to a “change set” and deploy them.

It’s not a perfect solution, but it beats manually reconfiguring your orgs. You can also find out more about the outage by following this unofficial Google doc which logs notes from all of Salesforce’s support webinars.

The Author

Alex Brausewetter

Alex Brausewetter is a founder of Blue Canvas where he does coding, product design, and architecture.

More like this:

Comments:

    Maninder
    May 27, 2019 8:21 pm
    I tried connection with the sandvox. It gives me this error.{"error":"Invalid `state.csrf_token`."} i have verified my credentials which is valid.
    Reply
    Salesforce Solutions
    May 28, 2019 3:22 pm
    hi alex, the product looks good, but can it happen that in future it becomes a paid product (currently free) ? and any org. using it has to either pay or uninstall.
    Reply
    Alex Brausewetter
    May 28, 2019 7:45 pm
    Apps on https://tools.bluecanvas.io are free and remain that way. It's our contribution to the Salesforce community.
    Reply
    Alex Brausewetter
    May 28, 2019 7:46 pm
    Looks like your session expired. If you keep having trouble, get in touch with support@bluecanvas.io and we'll help you out.
    Reply
    Saket Kolhapure
    May 28, 2019 11:54 pm
    Hi Alex, this seems to be a good tool to migrate the permissions. But considering the recent salesforce incident, it impacted all the sandboxes along with production, we could not have used this tool. What would be helpful from my perspective, is a tool which backs up all the profiles and permissions set access settings. The backup can be used in the events of any adverse change either from salesforce or customer itself. Please let us know if there is any such tool available.
    Reply
    Ellen Moorehead
    May 29, 2019 8:40 pm
    Hello Saket, we should talk! OwnBackup offers daily, automated back ups of data, meta data, chatter and attachments across all environments = PROD and Sandboxes. We were able to assist about 60 customers from the service disruption on May 17. Check us out! Thank you. Ellen
    Reply
    Alex Brausewetter
    May 29, 2019 10:56 pm
    We've considered offering permissions backup, but at the moment this isn't on our roadmap. If we see lots of demand, we might add it.
    Reply
    Roger Borges Grilo (@SalesforceRoger)
    May 30, 2019 10:52 am
    Let's say I need to compare the differences between 2 permission sets; what simple tool do you recommend?
    Reply
    Sumir Saini
    June 03, 2019 10:07 pm
    Roger check out - https://perm-comparator.herokuapp.com/
    Reply
    Sumir Saini
    June 03, 2019 10:07 pm
    Roger checkout - https://perm-comparator.herokuapp.com/
    Reply
    Becca
    September 10, 2019 10:30 pm
    I just want to know if all the changes actually track in the audit log... I know they don't with ant. So I often want to tear out my eyes
    Reply
    Nicole Dawes
    July 16, 2021 6:57 pm
    Hey Becca! You should check out www.strongpoint.io - their tool integrates right into the Salesforce platform and monitors and tracks any specified change you want. It's a lot more comprehensive than the audit log.
    Reply
    Nagarjuna
    April 04, 2022 8:29 am
    Hi I am facing this error may and not able to connect two orgs at all {"error":"Invalid `state.csrf_token`."} please help out
    Reply
    Gene Teglovic
    May 27, 2022 12:19 am
    Most of these posts are from 2019. I simply cannot get this tool to work. I logged in to the source and target orgs. I selected the profile which I want to move from the source org to the target. Note that the profile does not exist yet in the target org. Then I hit the "Compare" button. It listed out all the apex classes, objects and VF pages, so it is finding the profile in the source org.. Then I did "add all to change set" and then Deploy. It runs for quite some time and says it finishes. However, there is no outbound change set in the source org, no inbound change set in the target org. And no profile in the target org. What am I missing? support@bluecanvas.io are you still around? I get that this is a free product so expectations are low; Id buy you a nice bottle of Scotch! . :-) It would be a fantastic thing it if I could get this to work. Thanks in advance!
    Reply
    lae
    August 15, 2022 11:29 pm
    This is amazing! Thank you so much for sharing!
    Reply
    Vinod
    September 30, 2022 8:09 am
    I was trying to deploy profiles but it seems not working with Record types. Giving me error : FIELD_INTEGRITY_EXCEPTION: No default record type specified for recordTypeVisibility. Even though default record type is set in source org profile level. Can someone please help in this? Or any other way I can deploy such profile? Thanks!
    Reply
    Greg
    April 24, 2024 2:35 pm
    OMG, finally! Thank you for this awesome tool :)
    Reply

Leave a Reply