
Ops Center Permissions Explorer

Johannes Fischer edited this page Dec 18, 2024 · 14 revisions

Purpose

Many times when investigating issues, object or field level access can play a role in the root cause analysis. It is relatively easy to find out what permission sets and profiles a user belongs to, but cumbersome to identify what the permissions for relevant objects and fields are. With the Permission Explorer, users can easily review and filter permissions for all profile and permission sets.

Please note that the tool is still in its infancy and will require some future enhancements for better results and usability!

Limitations

Out of the box, Permission Explorer queries the permission objects using Apex SOQL. This imposes a limit of 50,000 retrievable records per permission type. In larger orgs with managed packages and lots of permission sets and profiles, there can easily be three times as many records, if not more. For this reason, RFLIB supports a second approach that uses the Salesforce REST API to query all of those records. This approach requires some detailed setup steps in the org, as outlined in the section Enabling the REST API Query Mode below.

Caching

Permission Explorer uses client-side caching for the results retrieved by the controller actions. After the data is retrieved from the server for the first time, no additional server request for the given Permission Type will be made; the cached value is returned instead. This improves the load time, especially when using the REST API.

User Interface

There are two different flavors of the user interface. The standard mode is for viewing Object and Field Permissions for Profiles and Permission Sets. The extended mode allows searching for users by name, which will then display the Object or Field Permissions for that user.

Standard Mode

  1. Select the type of permission to be displayed in the list. The modes were separated due to the different fields that need to be displayed for Object vs. Field permissions, and to reduce the number of records to be queried, since there could easily be more than 100k records in larger orgs.
  2. Check the total number of permissions found for the current type.
  3. Filter the results by Profile or Permission Set name, Object and/or Field API name. Hit Enter or click the search button for the search to execute. Searching while typing is not supported in Permission Explorer for performance reasons.
  4. For the remaining results, navigate through the pages using either the buttons or enter the page number.
  5. Export the total number of records for the current type to CSV. The name of the file will be automatically determined.

Optionally, you can search for a user, which will then automatically insert the user's Profile into the search field and filter the results. This link will only appear for Profile types. Additionally, you can change the number of results to be displayed by page using the Gear button.

Extended Mode

When searching for the permissions of specific users, there is a slightly different user flow. Select one of the Permission Types that include the "for a User" suffix and follow the instructions below. Note that, for users, RFLIB will query both Profile and Permission Set permissions.

  1. Input the user's full name. A dropdown will appear with matching user names. Select one of the users from the list, which will search for the user's permissions.
  2. Check the total number of permissions found for the current type.
  3. Filter the results by Profile or Permission Set name, Object and/or Field API name. Hit Enter or click the search button for the search to execute. Searching while typing is not supported in Permission Explorer for performance reasons.
  4. For the remaining results, navigate through the pages using either the buttons or enter the page number.
  5. Aggregate the results for this user. This merges duplicate values into a single result. For example, if a Field has only read permission in the Profile but read and edit permissions in Permission Set XYZ, then the aggregated result will match the Profile, since this is ultimately the access that the user has. IMPORTANT: In the aggregated mode, RFLIB will display the first Profile or Permission Set name it finds for any given Object/Field record. This does not represent the entity that contains all the permissions.

Just like in the standard mode, it is possible to export the user's permissions. However, the file name will only contain the user's Salesforce record ID, not the name. Lastly, one can change the number of records to be displayed per page.
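The aggregation step above, as an added example that is not RFLIB's own code: a user's Field Permission rows from the Profile and all assigned Permission Sets are merged into one effective row per field, OR-ing the access flags and keeping only the first parent name seen. The row shape and the substring filter are assumptions, loosely modelled on the Salesforce FieldPermissions object.

```javascript
// Constructed sample input (assumed shape): one user with a Profile and two
// Permission Sets. Account.Rating is read-only in the Profile but read/edit
// in Permission Set XYZ, the case described on the page.
const SAMPLE_ROWS = [
    { parentName: 'Standard User', parentType: 'Profile', field: 'Account.Rating', read: true, edit: false },
    { parentName: 'XYZ', parentType: 'PermissionSet', field: 'Account.Rating', read: true, edit: true },
    { parentName: 'Standard User', parentType: 'Profile', field: 'Contact.Phone', read: true, edit: true },
    { parentName: 'XYZ', parentType: 'PermissionSet', field: 'Contact.Phone', read: false, edit: false },
    { parentName: 'ABC', parentType: 'PermissionSet', field: 'Case.Reason', read: true, edit: false }
];

// Salesforce grants the union of Profile and Permission Set access, so the
// effective read/edit flags are OR-ed across all rows for the same field.
// Only the first parent name seen is kept, so (as the page warns) it does not
// identify which entity granted each flag; `sources` counts the merged rows.
function aggregateFieldPermissions(rows) {
    const byField = new Map();
    for (const row of rows) {
        const current = byField.get(row.field);
        if (!current) {
            byField.set(row.field, { ...row, sources: 1 });
            continue;
        }
        current.read = current.read || row.read;
        current.edit = current.edit || row.edit;
        current.sources += 1;
    }
    return Array.from(byField.values());
}

// The UI filter step: case-insensitive substring match on the Profile or
// Permission Set name and on the Field API name (assumed behaviour).
function filterPermissions(rows, { parentName = '', field = '' } = {}) {
    const p = parentName.toLowerCase();
    const f = field.toLowerCase();
    return rows.filter(r =>
        (!p || r.parentName.toLowerCase().includes(p)) &&
        (!f || r.field.toLowerCase().includes(f)));
}

const aggregated = aggregateFieldPermissions(SAMPLE_ROWS);
console.log(aggregated);
```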

Apex Cursor (beta) Support (RFLIB 7.0 or later)

Starting with RFLIB 7.0, the Ops-Center Permissions Explorer leverages the Apex Cursor feature (beta) to improve performance and reduce complexity when working with larger orgs. The Apex Cursor allows querying and paginating through large datasets (50,000+ records) more efficiently, eliminating the need for complex query logic or handling governor limits. This ensures a smoother experience when exploring permissions in large environments.

For more details on the Apex Cursor feature, refer to the official Salesforce documentation.

Enabling the REST API Query Mode (RFLIB 6.x and earlier)

To retrieve more than 50,000 records, the LWC user session must be granted access to the Salesforce REST API, which it does not have by default. To successfully call the REST API from the Apex controller, a Connected App, an Authentication Provider and Named Credentials must be configured. The following list describes this setup in detail.

Since access to the REST API is significantly slower and consumes API request governor limits, Permission Explorer is optimized to always use Apex SOQL for result sets of fewer than 50,000 records.

Create Connected App

  1. Go to Setup -> App Manager
  2. Click "New Connected App"
  3. Set the following values:
  • Enable OAuth Settings: CHECKED
  • Enable for Device Flow: CHECKED
  • Require Secret for Web Server Flow: CHECKED
  • Require Secret for Refresh Token Flow: CHECKED
  • Callback URL: {leave default}
  • Selected OAuth Scopes: Manage user data via APIs (api)
  4. Click "Save"

All other optional fields can be left empty or unchecked. Use any value for the remaining mandatory fields, e.g. "RFLIB Process Explorer REST API" for the Connected App Name.

  • Click on "Manage Consumer Details" to get access to the Consumer Key and Consumer Secret, which will open in a different tab.

Create Authentication Provider

Consider opening this in a different tab.

  1. Go to Setup -> Auth. Providers
  2. Click "New" button
  3. Set the following values:
  • Provider Type: Salesforce
  • Name: rflib Permission Explorer
  • URL Suffix: {use default}
  • Consumer Key: {copy value from Connected App}
  • Consumer Secret: {copy value from Connected App}
  • Default Scopes: api
  4. Click "Save"

All other optional fields can be left empty or unchecked.

Complete Connected App Setup

  1. Copy Callback URL from Authentication Provider setup into the Callback URL field of the Connected App

Create External Credentials

  1. Go to Setup -> Named Credentials
  2. Select the "External Credentials" tab
  3. Click "New" button
  4. Set the following values:
  • Label: RFLIB Admin User
  • Name: RFLIB_Admin_User
  • Authentication Protocol: OAuth 2.0
  • Authentication Flow Type: Browser Flow
  • Scope: api
  • Authentication Provider: RFLIB Permission Explorer

Create Principal

Once the External Credential record is saved, scroll down to the "Principals" section and do the following:

  1. Click "New" button
  2. Set the following values:
  • Parameter Name: Any name describing the user, e.g. Admin
  • Sequence Number: 1
  • Identity Type: Named Principal
  • Scope: api
  3. Click "Save"

Create Named Credentials

  1. Go to Setup -> Named Credentials
  2. Click "New" button
  3. Set the following values:
  • Label: RFLIB Permission Explorer
  • Name: rflib_SF_REST_API
  • URL: <Enter the URL of your org, but make sure to use the My Domain version: https://*.my.salesforce.com>
  • Enabled for Callouts: Checked
  • External Credentials: RFLIB Admin User
  4. Click "Save"

IMPORTANT: Using "rflib_SF_REST_API" as the Named Credential name is critical to make this configuration work.

NOTE: If the OAuth process fails after authorizing the application, check your security settings for IP range restrictions. You may have to add the Salesforce IP range to the list of valid IP ranges.

Create Permission Set

  1. Go to Setup -> Permission Sets
  2. Click "New" button
  3. Set the following values:
  • Label: RFLIB Permission Explorer REST
  • API Name: RFLIB_Permission_Explorer_REST
  4. Inside the Permission Set, click on "External Credential Principal Access"
  5. Click "Edit" button
  6. Select the "RFLIB_Admin_User - Admin" entry and move it to the enabled list
  7. Click "Save"

IMPORTANT: Assign the Permission Set to any user that will use Permission Explorer

Set the RFLIB Global Config Value

  1. Go to Setup -> Custom Metadata Types
  2. Click "Manage Records" for the "rflib Global Setting" CMT
  3. Click "Edit" for the "Permissions Explorer REST API Enabled" record.
  4. Set the "Value" field to "TRUE"

The REST API is now enabled for Permission Explorer to retrieve result sets with more than 50,000 records.
