Using Custom Permissions

20 Nov

A few years back my boss gave me a really cool gift for Christmas…an iPad. Of course I worked my backside off that year, as I have every year, so it could be construed that I earned it, but nevertheless, it was a totally cool gift which I totally appreciated and which I would not have gone out and gotten for myself.

My kids were thrilled when they got their hands on it, and quickly monopolized it to the extent that I hardly used it at all. But I didn’t mind.

Fast forward a few years: the kids are now more interested in their own personal devices, and I find that I would love to use the thing a whole lot more. The problem is, its software can no longer be upgraded, and it’s now too old to run the new apps that are being released, which greatly reduces its functionality.

The point of this story is that when building out your Salesforce platform, it’s best to keep in mind that updates are inevitable, so always be on the lookout for ways to implement customizations so that they can be quickly and easily updated as new demands come along.

Custom Permissions, which were released in Winter 2015, are one of the tools that can be used to achieve this flexibility.

What Are Custom Permissions?

Custom permissions are global variables that you can check for in your processes and validation rules (for more information on global variables, see prior post: Global Variables). If the custom permission is present for the user, the global variable will evaluate to true, and if absent, false.


A Hypothetical Scenario:

Let’s say that the employees of your company are competing against those of another to see which team can rack up the highest percentage of weight loss over the next three months. Since everyone wants to beat the other company, it’s decided that the ice cream freezer will be locked, and a cadre of brave souls will determine who gets an occasional treat.

Ice Cream!

You’re tasked with locking the freezer down for everyone except those few lucky ones. Not only that, but the ice-cream-grantor committee has decided that the list of lucky ones who get ice cream may change from time to time.

At first a chill runs down your spine at the thought of having to change the freezer validation rules at every whim of the committee, then you remember that you have custom permissions at your disposal.

Creating Custom Permissions

After you have locked the ice cream freezer you now need to create a way to open it back up for the privileged few. You go to Setup > Develop > Custom Permissions and create a new permission. It’s really quite easy…all you do is type out what the permission is (“Is allowed ice cream”) into the Label field and optionally adjust the Name field and enter a Description. Since you’ve got a lot to do you just let Salesforce complete the Name field:

Create Custom Permission


Next you look at the list of lucky users who are allowed to have ice cream to determine how granular you need to be in applying your permission. In other words, can you add the permission to a Profile (all the people assigned to the profile are on the list), or should you add the permission to a permission set and then assign the permission set to individual users? And as you’re reviewing the list you have to chuckle to yourself because you see that the committee has granted themselves access, but has denied access to Milton, who was recently moved to the basement.

You see that you can apply the permission to a profile that happens to be the profile for all the committee members, and you decide to create a Permission Set as well, just to be ready to grant access to anyone else that gets added to the list.

Add Custom Permission to Profile (part 1)

Add Custom Permission to Profile (part 2)

Add Custom Permission to Permission Set

Using Custom Permissions

Once you have created a custom permission, the $Permission global merge field variable is now available anywhere you can enter a formula, so your final step is to adjust your ice cream processes to check for this permission. All you have to do is look for $Permission in the list of available fields, then select your “Is_allowed_ice_cream” permission, just like selecting a cross-object field. In your formula this field will evaluate to true if it is present for the user (has been assigned to them through their profile or through a permission set), and false if it is not present.

The hardest part of this project is that you may have ice cream processes in several places (workflow, approval processes, visual flow, and field validation rules for example), so it may take a bit of work to get everything running as expected, but once in place, a custom permission will give you quite a bit of flexibility in controlling who has access to the freezer.

Custom Permission in Formula

Custom Permission in Visual Flow
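
An access review that follows from this, as an added example (not from the original post): the Python below takes constructed rows shaped like the standard CustomPermission, PermissionSet, SetupEntityAccess and PermissionSetAssignment objects and lists every user for whom $Permission.Is_allowed_ice_cream would be true, together with the profile or permission set that grants it. All Ids, user names and set names are made up, and it assumes the rows were exported from the org beforehand.

```python
# Constructed sample rows shaped like four standard Salesforce objects
# (CustomPermission, PermissionSet, SetupEntityAccess, PermissionSetAssignment).
# All Ids, user names and set names are made up for this example.
CUSTOM_PERMISSIONS = [{"Id": "0CP1", "DeveloperName": "Is_allowed_ice_cream"}]
PERMISSION_SETS = [
    {"Id": "0PS1", "Name": "Committee_Profile", "IsOwnedByProfile": True},
    {"Id": "0PS2", "Name": "Ice_Cream_Access", "IsOwnedByProfile": False},
    {"Id": "0PS3", "Name": "Standard_Profile", "IsOwnedByProfile": True},
]
SETUP_ENTITY_ACCESS = [  # which permission set (ParentId) grants which permission
    {"ParentId": "0PS1", "SetupEntityId": "0CP1"},
    {"ParentId": "0PS2", "SetupEntityId": "0CP1"},
]
ASSIGNMENTS = [  # a user's profile shows up here as a profile-owned set
    {"AssigneeId": "chair", "PermissionSetId": "0PS1"},
    {"AssigneeId": "treasurer", "PermissionSetId": "0PS1"},
    {"AssigneeId": "treasurer", "PermissionSetId": "0PS2"},
    {"AssigneeId": "intern", "PermissionSetId": "0PS3"},
    {"AssigneeId": "intern", "PermissionSetId": "0PS2"},
    {"AssigneeId": "milton", "PermissionSetId": "0PS3"},
]


def holders(developer_name):
    """Map each user holding the custom permission to the paths that grant it."""
    perm_ids = {p["Id"] for p in CUSTOM_PERMISSIONS
                if p["DeveloperName"] == developer_name}
    granting = {a["ParentId"] for a in SETUP_ENTITY_ACCESS
                if a["SetupEntityId"] in perm_ids}
    sets = {s["Id"]: s for s in PERMISSION_SETS}
    result = {}
    for row in ASSIGNMENTS:
        ps = sets.get(row["PermissionSetId"])
        if ps is None or ps["Id"] not in granting:
            continue
        kind = "profile" if ps["IsOwnedByProfile"] else "permission set"
        result.setdefault(row["AssigneeId"], []).append(f"{kind}: {ps['Name']}")
    return result


def unexpected(developer_name, approved):
    """Users who hold the permission but are not on the approved list."""
    return sorted(set(holders(developer_name)) - set(approved))


if __name__ == "__main__":
    for user, paths in sorted(holders("Is_allowed_ice_cream").items()):
        print(user, "<-", ", ".join(paths))
    print("not approved:", unexpected("Is_allowed_ice_cream", ["chair", "treasurer"]))
```

A user can hold the permission through more than one path, so removing someone from the permission set does not lock the freezer for them if their profile also grants it.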


Preparing for the Future

It occurred to me, as I was researching this topic, that it would be really handy to have a crystal ball so that these types of features could be anticipated in advance and could be written into complex processes right from the get go. It’s a lot harder to go back into a process and add functionality than it is to write it in from the start. I have yet to do this, but it will definitely be something I’ll be giving some thought to and will post my findings if it comes to pass that I figure out a nifty way to do this.




Posted on November 20, 2015 in Global Variables, Permissions

