Custom Permissions: The Joy of Flexibility in Validation Rules and Workflow

At the start of the new year it’s considered tradition to come up with some resolutions. Many of these we won’t keep. For example, my “I won’t eat any more chocolate” was just a stupid resolution choice and lasted as long as it took for someone to place a very nice hot cup of cocoa near me. A good resolution should contain an achievable goal, some milestones, and a timeline. For example, a resolution for an Admin could be “To have less stress and a more manageable Salesforce org by updating all my validation rules to use custom settings in six months.”

I love validation rules. They’re a fantastic way to keep your data clean and to help guide your users to the path they should be taking. As a company grows, every rule has a tendency to gain exceptions. We don’t want anyone to edit this field except for Sales Managers. Now it’s Sales Managers and their Assistants. Now it’s Sales Managers, their Assistants, and this temporary consultant. Now it’s… and so forth. Sometimes these exceptions are temporary: we just need access for the next week while we update our Opportunities before the big price update.

This can be a pain in the Admin’s side. Those exceptions are typically based on Role ID, Profile ID, or even User ID. There have been many rules that break down to:


text(StageName) = "Qualified" &&
Amount < 0.01 &&
/*Exceptions*/
not($User.ProfileId ="00eE0000000QPl2") &&
not($User.ProfileId = "00eE0000000qtl3") &&
not($User.Id = "005E0000000MQb4")

That’s pretty horrifying. I can feel the stress building up just looking at it. It’s also not very friendly. Which profiles are being referenced? Who’s the User who gets this exception? You could add some more comments in there to make it better, but it’ll still be difficult to manage when you have many validation rules. Here’s a real-life example of how this causes stress: You have a new manager who’s learning the business process. He comes to you and asks what our rules are and who has exceptions to them. Unless you have an extremely well documented and easy to search org, this can turn into a huge time sink.

So why use such a horrible-to-manage and difficult-to-read method? Let’s simplify that rule using Custom Permissions! This is a feature that became available in the Winter ’15 release and whose value I completely didn’t see until recently.

We can take the above validation rule and strip out all the exceptions to a single line:


text(StageName) = "Qualified" &&
Amount < 0.01 &&
/*Exceptions*/
not($Permission.Ignore_Validation_Rules)

Isn’t that so beautiful? It’s so easy to read. A custom permission is really nothing more than a record that can be assigned to Profiles and Permission Sets. Users who are then assigned those Profiles and Permission Sets are also assigned this custom permission. Salesforce will look at the running user and see if that custom permission exists.

Using Custom Permissions

Creating a custom permission is very easy. You’ll find Custom Permissions under the Develop menu, or you can be efficiently lazy like me and just type “custom perm” in the Quick Find box in Setup. Once you are on the Custom Permissions page, just click “New”.
[Image: Creating Custom Permission]

Once your permission is created, you can easily add it to your validation rule using the “Insert” button.

[Image: Adding Permission in Validation Rule]

Here’s an example of the rule itself. In this rule, I want to prevent all edits to an Opportunity unless you have this custom permission.
[Image: Validation Rule]

Now that we have our custom permission and validation rule created, let’s see what happens if I try to update my Opportunity Name, Amount, and Closed Date. You’ll see I get the error message. This is because my user does not have a Profile or Permission Set with our Custom Permission. Let’s fix that.
[Image: Editing an Opportunity]

Adding a Custom Permission to a Profile or Permission Set is very easy. First, go to your Profile. Second, scroll to the bottom and click “Edit” on the Enable Custom Permissions related list. Note – do not EDIT the profile. This will only work if you’re viewing the profile.
[Image: Enable Custom Permissions on Profile]

Great! So now my profile has that custom permission. Let’s see if our edit will now save.
[Image: Successful Edit]

Ta da! You can also do something similar using Custom Settings – which I also love. I’ll do an example of Custom Settings in a different post. What’s great about Custom Permissions is that they’re very flexible. Want to be able to send an email automatically to customers when records are modified, but only by certain people? You can use a Custom Permission for that. You’re a developer and want to hide a section on your Visualforce page except for certain people? You can use a Custom Permission for that! When using Apex, you still have to query for the Custom Permission. Sadly the nifty global reference isn’t available yet in Apex.

The only thing missing from a Custom Permission is a very nice handy list of the Profiles and Permission Sets that have it. So please go vote up this idea: Display the Profiles & Permissions Sets with Custom Permissions on Page
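
The two gaps mentioned above (checking a Custom Permission from Apex, and listing which Profiles and Permission Sets grant it) can both be covered with queries against SetupEntityAccess. This is an added example, not code from the original post or from the commenters’ libraries; the class name CustomPermissionAudit is hypothetical and Ignore_Validation_Rules is the permission used in the post.

```apex
// Added example, not code from the original post. The class name is
// hypothetical; Ignore_Validation_Rules is the permission used in the post.
public with sharing class CustomPermissionAudit {

    // Ids of the custom permission(s) with this API name.
    private static Set<Id> idsFor(String developerName) {
        return new Map<Id, CustomPermission>([
            SELECT Id FROM CustomPermission
            WHERE DeveloperName = :developerName
        ]).keySet();
    }

    // True if the user is granted the permission by their profile or by any
    // assigned permission set. A profile is backed by a profile-owned
    // PermissionSet, so PermissionSetAssignment covers both grant paths.
    public static Boolean userHas(Id userId, String developerName) {
        Set<Id> permIds = idsFor(developerName);
        if (permIds.isEmpty()) {
            return false; // unknown permission name: deny rather than throw
        }
        Integer grants = [
            SELECT COUNT() FROM SetupEntityAccess
            WHERE SetupEntityId IN :permIds
              AND ParentId IN (SELECT PermissionSetId
                               FROM PermissionSetAssignment
                               WHERE AssigneeId = :userId)
        ];
        return grants > 0;
    }

    // Audit view: every profile and permission set that grants the
    // permission, i.e. everyone exempt from the validation rule.
    public static List<String> grantedBy(String developerName) {
        Set<Id> permIds = idsFor(developerName);
        List<String> holders = new List<String>();
        for (SetupEntityAccess sea : [
                SELECT Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name
                FROM SetupEntityAccess
                WHERE SetupEntityId IN :permIds]) {
            holders.add(sea.Parent.IsOwnedByProfile
                ? 'Profile: ' + sea.Parent.Profile.Name
                : 'Permission Set: ' + sea.Parent.Name);
        }
        return holders;
    }
}
```

Running `CustomPermissionAudit.grantedBy('Ignore_Validation_Rules')` from Anonymous Apex gives the list of exemptions to review. In later releases `FeatureManagement.checkPermission` answers the running-user check without SOQL.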

Showing 22 comments
  • Katie McFadden
    Thanks for sharing this!

  • martinmdrhit
    Reblogged this on Mike's Blog.

  • Steve Williams (@MrSteve_W)
    Really awesome tool that I hadn’t discovered yet. I was very pleased to see that these can be assigned to both Standard and Custom Profiles.

  • chriszullo
    As always…helpful, funny and easy to follow!

  • Idan
    Great post as always,
    I posted a Custom Permission Utility Class on my blog for developers’ use of the feature.
    Feel free to use it for the Apex side.

    http://forceinit.com/post/107636773411/custom-permission-utility-class

    • Salesforce Wizard
      Nice! Thanks for sharing. I wanted to go into the apex side but post was already getting long

    • idanblich
      Well.. $Permission not working in WorkFlow for some reason..
      Did you manage to make some kind of formula with $Permission?

      • Alesia Dvorkina
        @idanblich Try using Formula evaluates to true in your Rule Criteria for Workflow, then Insert Field and choose $Permissions – just tested and it works great!

  • kumarrk21
    Nice Blog! thanks. Regarding viewing which profiles and permission sets that have this custom permission, please feel free to use the open source tool I wrote as below

    https://dry-island-7551.herokuapp.com/

    More info available about this tool at https://kksfblog.wordpress.com/2015/01/08/salesforce-metadata-analyzer-audit-all-you-want/

    Would be happy to get some feedback about this tool as well 🙂 (Shameless plug indeed)

    KK

  • meighanrockssf
    Can you explain the differences between custom permissions and custom settings? E.g. the VR override, I do that with a custom setting not permission.

  • Andrew Fawcett
    Nice work, almost at the same time I’ve been writing a blog on this very topic as well (I’ve cross referenced this one). Probably as you can imagine mine focuses more on reading from an Apex code perspective. I’ve written a small Apex helper class (CustomPermissionsReader) to make checking them easier (the SOQL required is a little cryptic!). More details here http://andyinthecloud.com/2015/01/14/creating-assigning-and-checking-custom-permissions/

    • Salesforce Wizard
      Awesome! Thanks Andrew. The SOQL issue was one reason why I decided not to include it on this post. This is pretty cool!

      • Andrew Fawcett
        You’re welcome, between us I reckon we have it covered! 🙂

  • Alesia Dvorkina
    Great post and great tool! Thank you for sharing! I like the idea of using this not only in Validation Rules, but also in Workflows. I knew I saw a post somewhere about this, but could not quite remember where… Glad I decided to listen to your podcast episode IV again 🙂 … Yes, you do have listeners/followers who listen to your podcast episodes multiple times :)))

  • atulgupta31
    I’ve always been away and afraid of Custom Permissions.

    I feel like a dumbo after reading this article. I feel the same the day I understood custom settings 😛

    Thanks Brian 😀

    • Brian Kwong
      Don’t feel dumb. Just the opposite since you learned something new!

  • Jason Lawrence
    Hi Brian, have you tried using Custom Permissions with Validation Rules and noticed any performance issues? Have a look at this post: https://www.salesfix.com.au/custom-permissions-validation-rules-and-apex-cpu-limits/ I’d appreciate your comments.

    • Brian Kwong
      I’ve used them with validation rules but did not see a desegregation in performance
