Custom Permissions are now available in Process Builder too! Check out my how to here:Â https://thewizardnews.com/2018/01/19/power-custom-permissions-process-builder/
At the start of the new year it’s considered tradition to come up with some resolutions. Many of these we won’t keep. For example, my “I won’t eat anymore chocolate” was just a stupid resolution choice and lasted as long as it took for someone place a very nice hot cup of cocoa near me. A good resolution should contain an achievable goal, some milestones, and a timeline. For example a resolution for an Admin could be “To have less stress and a more manageable Salesforce org by updating all my validation rules to use custom settings in six months.”
I love validation rules. They’re fantastic way to keep your data clean and to help guide your users to the path they should be taking. As a company grows, every rule has this tendency to gain exceptions. We don’t want anyone to edit this field except for sales managers. Now it’s Sales Managers and their assistants. Now it’s Sales Managers, their Assistants, and this temporary consulting. Now it’s… and so forth. Sometimes these exceptions are temporary. We just need access for the next week while we update our Opportunities before the big price update.
This can be a pain in the Admin’s side. Those exceptions are typically based on Role ID, Profile ID, or even User ID. There’s been many rules that break down to:
text(StageName) = "Qualified" &&
Amount < 0.01 &&
/*Exceptions*/
not($User.ProfileId ="00eE0000000QPl2") &&
not($User.ProfileId = "00eE0000000qtl3") &&
not($User.Id = "005E0000000MQb4")
That’s pretty horrifying. I can feel the stress building up just looking at it. It’s also not very friendly. Which profiles are being referenced? Who’s the User who gets this exception? You could add some more comments in there to make it better, but it’ll still be difficult to manage when you have many validation rules. Here’s a real life example of how this causes stress: You have a new manager who’s learning the business process. He comes to you and asks what our rules are who and who has exceptions to them. Unless you have an extremely well documented and easy to search org, this can turn into a huge time sink.
So why use such a horrible to manage and difficult to read method. Let’s simplify that rule using a Custom Permissions! This is a feature that became available in the Winter ’15 release and which I completely didn’t see the value until recently.
We can take the above validation rule and strip out all the exceptions to a single line:
text(StageName) = "Qualified" &&
Amount < 0.01 &&
/*Exceptions*/
not($Permission.Ignore_Validation_Rules)
Isn’t that so beautiful? It’s so easy to read. A custom permission is really nothing more than a record that can be assigned to Profiles and Permission Sets. Users who are then assigned those Profiles and Permissions sets are also assigned this custom permission. Salesforce will look at the running user and see if that custom permission exist.
Using Custom Permissions
Creating a permission set is very easy. You’ll find Custom Permissions under the develop menu or you can be efficiently lazy like me and just type custom perm in the quick find box in setup. Once you are on the Custom Permissions page, just click “New”.
Once your permission is created, you can easily add it to your validation rule using the “Insert” button.
Here’s an example of the rule itself. In this rule, I want to prevent all edits to an Opportunity unless you have this custom permission.
Now we have our custom permission and validation rule created, let’s see what happens if I try to update my Opportunity Name, Amount, and Closed Date. You’ll see I get the error message. This is because my user does not have a Profile or Permission set with our Custom Permission. Let’s fixed that.
Adding a Custom Permission to a Profile or Permission Set is very easy. First, go to your Profile. Second, scroll to the bottom. And click “Edit” on the Enable Custom Permissions related list. Note – do not EDIT the profile. This will only work if you’re viewing the profile.
Great! So now my profile has that custom permission. Let’s see if our edit will now save.
Ta da! You can also do something similar using Custom Settings – which I also love. I’ll do an example of Custom Settings in a different post. What’s great about Custom Permissions is it’s very flexible. Want to be able to send an email automatically to customers when records are modified, but only by certain people? You can use a Custom Permission for that. You’re a developer and want to hide a section on your Visualforce page except for certain people? You can use a Custom Permission for that! When using APEX, you still have to query for the Custom Permission. Sadly the nifty global reference isn’t available yet in Apex.
The only thing missing from a Custom Permission is a very nice handy list of the Profiles and Permission Sets that have it.
So please go vote up these ideas:
Display the Profiles & Permissions Sets with Custom Permissions on Page
Was this post helpful? Consider subscribing to my e-mail notifications or following my Facebook page. Also check out Wizard Apprentice, my video training guides and of course the WizardCast podcast – Salesforce with a sense of humor.
Finally, if you want to support the site, we’re an Amazon affiliate. Purchases that start from the search widget on the page helps me pay the hosting fees. Alternatively, you can see the products that I’ve personally bought, use, and actually like on my influencer page: https://www.amazon.com/shop/kwongerific
-
[…] you can use the $Permission from a Visualforce page or as SFDCWizard points out here from Validation Rules! Here is the Visualforce page example given by Salesforce in their […]
[…] The Wizard News Blog Article […]
[…] We had a requirement recently to allow a subset of users (not aligned to specific profiles) to be able to move an Stage field forward but not backwards. We thought this was a great use case for the Custom Permissions as referenced by Brian Kwong aka @salesforceWizard here https://thewizardnews.com/2015/01/08/custom-permissions-the-joy-of-flexibility-in-validation-rules-an… and @andyinthecloud here https://andyinthecloud.com/2015/01/14/creating-assigning-and-checking-custom-permissions/ […]
Leave a Reply
Thanks for sharing this!
Reblogged this on Mike's Blog.
Really Awesome tool that i hadn’t discovered yet. I was very pleased to see that these can be assigned to both Standard and Custom Profiles
As always…helpful, funny and easy to follow!
Great post as always,
I posted a Custom permission Utility Class on my blog for developers use of the feature.
feel free to use it for the Apex side.
http://forceinit.com/post/107636773411/custom-permission-utility-class
Nice! Thanks for sharing. I wanted to go into the apex side but post was already getting long
Well .. $Permission not working in WorkFlow for some reason..
Did you manage to make some kind of formula with $Permission ?
@idanblich Try using Formula evaluates to true in your Rule Criteria for Worfklow, then Insert Field and choose $Permissions – just tested and it works great!
@Alesia Dvorkina is there a way to use the criteria instead of formula for the $Permissions? Thank you!
Nice Blog! thanks. Regarding viewing which profiles and permission sets that have this custom permission, please feel free to use the open source tool I wrote as below
https://dry-island-7551.herokuapp.com/
More info available about this tool at at https://kksfblog.wordpress.com/2015/01/08/salesforce-metadata-analyzer-audit-all-you-want/
Would be happy to get some feedback about this tool as well 🙂 (Shameless plug indeed)
KK
Can you explain the differences between custom permissions and custom settings? E.g. the VR override, i do that with a custom setting not permission.
Great question. The answer actually planned as the post this week
On the edge of my seat…
Nice work, almost at the same time i’ve been writing a blog on this very topic as well (i’ve cross referenced this one). Probably as you can imagine mind focuses more on reading from an Apex code perspective. I’ve written a small Apex helper class (CustomPermissonsReader) to make checking them easier (the SOQL required is a little cryptic!). More details here http://andyinthecloud.com/2015/01/14/creating-assigning-and-checking-custom-permissions/
Awesome! Thanks Andrew. The soql issue was one reason why I decided not to include it on this post. This pretty cool!
Your welcome, between us i reckon we have it covered! 🙂
Great post and great tool! Thank you for sharing! I like the idea of using this not only in Validation Rules, but also in Workflows. I knew I saw a post somewhere about this, but could not quite remember where… Glad I decided to listen your podcast episode IV again 🙂 … Yes, you do have listeners/followers who listen to your podcast episodes multiple times :)))
I’ve always been away and afraid of Custom Permissions.
I feel like a dumbo after reading this article. I feel the same the day I understood custom settings 😛
Thanks Brian 😀
Don’t feel dumb. Just the opposite since you learned something new!
Hi Bryan, have you tried using Custom Permissions with Validation Rules and noticed any performance issues ? Have a look at this post: https://www.salesfix.com.au/custom-permissions-validation-rules-and-apex-cpu-limits/ I’d appreciate your comments.
I’ve used them with validation rules but did not see a desegregation in performance