FAQ: Inserting Profiles

I inserted a Profile using Security Zen. How come it has more permissions than I specified?

When a Profile is inserted, the Salesforce profile creation process starts by cloning the "Standard" profile.  The permissions you specify in Security Zen for your new profile are then applied on top of the cloned "Standard" profile.  This can lead to some unexpected results!

If you are deploying a new Profile to an environment, make sure that it includes permissions for all entities (Object, fields, tabs, etc.).  Make sure to specify false or no access for unwanted permissions.  If an entity is blank or not specified in your inserted profile, permissions will NOT be automatically removed.  The default permissions cloned from the "Standard" profile for that entity will remain.

There is a feature in Security Zen specifically to address this issue for Objects.  Once you have the security matrix configured, connect to the target environment where you want to deploy security.  Select "Workspace Actions->Add Missing Objects To Workspace From Connection".

This feature will add a row to the security matrix for each object in the target environment that is not already in the workspace.  For Profiles that do not exist in the target environment, the N (i.e. No Access) permission will be populated.  All other added cells will be blank to indicate no change in permissions.

Note that not all objects are listed in the configure window and therefore they could be missed.  Work.com objects in particular are not listed.  You should still check the final result within Salesforce to make sure permissions have been set properly.

For the truly adventurous:

You can also modify the "Standard" profile to change the starting point for inserted profiles.  You will notice that some settings (such as standard object permissions) cannot be modified in the Salesforce user interface for the "Standard" Profile.  You might also notice that the standard object permissions on the "Standard" Profile can be modified using Security Zen.

Wait!  Hold on!  What was that?!?  You can modify something using Security Zen that Salesforce doesn't allow you to do in the Salesforce user interface?!?  Yes, that is correct!

Is this a good idea?  Well, we leave that up to you.  If you have users in the "Standard" Profile, then obviously you will have to consider what permissions you want them to have.  Even if you do not have users in the "Standard" profile, you should still proceed with caution if you choose to modify something that Salesforce doesn't natively allow you to access.

Our initial tests indicate that changes to the "Standard" Profile do propagate to new inserted profiles including changes to Standard object permissions.  However, this approach has NOT been extensively tested.   Repeat - we have NOT tested the full effects of changing standard object permissions on the "Standard" Profile.

Proceed at your own risk if you choose to modify something using Security Zen that Salesforce does not allow you to do natively.