“Check all” in permission set and profile UI

I just started using the new permission sets mechanism. The first setting I needed to make was to enable full create, read and edit permission on a custom object that has 34 fields. Naturally the permissions default to unchecked. Checking three check boxes for the read/create/edit object-level permissions was one thing. But having to check close to 68 check boxes for read/edit field-level permissions was another. Across the 30 or so custom objects we use there are close to 1000 fields and with several permission sets needed overall thats an awful lot of tedious clicks and a step towards RSI.

The problem is that there is no “check all” feature for the field-level permissions, even though the UI is brand new. Supporting large scale development requires specific consideration – here are some examples from Eclipse’s past: large-scale development issues – but that does not seem to be a priority in the Force.com web tooling. Another example of UI that is painful when the scale goes up is picklist value deletion. This involves several clicks per value, not a problem if you are deleting a few values but a while ago I needed to delete a few hundred values…

The work-around I am using for the permission sets is to use the Check All extension to Chrome. This adds a button to the right of the URL text box that displays a menu that includes “Check All” and “Uncheck All” options that apply to all check boxes in the current page. Not perfect but better than nothing.

Note that if you have a small number of profile or permission set changes to make across many profiles or permission sets this Editing Profiles Using Profile Lists mechanism should help.

Advertisements

One thought on ““Check all” in permission set and profile UI

  1. Thanks for the honest feedback! We’ve been looking at the check all feature and it’s on the backlog but won’t be in the product in the next release. This was somewhat intentional.

    While developing permission sets, we found that a lot of admins had no idea what permissions, and in particular field level security, were enabled on their profiles. And considering that each profile can have upwards of a million access checks (2000 objects * 6 permissions each * 800 fields per object * 2 permissions * everything else), making the information meaningful to an admin is a challenge we’re still working on.

    As a result, while an admin thought that he or she had a profile with just ‘one more perm’ than some other profile, in reality it was rarely the case. Part of the reason for this assumption being wrong is the number of ways permissions are set including the check all checkbox on the field creation wizard which sets access to all profiles without first considering whether all profiles really require it. This means that admins were granting access to users who may not have really required it.

    Of course, this isn’t the case on the permission set user interface where your intention may well be to provide full access to all fields for an administrative role. We will be looking into adding this functionality but in the meantime, your workarounds are excellent and please also consider using the Force.com IDE and Metadata API to manage your permission set permissions.

    Also check out the following blog posting from Arkus, a salesforce.com partner, on best practices they found when implementing permission sets: http://www.arkusinc.com/archive/2011/a-new-approach-to-security-using-permission-sets.

    Thanks!

    Adam Torman
    Product Manager for Permission Sets

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s