Wednesday, July 1, 2015

Quick Tips: Custom security settings (When to use Salesforce Custom Permissions?)

How often have we found ourselves needing to create custom security rules? For example:
  • Call center agents should not be able to give credits. Only Supervisors or the Finance team can give credits.
  • Only Finance and Account Managers can generate invoices.
The most trivial way to achieve this is something like:

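// Look up the running user's profile name
String profileName = [SELECT Name FROM Profile WHERE Id = :UserInfo.getProfileId()].Name;
if(profileName == 'Supervisor' || profileName == 'Finance'){
     //business logic to give credits
}
else{
    //throw error message
}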

One of the best ways to handle this is by using "Custom Permissions". They let you leverage the Salesforce security infrastructure and loosely couple it to your custom logic, which helps make your code scalable and robust. You'll learn how below.

What are Custom Permissions?
Custom Permissions was made GA in Summer '15 (ver 34.0). A custom permission is a permission you define yourself for use by your custom logic. For example, in the scenario above, if we create a custom permission "Can give Credits", we can then grant it to users via a profile or permission set.

The Apex code then needs to be modified as follows (helper class implementation shared later):
if(UserPermissionsHelper.doesUserHavePermission('CanGiveCredit')){
    //business logic to give credits
}
else{
    //throw error message
}

The above code is flexible because it has no hard-coded reference to a profile. If new profiles need the same ability to give credits in the future, that can be achieved simply by granting the custom permission to those profiles.

How to use Custom Permissions?
  • In Formulas (easy): In validation rules it can be used simply by referencing the global variable "$Permission". For e.g.
 
  • In Visualforce (easy) - 
<apex:commandButton action="{!save}"
    rendered="{!$Permission.Can_Generate_Invoice}"
    value="Create Credit" />
  • In Apex (a bit tricky as of now) - Here, data has to be extracted from multiple entities (refer to the entity diagram below) to evaluate a user's access to custom permissions.
Custom Permission - entity diagram

To retrieve custom permissions via Apex, the following queries can be used:

  1. Query to retrieve all custom permissions and wherever each permission is assigned (profile / permission set)
    Select c.Id, c.DeveloperName, (Select ParentId From SetupEntityAccessItems) From CustomPermission c
  2. Retrieve all permission sets / profiles assigned to the current user (loop through all permissions to determine which are assigned to the current user)
    Select SetupEntityId From SetupEntityAccess Where SetupEntityId in :mapCustomPermissions.keySet() AND ParentId in (Select PermissionSetId From PermissionSetAssignment Where AssigneeId = :UserInfo.getUserId())
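
One way to combine the two queries above into the `UserPermissionsHelper.doesUserHavePermission` check used earlier. This is an added example, not the author's helper class; the per-transaction cache, the private method name and the fail-closed handling of blank names are assumptions of this example.

```apex
// Added example (not the original author's helper class).
public with sharing class UserPermissionsHelper {

    // Cached per transaction so repeated checks do not consume extra SOQL queries.
    private static Set<String> grantedPermissions;

    // Returns true only if the running user holds the custom permission
    // with this DeveloperName, through a profile or a permission set.
    public static Boolean doesUserHavePermission(String developerName) {
        if (String.isBlank(developerName)) {
            return false; // fail closed on a missing name
        }
        if (grantedPermissions == null) {
            grantedPermissions = loadGrantedPermissions();
        }
        // Set<String>.contains is case-sensitive: pass the exact DeveloperName.
        return grantedPermissions.contains(developerName);
    }

    // Hypothetical helper: resolves the running user's custom permissions.
    private static Set<String> loadGrantedPermissions() {
        Set<String> granted = new Set<String>();

        // Query 1: every custom permission in the org, keyed by Id.
        Map<Id, CustomPermission> mapCustomPermissions =
            new Map<Id, CustomPermission>(
                [SELECT Id, DeveloperName FROM CustomPermission]);
        if (mapCustomPermissions.isEmpty()) {
            return granted; // nothing defined, so nothing is granted
        }

        // Query 2: access rows whose parent is a permission set assigned to
        // the running user. A profile is backed by its own permission set,
        // so profile grants are covered by the same subquery.
        for (SetupEntityAccess access : [
                SELECT SetupEntityId
                FROM SetupEntityAccess
                WHERE SetupEntityId IN :mapCustomPermissions.keySet()
                AND ParentId IN (SELECT PermissionSetId
                                 FROM PermissionSetAssignment
                                 WHERE AssigneeId = :UserInfo.getUserId())]) {
            granted.add(
                mapCustomPermissions.get(access.SetupEntityId).DeveloperName);
        }
        return granted;
    }
}
```

Call the check inside the controller action as well as in `rendered`, since hiding a button does not stop the action from being invoked. Later API versions also provide the built-in `FeatureManagement.checkPermission`, which removes the need for these queries.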
