Skip to main content

Quick Tips: Custom security settings (When to use Salesforce Custom Permissions?)

How often did each one of us get into a situation where we have to create custom security rules? For e.g.
  • Call center agents should not be able to give credits. Only Supervisors or Finance team can give credits
  • Only Finance and Account Manager can generate invoice.
And the most trivial way to achieve it is something like

if(profileName == 'Supervisor || profileName == 'Finance'){
     //business logic to give credits
    //throw error message

Now, one of the best ways to handle this is by using "Custom Permissions". It allows you to leverage Salesforce security infrastructure and loosely bind that to your custom logic. This helps in making your code scalable and robust. You'll learn that below.

What are Custom Permissions?
Custom Permissions was made GA in Summer '15 (ver 34.0). It is a unique way of creating a custom permission which is required/ to be used by your custom logic. For e.g. in above example, if we create a custom permission "Can give Credits" then we have ability to provide this permission to user via profile/ permission set.

Apex code needs to be modified as (Helper class implementation shared later) :-
    //business logic to give credits
    //throw error message

Now, the above code is flexible as it doesn't have hard-coded reference to the profile and hence, if in future there are new profile which need same ability to give credits, it can be achieved by simply giving custom permission to the new profiles.

How to use Custom Permissions?
  • In Formulas (easy):- In validation rules it can be simple used by using global variable "$Permission". For e.g.
  • In Visualforce (easy) - 
<apex:commandbutton action="{!save}"
value="Create Credit"> </apex:commandbutton>
  • In Apex (bit tricky as of now) - This is a little tricky wherein data is to be extracted from multiple entities (refer below entity diagram) to evaluate user's access to custom permissions.
Custom Permission - entity diagram

So, in order to retrieve custom permissions via Apex, following queries can be used:-

  1. Query to retrieve all custom permissions and where ever that permission is assigned (profile / permission set)
    Select c.Id, c.DeveloperName, (Select ParentId From SetupEntityAccessItems) From CustomPermission c
  2. Retrieve all permission sets/ profiles assigned to current user (loop through all permissions to determine permission assigned to current user)
    Select SetupEntityId From SetupEntityAccess Where SetupEntityId in :mapCustomPermissions.keySet() AND ParentId in (Select PermissionSetId From PermissionSetAssignment Where AssigneeId = :UserInfo.getUserId())


Popular posts from this blog

Quick Tips: Salesforce default Images

Well, I'm sure a lot of you still rely on using out of the box salesforce images for displaying quick icons within formula fields or even using them within your Visualforce pages. Lately, I realized that a lot of earlier resources are no longer accessible, so I tried to quickly extract all images from Salesforce CSS files and provide a quick reference here. Please note, I've referenced all images from SF servers directly, so if anything changes, the image should stop rendering here. As these images are completely controlled by Salesforce, and in case they change anything, it might lead to image not being accessible. Image path Image /img/samples/flag_green.gif /img/samples/flag_green.gif /img/samples/flag_red.gif /img/samples/color_red.gif /img/samples/color_yellow.gif /img/samples/color_green.gif /img/samples/light_green.gif /img/samples/light_yellow.gif /img/samples/light_red.gif /img/samples/stars_100.gif /img/samples/stars_200.gif /img/samples/stars_300.

Lightning: Generate PDF from Lightning components with in-memory data

I'm sure as everyone is diving into lightning components development, they are getting acquainted with the nuances of the Lightning components framework. As well as, its current limitations. Being a new framework, this is bound to happen. Although we have our users still using salesforce classic, we have started using lightning components framework our primary development platform and Visualforce is considered primarily for rendering lightning components within Classic Service console. Recently, while re-architecting a critical module, we encountered a problem wherein we needed to generate PDF from lightning components. Now, being Javascript intensive framework, it has limited room for such features (may be included in future roadmap). As of now, there is no native feature within the lightning framework to do so (at least I didn't find anything). Common Scenario - Create Visualforce page to retrieve data and generate PDF For scenarios where the data exist within Sa

Lightning: Generate PDF within Lightning Experience with Salesforce Data

Some time back I posted a solution to generate PDF from Lightning components using in-memory data. Post url: It was developed for a specific scenario, wherein we need to generate PDF where: User interface is Salesforce classic Initiated via Lightning Component Data doesn't exist within Salesforce and is completely in-memory As complex and tricky this situation was, we did end up finding a stable and equally tricky solution. However, I realize that there are still lack of solutions (or maybe my search skills are downgrading) to generate and automatically download PDF document from Lightning Experience, without using any lightning components, wherein data exists within Salesforce. You can use the earlier solution in that case, but it will be an overkill. There are various solutions available to generate PDF from javascript. But, I still think the plain old method of converting HTML to PDF (via