Security: Scenario 1 Solution

The solution section provides an overview of how to solve this scenario, and why that solution was chosen.  The Solution Steps section immediately following outlines the exact steps used to replicate the solution.

Solution:

Standard profiles are essentially used as templates that remain mostly the same throughout all Salesforce orgs.  As you can make only a very limited number of changes to a standard profile, the solution is to create a custom profile corresponding to the functionality needed by a set of users.

In this scenario, I would create a profile called “Inside Sales”, and enter in the description “standard profile w/o export report permission” along with details about the profile’s usage.

This serves two purposes:

  1. It removes the restrictions of a standard profile.
  2. It establishes a baseline set of permissions for specific users.  For instance, if both the inside and outside sales teams use the same profile, then if I need to change permissions for only one team, I’ve got a lot more work to do.  Where you draw the lines between profiles, permission sets, and the security model as a whole is an art, not science.  Rely on those that know your business well, ask a lot of questions, and understand how Salesforce works.

Success Criteria:

These steps were generated with the enhanced profile editor disabled. If these steps do not match what you see in your org, go to Setup –> Customize –> User Interface, and ensure that ‘Enable Enhanced Profile User Interface’ is unchecked.
  1. Setup –> Manage Users –> Profiles
  2. New Profile (Button)
  3. Select Existing Profile “Standard User”, Profile Name “Inside Sales”, Save
  4. Edit Profile, Uncheck “Export Reports” (you may want to search the page), Save
  5. Setup –> Manage Users –> Users
  6. Edit James Smith, Select Profile “Inside Sales”, Save
  7. Click Login next to James Smith, Select Reports Tab, Run any Report, Verify that “Export Details” is not present

49 Responses to “Security: Scenario 1 Solution”

  1. khocatherine July 29, 2017 at 3:40 pm #

    Hi John,

    In Users, I only have the Edit option next to Smith, James. All users only have Edit, there’s no Login link beside their names. Is it something that I have to enable manually? Thanks

    • JohnCoppedge July 31, 2017 at 12:31 pm #

      Yes you need to enable login as any user in login access policies

      • jortiz October 6, 2017 at 9:31 pm #

        I don’t see the option to enable this under login access policies?

  2. hsen July 21, 2017 at 7:30 pm #

    I cannot uncheck “Export Reports” box when I click on Edit, why is that?

  3. jindainthara May 12, 2017 at 12:43 pm #

    Hi John,
    I don’t have privilege to run report although I am an admin and didn’t modify anything. Why?

    • JohnCoppedge May 12, 2017 at 5:43 pm #

      I can’t imagine a scenario where that would be the case- are you sure you’re logged in as a system admin and assigned the standard (non-custom) system administrator profile?

      • jindainthara May 13, 2017 at 8:57 pm #

        Hi John,
        Thank you for reply.
        Yes, I have the standard admin profile and still don’t have privilege. I try assigned to the “standard” profile but nothing changed.

        Anyway, I created another account and did everything the same and it worked this time. Still couldn’t figure out what I did wrong for the first time.

  4. akshadaks January 24, 2017 at 12:34 am #

    Hi John.

    I don’t see any login option next to John Smith. Please assist.

    Regards
    Akshay

  5. Svi November 14, 2016 at 10:46 pm #

    Hi John,

    I was not able to find the option where I can uncheck the box for run reports, and I was trying to do this from the James account as a System Administrator? Could you please help me with this?

    • JohnCoppedge November 16, 2016 at 10:43 pm #

      You need to create a new profile while logged in as the system administrator (your primary developer edition login)… are you following the steps above?

      • Svi November 17, 2016 at 10:25 pm #

        Yes, I was trying to create the profile from System administrator account but Im not able to find the option to uncheck the export option?

      • Svi November 17, 2016 at 10:38 pm #

        while creating the new profile from the standard user profile , I didnt find an option to edit profile anywhere? Could you please tell where do I find an option to change the profile?

      • Sal February 22, 2017 at 11:37 pm #

        Hi, I am facing the problem. Any help ?

        • Sal February 22, 2017 at 11:38 pm #

          same* problem as svi

          • JohnCoppedge February 23, 2017 at 8:54 pm #

            Make sure “Enable Enhanced Profile User Interface” is turned off in the user interface settings – that may be the issue.

  6. mayousaf May 21, 2016 at 3:03 pm #

    Thanks I just completed exercise
    Just to clarify
    Steps to grant access were
    personal setup—>my personal information–>grant login access

  7. CarlosSiqueira May 12, 2016 at 10:09 pm #

    I have disabled the Enhanced Profile User Interface as you suggested before, so you might want to mention that you find the “Export Report” under “General User Permissions” towards the end of the page. If you have the Enhanced Profile active, you need to go half way down on the page , under System and click on “System Permissions” to see the “Export Reports” option.

  8. pjonnala December 5, 2015 at 9:17 pm #

    When you say inside sales team what is it in salesforce. Is it a group. How would you assign a profile to a whole team

  9. mcshockey June 3, 2015 at 5:50 pm #

    Hi John,

    For the above exercise, do I need to create the fictitious user James Smith?

    Thanks,

    Mike

  10. sksood May 22, 2015 at 12:03 pm #

    In the enhanced profile view settings am I right in stating that the ability to export reports check box is now under the Systems Permissions settings. Once you edit this ‘view’ then the user can enable or disable the ‘Export Reports’ permission.

    Thanks

    • JohnCoppedge May 31, 2015 at 6:03 pm #

      Yes you can make that edit using the enhanced profile view or by directly modifying the profile

  11. Matej Blatnik April 29, 2015 at 11:24 am #

    Dear John,

    If I was to assign a permission set to a user for a certain period of time (ie during the manager’s holiday period), do I need to revoke this permission sets manually or is there an option of assigning them with time validity?

    Thank you in advance.

  12. Dorothy Narvaez April 2, 2015 at 6:46 pm #

    Ugh – totally got that had to create a new profile but totally missed the uncheck export report part … 🙁

  13. john roy January 12, 2015 at 4:01 am #

    I found my error. I mistakenly tried to use a permission set to remove. When I figured out that was wrong, I failed to delete the permission set from the user. My bad (of course that means I pretty much did scenario two…)

  14. john roy January 12, 2015 at 2:52 am #

    I’ve tried this exercise twice, and it doesn’t seem to work. I created a new profile, and removed the check in the checkbox next to “Export reports”, under the sys admin login. assigned it to the Smith id and logged into the smith id. The export details option is still there and allows exporting. What am I doing wrong?

  15. Rudy Ornelas January 8, 2015 at 1:44 am #

    Hi John,

    How do I log out as James Smith and back as an Admin? Only way of doing this is by logging out completely.

  16. moshtagh Foroohar Pak November 26, 2014 at 11:29 pm #

    John, in item 7 , I can not see “Run any Report” in Reports tab. Do you know what is the reason?

    • JohnCoppedge November 28, 2014 at 3:03 am #

      That just means locate any report (there should be a few standard reports) and select it.

  17. shanmugapriya ramalingam August 5, 2014 at 1:31 am #

    John, i have performed the above exercise,when i run the report the export detail button is enabled and i can export the details. what should i do to disable the export detail button. i m working on summer 14 developer edition

    Thanks

  18. Eric Podewell July 12, 2014 at 7:24 pm #

    Instead of performing steps 2 & 3 in the solution above, can’t you just find the “standard user” profile, click ‘clone’, and then edit it to uncheck “export reports”, and save? Or is this method wrong?

  19. Tijana Avramovic May 18, 2014 at 1:33 pm #

    John, I don’t see button for “login” next to user. Do I need to enable something in order for this button “login as user” to show up?
    Thanks!

  20. Eileen Kingsley-Hamm February 3, 2014 at 4:11 pm #

    You have a typo in the header – Secnario.

Leave a Reply