We have many profiles in our org, and I suspect that some of them are redundant because the person who originally set them up didn't seem to understand the purpose of Profiles (confusion with Roles, perhaps). I would like to consolidate and clean them up, but I need to be able to do a diff on them to determine which ones are redundant. Any was to do such a thing?
Attribution to: Stacey Chale
Possible Suggestion/Solution #1
You could use the Data Loader to download all of the records in the Profile Object into a CSV and use Excel to do some analysis of all of the Boolean fields. That might be easier than the XML reading/parsing.
Admittedly it is not much help with the Object/Field related settings which would obviously be required.
Attribution to: Peter Knolle
Possible Suggestion/Solution #2
For those of you still looking at this post years later, check out this web app presented at Dreamforce 2013:
https://perm-comparator.herokuapp.com/
All credit and thanks to John Brock the mad genius!
Drag and drop profiles/users/perm sets and instantly organize by comparison category (common/different/unique permissions), and further groups permissions into 'user', 'object' and 'setup entity' permissions.
Attribution to: smohyee
Possible Suggestion/Solution #3
You should check out Security Zen www.securityzen.net
It let's you compare both Profiles and Permission Sets both within orgs and between orgs. It also let's you deploy security from one environment to another. You can also find it on the Salesforce App Exchange.
Attribution to: Mike Paisner
Possible Suggestion/Solution #4
I have built this tool for profile comparisons which can compare two profile at a time and generate report in excel.
https://github.com/sushilgit/ProfileComparison
Attribution to: sushsfdc
Possible Suggestion/Solution #5
My name is Adam Torman and I'm a platform product manager at salesforce.com responsible for profiles and permission sets.
I get this question quite a bit and I wish there was an 'easy' button to push that could give you the information your looking for.
The reality is that the concept of 'easy' doesn't scale nearly as well as a user's profile or permission set.
Take an org with 100 custom objects, each object with approximately 50 fields. Add on average 2 page layouts per object with a record type a piece. Include 10 apps, 100 apex classes and 100 visual force pages. For any given profile or permission set, that means there are 11,000 permissions that can be configured ((100*6) + (100*50*2) + (100*2) + (200)) with an almost infinite number of possible combinations.
And that's not even everything that a profile can contain! Add to that 10 profiles you want to combine and compare across 100 users with 20 add-on permission sets and you have a proverbial needle in the haystack.
So when it comes to administering profiles and permission sets, it's really about finding the right tool for the job. There are many tools available to manage these profiles and permission sets, but no single tool I would recommend because every tool begins with a fundamental question, "what do I want to know" or "what do I want to do"?
Examples of questions I frequently hear include:
Who has Modify All Data?
Does Sam Bradley have the right to click on this tab or view that Visualforce page?
What's different between Sam Bradley and Mike Liescher?
What's different between the Standard User and the Basic profiles?
What's different between the PTO Manager and PTO Administrator permission sets?
How can I assign this permission set to 100 new users?
How can I remove the Modify All Data permission from any users with the Basic Profile or have North American Managers in their title
How can I automate the assignment of the API Enabled permission set anytime a user becomes a manager and remove it if it no longer applies?
How can I disable the View All Data permission from all profiles, add it to a single permission set, and assign it to all users who originally had the profile with the permission?
How can I organize my permission sets the same way I organize my business or distribute apps to people?
Each question maps to a specific task that I am performing as an administrator. Now combine each task with the concept that each user, profile, and permission set can contain an infinite number of permission and settings combinations and you have the need to find the right tool for the right job to answer the right question. And each task may map to a different tool or API that can be used to answer it.
There are some great resources to help answer specific questions. For instance:
I did a great dreamforce 2012 session with Sherrie Smith from Paychex Inc where we outlined some techniques comparing and managing profiles: http://www.youtube.com/watch?v=LcqS1KvMvK8
I did another great dreamforce 2012 session with some of my team members and partners where we dug into some of the great tools you can build on top of our API: http://www.youtube.com/watch?v=LcqS1KvMvK8
One of those tools included a graphical interface for comparing users, profiles, and permission sets but looking specifically at their user permissions: https://perm-comparator.herokuapp.com by John Brock
Check out: Using SOQL to determine your force.com user's permissions ( http://blogs.developerforce.com/engineering/2012/06/using-soql-to-determine-your-users-permissions-2.html )
Probably the best tool for a more extensive comparison of profiles is the force.com IDE native compare ( http://wiki.developerforce.com/page/Force.com_IDE ). Mike Chale's comment about using the ANT Migration Tool is another manfiestation of this.
There are some other great open resources that take the MdAPI XML and parses it to show differences like Quick Diff ( http://www.quickdiff.com/ ), or Model Metrics Diff Dog - Setting up and using DiffDog for Salesforce.com ( http://www.modelmetrics.com/tomgersic/setting-up-and-using-diffdog-for-salesforce-com-deployment-validation/ )
There are also some great AppExchange Packages including:
The Permissioner by Arkus: ( https://sites.secure.force.com/appexchange/listingDetail?listingId=a0N30000008XYMlEAO )
Snapshot by Dreamfactory: ( https://sites.secure.force.com/appexchange/listingDetail?listingId=a0N300000016cejEAA# )
The key part here really is identifying what you want to compare and why. The why part is pretty important since once you know how profiles are different, you'll want to do something with that information.
Hope this helps some! Give a shout if you want some help with it.
AT
Attribution to: Adam Torman
Possible Suggestion/Solution #6
I have developed a chrome extension that can compare (profiles from same or different orgs) and highlight all the differences. You might want to check it out:
Extension available @ https://chrome.google.com/webstore/detail/profile-comparator-for-sa/ijbipklcimjilmnaffocmjkfddhpaadg
Video that shows how this could be used: https://www.youtube.com/watch?v=8RVxcjSucQI
let me know if that helps.
Attribution to: Rajiv Bhatt
Possible Suggestion/Solution #7
My preferred method is by retrieving the profile details with the ANT-based Migration Tool. You can configure it to retrieve profiles and roles, which will come down as XML files. These can then be compared using your favorite diff tool.
More details on the Migration tool can be found on the Salesforce site.
Attribution to: Mike Chale
Possible Suggestion/Solution #8
Yes, you can compare profiles, how ever it's a bit limited. You can compare until 15 settings, using a view
Go to: Setup -> Manage Users -> profiles -> Create a new View.
Give it a name, and select the Settings you want to compare.
It's indeed limited, but it's better than nothing.
I'll point out that the way I solved the too_many_profiles was to start and move users from one to another, and wait for them to complain. I use to notify them of the change, and ask them to let me know if/what has changed. Than I create a permission set for them, and all is well.
Found that solution to be very sufficient.
*Some personal story: this was actually an idea in SF ideas that I asked for, and it was delivered :-)
http://success.salesforce.com/ideaView?id=08730000000BpoAAAS
Attribution to: Saariko
Possible Suggestion/Solution #9
I can see some steps to follow in this process:
- Identify what are the profiles associated with the users (exporting the data). For those not in use and not standard profiles, we can keep them as candidates to be removed (depending if you want to clean up).
- Compare the profiles in use, trying to compare only those used by users with more or less the same role. Consolidate.
- After the comparison and consolidation process, you will probably need to think on Permission Sets to move some settings and permissions from profiles to permission sets. In this way, you will be able to reduce more the number of profiles.
I created a tool deployPKG that will allow you to compare profiles, and in general the metadata very easy. Check out this post: Compare Profiles, Permission Sets, Picklists and more
Attribution to: ovillasmil
Possible Suggestion/Solution #10
Related to Mike Chale's suggestion via the migration tool, you can download the profile meta data in Eclipse and compare two .profiles side by side. Or you can copy and paste the contents of the files into a text editor to compare only the relevant sections if that makes sense.
Attribution to: James Loghry
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/499