Ihave some action thet if I try to do it in the sandbox it succeeded but when I tryed to do it in the production it failed
I'm looking for somethin thet can help find the difference between the two environments
tenks
The question is too vague. Do you know how to capture debug logs and read them?
Could be many things - a validation rule or required field added in prod but not in sandbox. Could be a problem with some integration. Could be that the action silently calls something from a managed package and you don't have a license in production. Could be that the action checks your user's Role/Profile/permissions and something's missing. Could be some reference data missing. A flow/process builder that's deployed from sandbox but not activated.
There are some tools for comparing 2 environments (Gearset, OwnBackup...) or if you're a developer you could download the projects with sfdx/vscode and compare them with something like Winmerge.
If you want to know that about current environment you can query IsSandbox field from Organization object.
[select IsSandbox from Organization limit 1];
IsSandbox Indicates whether the current organization is a sandbox (true) or production (false) instance.
similarly you can use it in flows and other automation tools
Related
I am investigating if it is at all possible to track assigned permission sets, profiles and roles with the sfdx cli tools. So far my findings are that Permission sets and Profiles are trackable as they get converted to source but it is up to the administrator to assign profiles / permission sets after deployment.
Can anyone confirm this and point me to some documentation on the limits of what the sfdx cli can pull.
There's https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_unsupported_types.htm but that's not exactly what are you asking, the question is bit confusing.
PermissionSetAssignment table is well, a table. Normal data like Account, not metadata. Same with Users, their Roles, group memberships... You wouldn't typically store it in version control unless you're after some "golden copy" good test dataset to load to sandboxes/scratch orgs.
SF tried once to be smart with deploying queue memberships, record folder permissions and approval process assignees and the results are... Meh. You inspect the XML file and see usernames with sandbox suffix in them that they try to magically match during deployment to target org. It's "fun" when developer who created the report folder doesn't exist in production / username doesn't match (creator automatically gets added as Manager, it's extra step to remember and maybe remove that). It's even more "fun" when you keep working on the project in different sandboxes and git keeps reporting changes of suffix from ".dev" to ".proto" or ".hotfix"...
Try to rethink your question, what are you after? You can implement single sign on with piece of apex code running on login (or look into Identity Connect) so people's permissions will be synced based on their role in Active Directory/Google apps engine / what have you. Or if you really want you should be able to periodically query & upsert back CSV of PermissionSetAssignments. Or have a script during deployment to run a bunch of permset assign commands?
What will you do when John Doe moves from Marketing department to Sales? Who's right, SF or git project? Would it really need a deployment to change it?
I need to create some automated method for checking certain security settings within a given Salesforce org(s). The four big ones are:
IP Restrictions within each profile
Mobile User setting disabled
Mobile Lite disabled
Chatter Disabled
I think the first two can be accomplished through the API (SOQL to get all profiles and check loginIpRanges[] length >0 and SOQL to get all users and check isMobileUser property for each one), but I can't find anything in the API for the other two and wonder if I would have to screen scrape it.
Any suggestions on the best approach to accomplish this? A local Python or other script that connects remotely via the API and a screen scraper or Selenium script for the non-API items? An Apex or VisualForce page that is installed within each org?
I am new to Salesforce and Apex, so before I start down one road and doing it within Salesforce vs via the API I would really appreciate any guidance.
Thank you!
I think you'll have to take a mixed approach to solving this, perhaps wrapped up in some larger python script.
Use the metadata API to get all of the Profile objects and parse for loginIPRanges. You can use Apache ANT and the Force.com migration tool commands to do this. You can also get the SecuritySettings from the same API and method and get a lot of the things in the Security Health Check, if you need them. The results will be returned in XML, which you can easily parse in your python script.
Use the API and a SOQL query to check for the isMobileUser permission, use python to parse/output results. Beatbox is a good library for connecting to the standard API.
For the last two, I think you'll need to go with some screen scraping/browser automation and parsing. Hopefully someone has a better answer for this, as I'm not familiar enough to help with how to accomplish this aspect. The screens are in standard locations so it should be repeatable as long as future updates don't move things.
Ideally you'll be able to combine these into one large script that fires off beatbox, then fires off ant/migration tool, and some browser automation script.
OK, so I did the dumb thing and released production code (C#, VS2010) that targeted our development database (SQL Server 2008 R2). Luckily we are not using the production database yet so I didn't have the pain of trying to recover and synchronize everything...
But, I want to prevent this from happening again when it could be much more painful. My idea is to add a table I can query at startup and determine what database I am connected to by the value returned. Production would return "PROD" and dev and test would return other values, for example.
If it makes any difference, the application talks to a WCF service to access the database so I have endpoints in the config file, not actual connection strings.
Does this make sense? How have others addressed this problem?
Thanks,
Dave
The easiest way to solve this is to not have access to production accounts. Those are stored in the Machine.config file for our .net applications. In non-.net applications this is easily duplicated, by having a config file in a common location, or (dare I say) a registry entry which holds the account information.
Most of our servers are accessed through aliases too, so no one really needs to change the connection string from environment to environment. Just grab the user from the config and the server alias in the hosts file points you to the correct server. This also removes the headache from us having to update all our config files when we switch db instances (change hardware etc.)
So even with the click once deployment and the end points. You can publish the a new endpoint URI in a machine config on the end users desktop (I'm assuming this is an internal application), and then reference that in the code.
If you absolutely can't do this, as this might be a lot of work (last place I worked had 2000 call center people, so this push was a lot more difficult, but still possible). You can always have an automated build server setup which modifies the app.config file for you as a last step of building the application for you. You then ALWAYS publish the compiled code from the automated build server. Never have the change in the app.config for something like this be a manual step in the developer's process. This will always lead to problems at some point.
Now if none of this works, your final option (done this one too), which I hated, but it worked is to look up the value off of a mapped drive. Essentially, everyone in the company has a mapped drive to say R:. This is where you have your production configuration files etc. The prod account people map to one drive location with the production values, and the devs etc. map to another with the development values. I hate this option compared to the others, but it works, and it can save you in a pinch with others become tedious and difficult (due to say office politics, setting up a build server etc.).
I'm assuming your production server has a different name than your development server, so you could simply SELECT ##SERVERNAME AS ServerName.
Not sure if this answer helps you in a assumed .net environment, but within a *nix/PHP environment, this is how I handle the same situation.
OK, so I did the dumb thing and released production code
There are a times where some app behavior is environment dependent, as you eluded to. In order to provide this ability to check between development and production environments I added the following line to global /etc/profile/profile.d/custom.sh config (CentOS):
SERVICE_ENV=dev
And in code I have a wrapper method which will grab an environment variable based on name and localize it's value making it accessible to my application code. Below is a snippet demonstrating how to check the current environment and react accordingly (in PHP):
public function __call($method, $params)
{
// Reduce chatter on production envs
// Only display debug messages if override told us to
if (($method === 'debug') &&
(CoreLib_Api_Environment_Package::getValue(CoreLib_Api_Environment::VAR_LABEL_SERVICE) === CoreLib_Api_Environment::PROD) &&
(!in_array(CoreLib_Api_Log::DEBUG_ON_PROD_OVERRIDE, $params))) {
return;
}
}
Remember, you don't want to pepper your application logic with environment checks, save for a few extreme use cases as demonstrated with snippet. Rather you should be controlling access to your production databases using DNS. For example, within your development environment the following db hostname mydatabase-db would resolve to a local server instead of your actual production server. And when you push your code to the production environment, your DNS will correctly resolve the hostname, so your code should "just work" without any environment checks.
After hours of wading through textbooks and tutorials on MSBuild and app.config manipulation, I stumbled across something called SlowCheetah - XML Transforms http://visualstudiogallery.msdn.microsoft.com/69023d00-a4f9-4a34-a6cd-7e854ba318b5 that did what I needed it to do in less than hour after first stumbling across it. Definitely recommended! From the article:
This package enables you to transform your app.config or any other XML file based on the build configuration. It also adds additional tooling to help you create XML transforms.
This package is created by Sayed Ibrahim Hashimi, Chuck England and Bill Heibert, the same Hashimi who authored THE book on MSBuild. If you're looking for a simple ubiquitous way to transform your app.config, web.config or any other XML fie based on the build configuration, look no further -- this VS package will do the job.
Yeah I know I answered my own question but I already gave points to the answer that eventually pointed me to the real answer. Now I need to go back and edit the question based on my new understanding of the problem...
Dave
I' assuming yout production serveur has a different ip address. You can simply use
SELECT CONNECTIONPROPERTY('local_net_address') AS local_net_address
I'm a developer at a small company where we're struggling for consistent change control. I'm running into issues where non-dev staff are tweaking stored procedures and triggers in production installations. Their changes are being overwritten when we apply upgrades because they've gone outside of the process the dev team uses to verify db changes are incorporated into source control.
How would you recommend approaching this problem from a technical as well as personal perspective?
Edit 1: A little background on our current process might help this along. We're using a continuous integration server (TeamCity) to generate install artifacts and label svn upon check in. I'm using NMigrations to manage schema and sp/trigger changes when we apply fixes. Unfortunately it's beyond my ability to stop unauthorized schema changes so what I would love to find is a design pattern that allows for an overridable trigger/sp definition.
You need to clearly separate:
source control management
release management
Tweaking in prod shouldn't be possible if the release environment is protected through strict ACL preventing anyone duly appointed to deploy and change stuff.
If that deployment process is automated, then all changes will go through the proper channel because anyone will known a simple "push button" process will be enough to deploy the hotfix.
But if getting that fix in source control and deploy it is complicated, then a tweak directly in prod is usually the result...
Limit rights to change stored procedures and triggers, especially on production. Go ahead and let them know first so they aren't blindsided, but clearly protect production from all unauthorized changes.
Assumption: live/production web app suppresses errors being shown to end-users.
Suppose your tech support team wants to see live data but through the eyes of the development-side of the application (maybe you want to see what errors are occurring, or want to see when you've got an issue fixed using an end-user's data).
Right now we've got one database serving both the dev and live boxes (not my idea - I know it's gross).
Ideas?
Edit: Best/handy tools for implementing your suggestion?
We replicate the data back to a different database. Yes, there is a delay, but it keeps people hands out of the production servers. This also allows us to "hide" information that tech support (and other people for that matter) aren't supposed to see.
In addition to replicating data down, on production, we see who's logged into the application, and if it's a member of the company, send them to the real error page versus the happy kitten playing with a ball of yarn apologizing.
Back up and restore from live to dev on a regular basis (once, twice a day). It doesn't need to be realtime (as you might be entering data from the dev side anyway, which could cause problems).
If you have PCI or HIPAA data, make sure you don't put that in your dev environment -- that might break laws.
I generally like to have a 3-tier system for web development:
Development
Testing
Live
Most of the time testing is an exact copy of the live system, except that errors are turned on, when a new version is about to be moved live it's replaced with the new version BEFORE live is, to detect upgrade issues.
Development is completely separate from live, to allow for major changes to things like the database, or changes to the production environment.
I would firstly make errors are either emailed to someone with details of how the user got there or at minimum logged so you can watch the error log while you perform similar actions to see if you get the same messages in the log.
And yes, copying the database on the dev server/site is probably your only option. You don't want any changes made by the development team to live data and you'll probably also have changes that won't work with the production database at some point.
I wouldn't recommend doing a nightly copy as a developer might be in the middle of some new feature where they have added data and then it's erased that night. I usually copy the production database(s) to dev each time a major version is released. This also allows me to do speed testing with a lot of live data. On some systems I also change everyones password to a default so I can login easily as any user.
If your configuration permits it:
a. Add a logging function (if there isn't one already) to write messages of interest to a log file.
b. Run the unix command
tail -f < logfile.txt
which will stream the growing log file to your console.
http://www.monkey.org/cgi-bin/man2html?tail
If you have Windows, you might try this:
http://tailforwin32.sourceforge.net/