Salesforce Metadata API Deployment Not pushing System Permissions - salesforce

How do you get the System Permissions to be pulled?
I am working on building a Metadata deployment for our company, and part of the deployment includes creating several new profiles. We are trying to capture all of the permissions for these profiles, but can't seem to get the system permissions to match in our test runs.
I know that when you retrieve the profile object, what you get is dynamic, based on what other objects you are retrieving. (see Chap 4 bullet 2)
The following System Permissions are different between our source and destination environment
Customize Application
Manage Connections
Manage Custom Report Types
Manage Dashboards
Manage Public Documents
Manage Public List Views
Manage Public Reports
Manage Public Templates
Manage Translation
Manage Users
Modify All Data
Reset User Passwords and Unlock Users
+ Send Email
Transfer Record
View All Data
Note: + indicates added in the destination. All others are lost.

In order to use the Metadata API - the user must have the "API Enabled" and the "Modify All Data" permissions.
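The drift list above is exactly what a retrieve-and-compare step can produce automatically. The following is an added example (not part of the original question or any Salesforce tooling) that parses the `userPermissions` entries of a `.profile` file as the Metadata API returns it, for both the source and the destination org, and reports which system permissions were lost or gained. The two profile XML strings are constructed samples mirroring the post (Modify All Data lost, Send Email gained); the `HIGH_RISK` watch list is an assumption for this example, not an official Salesforce classification.

```python
import xml.etree.ElementTree as ET

# Metadata API namespace used by every retrieved .profile file
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Permissions whose loss or gain during a deployment deserves a human look.
# Constructed watch list for this example, not an official classification.
HIGH_RISK = {"ModifyAllData", "ViewAllData", "ManageUsers", "CustomizeApplication"}

# Constructed sample: a trimmed profile as retrieved from the source org.
SOURCE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <userPermissions>
        <enabled>true</enabled>
        <name>CustomizeApplication</name>
    </userPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ModifyAllData</name>
    </userPermissions>
    <userPermissions>
        <enabled>false</enabled>
        <name>SendEmail</name>
    </userPermissions>
</Profile>
"""

# Constructed sample: the same profile retrieved from the destination org after
# the deployment. An absent userPermissions entry means "not granted".
DEST_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <userPermissions>
        <enabled>true</enabled>
        <name>SendEmail</name>
    </userPermissions>
    <userPermissions>
        <enabled>false</enabled>
        <name>ModifyAllData</name>
    </userPermissions>
</Profile>
"""


def enabled_user_permissions(profile_xml):
    """Return the set of userPermissions names that are enabled in a profile XML."""
    root = ET.fromstring(profile_xml)
    enabled = set()
    for perm in root.findall("md:userPermissions", NS):
        name = perm.findtext("md:name", default="", namespaces=NS).strip()
        flag = perm.findtext("md:enabled", default="false", namespaces=NS).strip()
        if name and flag.lower() == "true":
            enabled.add(name)
    return enabled


def diff_user_permissions(source_xml, dest_xml):
    """'lost' = enabled in source only, 'added' = enabled in destination only."""
    src = enabled_user_permissions(source_xml)
    dst = enabled_user_permissions(dest_xml)
    return {"lost": sorted(src - dst), "added": sorted(dst - src)}


def high_risk_changes(diff):
    """Filter a diff down to the permissions on the HIGH_RISK watch list."""
    return {key: [p for p in names if p in HIGH_RISK] for key, names in diff.items()}


if __name__ == "__main__":
    result = diff_user_permissions(SOURCE_PROFILE, DEST_PROFILE)
    print("lost in destination: ", result["lost"])
    print("added in destination:", result["added"])
    print("high-risk changes:   ", high_risk_changes(result))
```

Run it against the `.profile` files from two retrieves made with the same `package.xml`; because the profile content depends on the other metadata types in the manifest, comparing retrieves made with different manifests will report phantom differences.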

Related

Site guest user cannot run Get Record element

In my site the guest users have access to the flow and they are able to run the flow and even create records. When the flow tries to find the created record, the following error occurs:
Because Get_Record is passed to an action, subflow, or Lightning component, store the values of all Request_for_ChemTox__c fields that the running user has access to.
I gave access to every field for that user and still keep getting this error.
Any ideas?
It's probably not field level security (~table columns) but whole record's security (~table rows).
Check your site/community/experience settings as described in this article: https://help.salesforce.com/s/articleView?id=000352970&type=1. If there's something set - the ownership of created record is immediately transferred over to that internal user and guest loses visibility. It sucks but it's there to protect you, makes sure that if you have for example Leads or Cases submitted by guest users - they immediately "disappear", guest/hacker can't report on them, experiment with IDs in the url to learn other people's data...
You can check Setup -> Sharing Settings for this object and create a new sharing rule. (I can't upload an image right now but start making a new sharing rule with step 2 "rule type = Guest user access, based on criteria")
https://help.salesforce.com/s/articleView?id=sf.networks_guest_record_default_owner_best_practices.htm&type=5 has some good tips too:
If you’d like to create a different experience for guest users, use
flows in System Mode to redirect guest users to a different custom
screen after they create a record

Is it possible to create private report filtering in a Data Studio embedded report

I created a report in DataStudio and embedded it on my website. I activated the option "anyone with the link can view" so this report will be visible to my website users.
But I need to show my website users different data depending on their user IDs and, more importantly, I don't want users to be able to see other users' data, so if I used URL filtering users would be able to breach it and search for another user ID to see his data.
Does anyone have a solution for this scenario?
In the Google documentation I saw an option to limit the report to users in my domain; I assume this will solve this issue, but I can't find how to restrict other domains.
Users are logged onto Google
If users of your website are already logged onto Google, use the Filter by email address guide from the Data Studio help center. This requires you to set up FILTER BY EMAIL and then have a field in your data that can be directly used as an email filter.
Users are not logged on to Google
If you want a solution where the users don't have to be logged onto Google, you will need to:
Create a Community Connector to pass the filtered data to your users. The connector should accept a short lived token as part of the config.
Create a dashboard with your connector and pass unique short-lived tokens for each user.
You should have an endpoint that returns the current user's data based on the token provided. Alternatively, the endpoint can return only the user's identity and you can query a secondary data source with a service account filtering for the user's identity.
Your connector should call your endpoint to fetch data only for the user/for the user's identity.
This official guide demonstrates how to implement this in more detail.
Disclaimer: I work in the Data Studio team and wrote the above guide.
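The token flow in the answer above (website mints a short-lived token, the connector presents it, the endpoint filters by the identity inside the token) is shown below as an added Python example; it is not code from the Data Studio guide or from the answer's author. The token is an HMAC-signed payload with an expiry, the server key and the data rows are constructed for this example, and in a real deployment the key would come from a secret store. The point it makes: the user identity never arrives as a client-chosen parameter, so swapping ids in a URL cannot reach someone else's rows.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: load from a secret store in a real deployment.
# Anyone holding this key can mint tokens for any user.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300  # short-lived: the dashboard only needs it for one session

# Constructed sample data source; the email column is the filter key.
DATA_ROWS = [
    {"user_email": "daniel@example.com", "amount": 10},
    {"user_email": "alex@example.com", "amount": 20},
    {"user_email": "daniel@example.com", "amount": 5},
]


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_email, now=None, secret=SERVER_SECRET):
    """Mint a signed, expiring token bound to one user (handed to the connector config)."""
    now = time.time() if now is None else now
    claims = {"sub": user_email, "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    signature = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(signature)


def verify_token(token, now=None, secret=SERVER_SECRET):
    """Return the identity the token was issued for, or None if malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_part, signature_part = token.split(".")
        payload = _b64decode(payload_part)
        signature = _b64decode(signature_part)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison: a forged signature cannot be guessed byte by byte
    if not hmac.compare_digest(signature, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def rows_for_token(token, now=None):
    """The endpoint the connector calls: filtering uses the identity inside the token,
    never an id supplied separately by the client."""
    user_email = verify_token(token, now)
    if user_email is None:
        return []
    return [row for row in DATA_ROWS if row["user_email"] == user_email]


if __name__ == "__main__":
    token = issue_token("daniel@example.com")
    print(rows_for_token(token))
```

The connector itself only forwards the token it was configured with; the expiry keeps a leaked dashboard link from being useful for long, and the signature check means the payload cannot be edited to name another user.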
The first option is to add 2 extra fields to your data source.
User_ID
Password
For example:
Data, User_ID, Password
$10,Daniel,123
$20,Alex,456
In your dashboard, you need to create two parameters:
User_ID_Parameter
Password_Parameter
Both parameters can have the default value set to null and accept any values.
Then create a new calculated field:
CASE
WHEN REGEXP_MATCH(User_ID,USER_ID_Parameter) AND REGEXP_MATCH(Password,Password_Parameter) THEN 1
ELSE 0
END
Then create a new filter to the chart that you want to hide:
To include the above calculated field Equal to 1
The second option is to use the Data Studio default Row Level Security.
The only caveat is that users need to sign in before they can view the report.

How to restrict a user to access for specific object records without role in Salesforce

I have created an integration profile CORE_AKTANA_DI through which data for objects will be loaded into my Salesforce instance through a third-party user. I have provided "View All" permission for all objects to that profile. However, since this is a global Salesforce org, there is data for other countries as well in this instance.
I want the user with the profile to see only data of France, i.e. with country "FR". In this case, my only choice is to:
Remove the "View All" permission of the profile from all objects.
Give the user a role such as "FR-Corp".
Create sharing rules for all objects with "Private" OWD and share with this role.
The problem is that since this is an integration profile, I cannot assign a role to the user with this profile. Also, it is not plausible to create sharing rules since there are a lot of objects with private OWD.
Same problem occurs by assigning the user to a public group, i.e a lot of sharing rules need to be created.
In this case, please suggest the easiest possible options.
Actually, how to solve your issue depends on the business process you are trying to implement. There are a few ways:
sharing by hierarchy: setting proper roles and checking 'grant access using hierarchy'
sharing rules: setting proper sharing rules, owner/criteria based
manual sharing: using button
sharing using apex: using share object of any corresponding object
I think this document will be useful for you.
I don't think what you say is correct:
"The problem is that since this is an integration profile, I cannot assign
a role to the user with this profile."
In my org we have a few integration connections. Each connection is anchored by a SF user license which has both a Role and a Profile. You should likely give the integration its own user license and name the user something like "Integration (Fr)". Set the role up with the appropriate hierarchy position, permissions and sharing rules, and once you've done all the token resets needed, set it as API login only & password never expires. That should do it unless I'm missing something.

Is Active Directory suitable for these requirements?

I'm about to build a new account management system for my company. The users are external customers accessing some of our web applications. Some users are internal operators accessing the same web applications, but with certain authority. The internal operators also use Java applications accessing a SQL database for information retrieval.
Requirements
If the user has forgotten his/her password, it shall be possible for the user to receive an email with a reset link, containing a unique id, that allows the user to enter a new password by following the link. The unique id shall be part of the AD system and also have a "valid-to" timestamp.
If we receive a list with 100000 users that shall be part of the system, it should be manageable to add them in an automatic fashion.
I'm new to Active Directory and wonder if it's suitable for these requirements, or will it be easier to manage with any other system?
I will also use CAS for authentication and single-sign-on for the web applications.
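Whatever directory ends up holding the accounts, the reset-link requirement above (a unique id with a "valid-to" timestamp) has a standard shape, shown here as an added Python example that is not tied to Active Directory, CAS or the asker's system. The store keeps only a hash of the id, so a leaked copy of the store cannot be turned into working links; the id is random and unguessable, expires after `RESET_TTL_SECONDS` (a constructed value), and is consumed on first use. The store, record layout and `build_reset_link` are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60  # constructed: how long a reset link stays usable


@dataclass
class ResetRecord:
    user_id: str
    valid_to: float  # the "valid-to" timestamp from the requirement
    used: bool = False


class ResetTokenStore:
    """Issues single-use, expiring reset ids and keeps only their hash at rest."""

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _digest(token):
        # Hash before storing so the stored value cannot be used as a link
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, now=None):
        """Create a fresh reset id for user_id and return it (to be emailed, never stored raw)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: the unique id
        self._by_hash[self._digest(token)] = ResetRecord(user_id, valid_to=now + RESET_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the user id if the token is known, unexpired and unused, and consume it; else None."""
        now = time.time() if now is None else now
        record = self._by_hash.get(self._digest(token))
        if record is None or record.used or now > record.valid_to:
            return None
        record.used = True
        return record.user_id


def build_reset_link(base_url, token):
    """Compose the link placed in the reset email."""
    return f"{base_url.rstrip('/')}/reset?id={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("user42")
    print(build_reset_link("https://accounts.example.com", token))
    print(store.redeem(token))  # the user id
    print(store.redeem(token))  # None: already used
```

Returning `None` for unknown, expired and used ids alike keeps the redeem endpoint from revealing which of the three applied.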

"Manage Public List Views" permission missing from Profile SObject

I am writing a visualforce page that among other things allows creation of Queues. However I want to control whether the section is displayed depending on whether the user has the permissions required.
According to the docs: Creating Queues the user needs to have both permissions:
"Customize Application"
"Manage Public List Views"
I am querying the profile like so:
Profile profile = [
    SELECT
        PermissionsCustomizeApplication
        //Was expecting: PermissionsManagePublicListViews
    FROM
        Profile
    WHERE
        Id = :UserInfo.getProfileId()];
However my problem is that I don't think the "Manage Public List Views" permission is exposed on the Profile object. Is the api name so different I am missing it? Does anyone know how to check for this permission in code?
I'm not sure about the name of the permission, but you could run a method to try and insert (and then delete!) a queue in an init method or similar; if it succeeds then you know they have all of the relevant permissions required.
The snag here of course, is you may not want them to be able to delete queues (I'm assuming they work in the manner of the other objects in the system with respect to CRUD operations).
You cannot check for these permissions in code, and Lancey Snr's suggestion is probably the easiest workaround. However, I personally don't like the idea of checking permissions by creating and deleting objects in the constructor.
I'd instead create a custom setting to track the Profiles (maybe as plain text) that are allowed to create profiles. The advantage of custom settings is that the administrator can update the custom setting when a new profile is created or an old one is deleted, or the permissions have been re-configured.
Use the custom setting in conjunction with the "with sharing" keyword in the controller code, and you can ensure that users who don't have permission to create Queues won't be able to create them.
Anup
I've decided to limit it just to people with the "Customise Application" profile option.
The reason being that this is the important profile option. The only reason people need the public list views options is because a new view is created for each new queue.
As I have discovered there is no CRUD security on the queue object in apex code. So restricting queue creation only to users with "Customise Application" seems like the safest and most flexible course of action.