Loading

Anonymous Apex to Remove Permission Set Assignments from Non CPQ Users

Date de publication: Sep 27, 2025
Description
Beginning in the Winter '21 release for CPQ, users who currently are assigned a custom permission set which includes permission to access CPQ Licensed Custom Objects (LCO) will need the CPQ user license. The new user license for CPQ is a Permission Set License (PSL) labeled Salesforce CPQ License. If users do not need CPQ access, remove the permission set from users to resolve the license validation errors. The scripts in this article are helpful for Orgs who have granted CPQ related permission sets to a broad audience which includes CPQ and non-CPQ users.

The code below identifies users who are assigned a custom permission set granting access to CPQ objects, but do not have a Managed Package License (MPL), the prior user license for CPQ. This helps identify who will need the new CPQ license and the non-CPQ users who need to remove CPQ related permissions. The list of users is generated within the script and then sent to the designated email address defined towards the bottom of the script's code. Make sure to review the users identified in the email before completing the next step. 
NOTE: The code below applies to Production Orgs only (CPQ version 224 or 226) and does not work in Sandbox. This is because the Managed Package License is a site license in Sandboxes and therefore the MPL cannot be effectively queried on a user level.
Résolution

The script initially generates two lists of users: 

  1. Non-CPQ users: defined as not having a CPQ Managed Package License
  2. Assigned a custom permission set granting access to CPQ related objects 

A final list is created of users who belong to both groups. This new list is the one that is emailed and contains the users who will have this customer permission set removed. The code's actions are as follows:

  • Generates list of users who have CPQ related permission set assigned
  • Generates list of users who do not have a Managed Package License assigned 
  • Generates a new list comparing the two above
    • Includes users who have the permission set assigned and no license
  • Emails list of users to defined email address in this line of code
    • OLD: String[] toAddresses = new String[]{'EMAIL ADDRESS'};
    • NEW: String[] toAddresses = new String[]{'myname@company.com'};
  • Uncomment the "//" from below step 5 to process Permission Set removal
    • OLD:  //delete delFinalUsers;
    • NEW: delete delFinalUsers;
  • Execute the script again to delete the custom permission set from the list of users.

Open the Developer Console to execute the script by following these steps:

  1. Open the Developer Console
  2. Debug > Open Execute Anonymous Window (CTRL+E)
  3. Copy and paste code (first delete existing code in anonymous window)
  4. Execute

NOTE: This script removes the custom permission set assignment from the list of user records. Not only will this remove the permissions to CPQ objects, but any access the custom permission set grants will be removed when the permission set is unassigned.

**REMOVES CUSTOM PERMISSION SET ASSIGNMENTS FROM UNLICENSED USERS

//1. find the different permission sets that grant access to CPQ objects

List<ObjectPermissions> objUsers = [SELECT ParentId, Parent.Name
FROM ObjectPermissions 
WHERE PermissionsRead = True AND
SobjectType in ('SBQQ__Quote__c', 'SBQQ__PricingGuidance__c', 'SBQQ__ProductRule__c', 'SBQQ__QuoteTemplate__c', 'SBQQ__Subscription__c', 'SBQQ__PriceRule__c') AND 
Parent.IsOwnedByProfile = false];
//'sbaa__Approval__c', 'sbaa__ApprovalRule__c'  - for advanced approvals

Set<Id> objPermIds = new Set<Id>();  // get unique IDs of permission sets

for(ObjectPermissions objPer: objUsers)
{
    objPermIds.add(objPer.ParentId);
}
List<Id> objPermIdsList = new List<id>(objPermIds); //contains IDs of permission sets that grant access to CPQ objects

//EXAMPLE: ('0PS2v000005TGdhGAG','0PS2v000005TGdiGAG','0PS2v000005TGdgGAG','0PS2v000005TGdjGAG','0PS2v000005WS0NGAW')

// 2. find different users who have the above permission sets  - [2]
List<PermissionSetAssignment> permSetsUsers = [SELECT Id, AssigneeId,PermissionSetId from PermissionSetAssignment where PermissionSetId  =: objPermIdsList];

//System.debug(permSetsUsers);

//3. find users who have CPQ MPL assigned  - [3]
List<UserPackageLicense> MPL_users = [SELECT UserId 
       FROM UserPackageLicense 
       WHERE PackageLicense.NamespacePrefix =  'SBQQ']; // 'sbaa' - for advanced approvals

//System.debug(MPL_users);

Set<Id> MPL_id_set = new Set<Id>();     
for(UserPackageLicense var: MPL_users)   
{
    MPL_id_set.add(var.UserId);  // gets the user id 
}

//4. Check the users who have permission sets but no MPL assigned
/* list which is retrieved from the [2](step 2) and will be iterated over to check if the user has MPL assigned (set created in step 3)..*/
  
List<PermissionSetAssignment> finalUsers = new List<PermissionSetAssignment>();
for(PermissionSetAssignment temp: permSetsUsers)
{
    if(!MPL_id_set.contains(temp.AssigneeId))
    {
        finalUsers.add(temp);  // user did not have MPL assigned, needs to be deleted
    }
}
if(finalUsers.size()==0)
    System.debug('all set');

System.debug(finalUsers.size());

List<PermissionSetAssignment> delFinalUsers = finalUsers;

//5. uncomment the line below to delete PS assignments from the list of users
//delete delFinalUsers;

String Row = '';
Row +='Id' + ','+ 'AssigneeId' + ','+ 'PermissionSetId'+'\n';
for(PermissionSetAssignment permm: finalUsers)
{
    Row +=permm.Id + ',' + permm.AssigneeId + ','+ permm.PermissionSetId + '\n' ;
}

Messaging.EmailFileAttachment csvAttachment = new Messaging.EmailFileAttachment();
Blob csvBlob = blob.valueOf(Row);
String csvName = 'userswhodoesnthaveMPL.csv';
csvAttachment.setFileName(csvName);
csvAttachment.setBody(csvBlob);
Messaging.SingleEmailMessage email = new Messaging.SingleEmailMessage();

//Replace email address below to receive communications from this script
String[] toAddresses = new String[]{'EMAIL ADDRESS'};
String subject = 'users who do not have MPL';
email.setSubject(subject);
email.setToAddresses(toAddresses);
email.setPlainTextBody('users who do not have MPL');
email.setFileAttachments(new Messaging.EmailFileAttachment[]{csvAttachment});
Messaging.SendEmailResult[] r = Messaging.sendEmail(new Messaging.SingleEmailMessage[]{email});

 

Numéro d’article de la base de connaissances

000390394

 
Chargement
Salesforce Help | Article