
Read Only Profile Conversion to Custom Profile

Publish Date: Oct 13, 2022
Description
At Salesforce, we understand that the security and protection of your data is critical to your business. To further protect your data, we are making changes to the Read Only standard profile that reflect security best practices and allow you to customize this profile to fit your business's needs. Because Trust is our #1 Value, we wanted to be transparent about these changes and provide you with information on what actions you can take.

The Read Only standard profile is defined as allowing assigned users to view the Salesforce org's setup, run and export reports, and view, but not edit, other records. Over time, as Salesforce's products and offerings have expanded, additional permissions have been added to the Read Only standard profile that go beyond this definition.

Depending on your business's risk tolerance and definition of read only, some of these permissions may be more permissive than is represented in the profile's definition, because they give implicit or explicit edit access in order to allow key Salesforce features to function. For example, users with the Read Only profile are allowed to post in Chatter, an action which involves editing a database table under the hood.

To allow for flexibility in your org's definition of read only, we are converting the Read Only standard profile to a custom profile. This change allows you to edit permissions in this profile as your business needs require. You can also rename the profile as you'd like, for example, to reflect what it permits or who it should be assigned to.
Resolution

When will this change happen?

The Read Only standard profile will be converted to a custom profile in existing orgs with the rollout of the Summer '21 release. We recommend that you use this transition time to review the permissions included in this profile and make changes as required.

As part of this change, Essentials editions can create up to two custom profiles and Professional editions can create up to three custom profiles. The converted custom Read Only profile counts towards this limit.

New Salesforce orgs created in Spring '21 and later don't have the Read Only profile. For new orgs that want to create a Read Only profile, we recommend that you start with the Minimum Access standard profile as a least-privilege profile base, and assign custom permission sets to grant users the Read access required by your business needs.


How does this change impact my org?


The Read Only standard profile is converted to a custom profile that your Salesforce admins can modify. The value of the fullName field of the profile in the Metadata API is changed from "ReadOnly" to "Read Only". 

Your org can be impacted in these scenarios. 
 

  • Metadata retrieve() or deploy() calls on the Profile Metadata type that reference "ReadOnly" are invalid. For example, a retrieve() call with the below .xml file returns no result. 
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>ReadOnly</members>
        <name>Profile</name>
    </types>
    <version>50.0</version>
</Package>

 
  • The Read Only custom profile name isn't localized. Queries of Profile.Name always return the name in English, regardless of the language of the user who issues the query.
  • Some Apex tests that rely on the Read Only standard profile to validate negative access conditions don't work as before, especially for packaging use. Like all other custom profiles, the converted Read Only custom profile doesn't preserve consistent access rights in different orgs.
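Added example (not Salesforce's code): a Python check for the first scenario above. It rewrites a stale ReadOnly member under the Profile type of a package.xml manifest to the new fullName and leaves the same string under other metadata types alone. The sample manifest is constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
OLD_NAME = "ReadOnly"    # Profile fullName before the conversion (from the article)
NEW_NAME = "Read Only"   # Profile fullName after the conversion (from the article)

# Constructed sample manifest: one stale Profile member, plus a PermissionSet
# that happens to be named ReadOnly and must not be rewritten.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>Admin</members>
        <members>ReadOnly</members>
        <name>Profile</name>
    </types>
    <types>
        <members>ReadOnly</members>
        <name>PermissionSet</name>
    </types>
    <version>50.0</version>
</Package>
"""

def _type_name(types):
    return (types.findtext("md:name", default="", namespaces=NS) or "").strip()

def fix_stale_profile_members(manifest_xml):
    """Return (rewritten_xml, count) with Profile member ReadOnly renamed."""
    ET.register_namespace("", NS["md"])  # keep the default namespace on output
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    fixed = 0
    for types in root.findall("md:types", NS):
        if _type_name(types) != "Profile":
            continue  # the same string under another metadata type is unrelated
        for member in types.findall("md:members", NS):
            if (member.text or "").strip() == OLD_NAME:
                member.text = NEW_NAME
                fixed += 1
    return ET.tostring(root, encoding="unicode"), fixed

def profile_members(manifest_xml):
    """List the members declared under the Profile type."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    return [m.text.strip() for t in root.findall("md:types", NS) if _type_name(t) == "Profile"
            for m in t.findall("md:members", NS) if m.text]

if __name__ == "__main__":
    rewritten, count = fix_stale_profile_members(SAMPLE_MANIFEST)
    print(f"{count} stale Profile member(s) rewritten; Profile members now: {profile_members(rewritten)}")
```

A count of zero on a second pass confirms that the manifest no longer references the old name.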
 

What do I need to do?

The "Convert the Read Only Standard Profile to a Custom Profile" release update is available in Spring '21. Review this release update for step-by-step instructions and recommendations on actions to take before and after the profile is converted. We have also summarized the actions to take here.


Before the profile is converted

We recommend that you first review the permissions included in the Read Only profile in the "What permissions are included in the Read Only Profile?" section. Evaluate whether the users currently assigned to the Read Only profile should continue to have the included permissions. 

If you want to change the permissions granted to users assigned the Read Only profile, we recommend that you reassign users to the Minimum Access standard profile, which is a least-privilege access base. Then grant more permissions as required via permission sets or permission set groups.


To reassign users with the Read Only profile to the Minimum Access profile:

  1. From Setup, in the Quick Find box, enter Profiles.
  2. Select Profiles.
  3. Navigate to the Read Only profile.
  4. Click Assigned Users in the enhanced profile user interface or View Users in the original profile user interface.
  5. For each user, update the profile assignment to the Minimum Access - Salesforce profile.
  6. To grant more permissions, you can create a new permission set from scratch. Or you can create a permission set based on the Read Only profile by using the Converter feature in the Salesforce Labs Profile and Permission Set Helper app. 

If you continue to use Salesforce's Read Only profile with the currently assigned users, verify that your org's custom code still works before the rollout of the Summer '21 release. Make sure that you've reviewed the changes in the "How does this change impact my org?" section. Verify that your org's custom code that references the Read Only standard profile in the impacted scenarios is updated, so that your configurations and deployments remain intact when the Read Only profile is converted.

We recommend that you update your Apex tests that rely on the Read Only profile. Use the Minimum Access Profile and additional permission sets instead for testing the user context.

 

After the profile is converted

After the Read Only standard profile is converted to a custom profile, you can remove or add permissions as your business needs require. You can also change the Read Only profile name. For example, the name can reflect that some permissions grant edit access or who its assignees are. If you change the profile's name, to prevent errors or disrupted functionality, review all Apex code and customizations that reference the Read Only profile. Update all references with the profile's new name. 

We recommend that you test all changes to the profile in a sandbox or Developer Edition org before enabling it in your production org.


Edit Permissions in the Read Only Custom Profile After It Is Converted


Enhanced Profile User Interface
  1. From Setup, in the Quick Find box, enter Profiles.
  2. Select Profiles.
  3. Navigate to and click on the "Read Only" profile.
  4. Click on "System Permissions" or "App Permissions." Or, search for the permission you want to add or remove in the search box.
  5. Click Edit.
  6. Edit the permissions.
  7. Click Save.

Original Profile Interface
  1. From Setup, in the Quick Find box, enter Profiles.
  2. Select Profiles.
  3. For the "Read Only" profile, click Edit.
  4. Edit the permissions.
  5. Click Save.
 

Rename the Read Only Custom Profile After It Is Converted


Enhanced Profile User Interface
  1. From Setup, in the Quick Find box, enter Profiles.
  2. Select Profiles.
  3. Navigate to and click on the "Read Only" profile.
  4. Click Edit Properties.
  5. Update the Name of the profile.
  6. Click Save.

Original Profile Interface
  1. From Setup, in the Quick Find box, enter Profiles.
  2. Select Profiles.
  3. For the "Read Only" profile, click Edit.
  4. Update the Name of the profile.
  5. Click Save.


Resources


What permissions are included in the Read Only profile?

See this table for a list of included user permissions and their descriptions:
 
| Permission | Description | Category in Enhanced User Interface | Category in Original Profile Interface | Provides implicit or explicit edit access? |
| --- | --- | --- | --- | --- |
| Access Activities | Access tasks, events, calendar, and email and activity-based features, such as Einstein Activity Capture and Activity Metrics. | System Permissions | General User Permissions | |
| Access Libraries | Access libraries. | System Permissions | Administrative Permissions | |
| Allow Access to Customized Actions | Unsupported. Use the page layout editor to customize which actions show up in Salesforce and in the Salesforce mobile app. | System Permissions | General User Permissions | |
| Allow View Knowledge | Allow user to view knowledge articles. | App Permissions | General User Permissions | |
| Apex REST Services | Allow access to Apex REST services. | System Permissions | Administrative Permissions | |
| API Enabled | Access any Salesforce.com API. | System Permissions | Administrative Permissions | |
| Assign Topics | Assign existing topics to feed items. Remove topics from feed items. | System Permissions | General User Permissions | |
| Chatter Internal User | Use all Chatter features. See Chatter Overview in the Salesforce Help for more information. | System Permissions | Administrative Permissions | |
| Create and Customize List Views | Create list views; modify and delete own list views. | System Permissions | Administrative Permissions | |
| Create and Customize Reports | Create, edit, and delete reports in personal folders. | System Permissions | Administrative Permissions | |
| Create and Own New Chatter Groups | Create and own new Chatter groups. | System Permissions | Administrative Permissions | |
| Create Public Links | Let users create links to share files externally. Unlike content deliveries, public links can't be password protected. To let a user create links to files in a library, enable Deliver Content for that user in the library. | System Permissions | Administrative Permissions | |
| Create Topics | Create new topics by assigning them to feed items. | System Permissions | General User Permissions | |
| Edit My Own Posts | Allow users to edit their own feed items. | System Permissions | Administrative Permissions | |
| Edit Opportunity Product Sales Price | Change the sales price on opportunity line items. | App Permissions | General User Permissions | |
| Edit Topics | Edit topic names and descriptions. | System Permissions | General User Permissions | |
| Export Reports | Use Export Details and Printable View to export reports. | System Permissions | General User Permissions | |
| Field Service Standard | Give users access to all standard Field Service Lightning features. | System Permissions | Administrative Permissions | |
| Invite Customers to Chatter | Invite Customers to Chatter. | System Permissions | Administrative Permissions | |
| Knowledge One | Replaces the Articles tab with the Knowledge tab. | App Permissions | General User Permissions | |
| Lightning Console User | Gives the user access to Lightning console apps. | System Permissions | Administrative Permissions | |
| Lightning Experience User | Access Lightning Experience and switch between Lightning Experience and Salesforce Classic. | System Permissions | Administrative Permissions | |
| Lightning Login | Determines if a user is eligible to use Lightning Login functionalities. | System Permissions | Administrative Permissions | |
| Manage Macros Users Can't Undo | Create, update, and run macros that include irreversible instructions. | App Permissions | Administrative Permissions | |
| Read D&B Company records | Read D&B company records. | App Permissions | General User Permissions | |
| Run Reports | Run reports and dashboards. | System Permissions | General User Permissions | |
| Select Files from Salesforce | Selecting a Salesforce file is an option when attaching a file. | System Permissions | Administrative Permissions | |
| Send Outbound Messages | Send outbound messages to an external Web service API. | System Permissions | Administrative Permissions | |
| Send Through Gmail | When you enable this feature, some of your Salesforce org's data may be saved or processed by a third party, who may offer different privacy and security protections for such data. Salesforce.com is not responsible for the privacy and security of the data that is shared with third parties as a result of your decision to enable this feature. Allow users to send emails through Gmail when composing emails in Lightning Experience. The Send Email through External Email Services user permission is enabled by default on standard profiles. | System Permissions | Administrative Permissions | |
| Share Files with People in Communities | Share files in communities by changing their sharing settings or posting them to profiles. | System Permissions | Administrative Permissions | |
| Show App Launcher in Communities | Display the App Launcher icon in communities. | System Permissions | Administrative Permissions | |
| Show Company Name as Community Role | Allow users to see other users' company name in community role. | System Permissions | Administrative Permissions | |
| Subscribe to Reports | Subscribe to reports in Lightning Experience to schedule report refreshes and send notifications by email. Your organization's data may be saved and/or processed by third-party services, and Salesforce is not responsible for data users choose to send outside of Salesforce. | System Permissions | Administrative Permissions | |
| View Help Link | Allow user to view help link. | System Permissions | Administrative Permissions | |
| View Knowledge | View Salesforce Knowledge articles. | App Permissions | General User Permissions | |
| View Roles and Role Hierarchy | Allow user to view roles and role hierarchy. | System Permissions | Administrative Permissions | |
| View Setup and Configuration | View the App Setup and Administrative Settings pages. | System Permissions | Administrative Permissions | |
| View Topics | View topics on posts, comments, and records. | System Permissions | Administrative Permissions | |

Knowledge Article Number

000393290

 