Loading

Anonymous Apex to remove CPQ Licensed Custom Object access from Permission Sets

Publiceringsdatum: Sep 27, 2025
Beskrivning
Beginning in Salesforce CPQ 228, Permission Set Licenses (PSL) were introduced for the package. Users are required to have a CPQ PSL assigned in order to view and interact with CPQ licensed objects. This change can impact existing Permission Sets (PS) if they grant access to Child objects without also granting access to its CPQ parent object. When trying to save changes to these Permission Sets, a validation error message similar to the examples below can appear and prevent the Save action:
  • Read on XXXXXX can't be granted. Grant the permission using a permission set with the required license or use permission set not associated with a specific license.
  • DEBUG|Obj perms update failed due to the follow reason: System.DmlException: Delete failed. First exception on row 0 with id 110Dx0000074p0iIAA; first error: FIELD_INTEGRITY_EXCEPTION, Cannot take away Read or ViewAllRecords if parent permission set has View All Data permission enabled: [],AnonymousBlock: line 23, column 1
 

The Permission Set needs to be returned to a valid state before the system allows any kind of changes. Removing all relevant CPQ/AA Object permissions will bring the Permission Set back to a valid state. To update the permission set to be compliant post-upgrade to CPQ 228 (Winter '21), admins can use the query below to assist in removing CPQ-related object permissions from custom profiles. Follow the steps below to execute the script in the Developer Console:
  1. Open the Developer Console
  2. Debug > Open Execute Anonymous Window (CTRL+E)
  3. Copy and paste code in Anonymous Window
  4. Check: Open Log
  5. Execute
  6. Check the 'Debug Only' filter box

NOTE: 
  • The DocuSign Recipient object defines Quote Template as the master in their master-detail relationship. As such, Orgs that are using DocuSign may need to remove permissions to the DocuSign Recipient object if the person is not a designated CPQ user with a related license. Otherwise, the user will be required to have a CPQ Permission Set License assigned.
  • The System Permissions View All Data and Modify All Data need to be removed from Permission Sets in order for the script to run successfully. 
Lösning
// 1. Define CPQ+AA objects (LCO + dependents) by hierarchy order for deletion
String[] customLCOAndDependentObjects = new String[] {
'SBQQ__QuoteLinePricingGuidance__c','SBQQ__QuoteDocument__c','SBQQ__QuoteLineConsumptionRate__c','SBQQ__QuoteLineConsumptionSchedule__c','SBQQ__QuoteLine__c','SBQQ__QuoteLineGroup__c','SBQQ__Quote__c',
'SBQQ__PricingGuidanceTier__c','SBQQ__PricingGuidance__c',
'SBQQ__ErrorCondition__c','SBQQ__ConfigurationRule__c','SBQQ__ProductAction__c','SBQQ__ProductRule__c',
'SBQQ__LookupQuery__c','SBQQ__PriceCondition__c','SBQQ__PriceAction__c','SBQQ__PriceRule__c',
'SBQQ__LineColumn__c','SBQQ__TemplateSection__c','SBQQ__QuoteTemplate__c',
'SBQQ__SubscriptionConsumptionRate__c','SBQQ__SubscriptionConsumptionSchedule__c','SBQQ__SubscribedAsset__c','SBQQ__Subscription__c',
'sbaa__ApprovalSnapshot__c','sbaa__Approval__c',
'sbaa__ApprovalCondition__c','sbaa__ApprovalRule__c'
};

// replace below with perm set id
String permSetId = '';
ObjectPermissions[] profileObjPerms;
// 2. Iterate and delete, so not all done in 1 batch
for(String objName : customLCOAndDependentObjects) {
// Query for object permissions by object
profileObjPerms = [SELECT Id FROM ObjectPermissions
where Parent.Id = :permSetId and SobjectType = :objName];
System.debug('Object perms for object:'+objName+':'+profileObjPerms.size());
try{
// Uncomment below line before executing
// delete profileObjPerms;
} catch(Exception e){
System.debug('Obj perms update failed due to the follow reason: '+ e + ',' + e.getStackTraceString());
}
}

// 3. Query to ensure all the relevant object perms are cleared
ObjectPermissions[] objPerms = [SELECT Id FROM ObjectPermissions
where Parent.Id = :permSetId and SobjectType = :customLCOAndDependentObjects];
System.debug('Rerun Object Perm Records for CPQ & AA: '+ objPerms.size());


NOTE: If Price Rule is not defined as the Master Object for SBQQ__LookupQuery__c, you can remove  'SBQQ__LookupQuery__c' from the list of objects in Step 2 of the code above.

Knowledge-artikelnummer

000394589

 
Laddar
Salesforce Help | Article