We are going to enable some login users with very restricted access. These are volunteers or interns. In order to do this we are going to start with an empty profile. Regrettably we have inadvertently added lots of permissions to the standard “Minimum Profile” provided by Salesforce way back in the Summer 2020 release. Unless you uncheck it, all new items get added to this. So, I’ve accidentally added a couple dozen apps, loads of Apex access, and even most new objects that I’ve added to this minimum profile without realizing what I was doing. Whoops! So, we’ve made that standard profile useless with lots of accidental additions that would take hours and hours to clean up. Don’t do this, but I’m not sure you can avoid it. I noticed some Salesforce standard features are also enabled on this minimum profile. So, what’s a clever admin to do?
Fortunately, it is reasonably easy to add a blank profile using Workbench. See the TomForce YouTube video here: https://www.youtube.com/watch?v=JpKry4La-4I&t=27s The general idea is that you use Workbench to insert a new record for a profile that only has a name and a license type. Everything that can be blank is now presumed blank. This takes 5 minutes (more if you’ve never used Workbench) vs a few hours looking at that minimum profile and wondering what has been granted. I could be wrong about this since it’s a locked profile, but it sure shows access when I test with a login assigned to that profile.
Here is the new profile I created using my naming convention to make sure I can tell what I did vs what comes with other packages:
Then I added default page layouts for these objects expected to be used right away. You MUST add a default page layout for every object in the profile that you eventually give any user with that profile access. Layouts and default record types are set in the profile and not in any permission set as of 2024. That’s a bit of a bummer but OK.
I also added these system permissions to get the user to Lightning instead of Classic:
In Assigned Apps, I added and made default Salesforce Chatter. Something has to be default that is visible or you get an error and stay in classic.
So with all that done, I created a user and used the login function to test. Wondering how I create a test user? I call them Nobodyx @SYMin (where x is a number 1, 2, 3, etc) with no role, the assigned minimum profile and I uncheck all the user option boxes. You have to give them a unique email address within all of Salesforce; I used email@example.com. With that you can log in as them using the login-as admin function. No password ever needs to be set so there seems to be no added security risk. Delete when you desire.
This is what I see with the new test user assigned the new minimum profile. I could create a different home page for this Chatter app and avoid some of the errors, but I see no real point right now. I don’t know how the Power of Us Hub app is assigned nor how to get rid of it. Notice that there are no objects available, and just the one app and the rogue app are available. This is pretty much what we were looking for!
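As a complement to the login-as test, the profile can also be checked from its metadata file. The following is an added example, not part of the original post or any Salesforce tooling: it assumes the profile has been retrieved as Metadata API XML (a `.profile-meta.xml` file), and the app, class and object names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
OBJECT_FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")

def _text(node, tag):
    child = node.find(f"md:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""

def audit_profile(xml_text, allowed_apps=(), allowed_user_perms=()):
    """Return every grant in a Profile metadata file that is not on the allowlist."""
    root = ET.fromstring(xml_text)
    findings = []
    for app in root.findall("md:applicationVisibilities", NS):
        name = _text(app, "application")
        if _text(app, "visible") == "true" and name not in allowed_apps:
            findings.append(("app", name))
    for cls in root.findall("md:classAccesses", NS):
        if _text(cls, "enabled") == "true":
            findings.append(("apex", _text(cls, "apexClass")))
    for obj in root.findall("md:objectPermissions", NS):
        granted = [f for f in OBJECT_FLAGS if _text(obj, f) == "true"]
        if granted:
            findings.append(("object", f"{_text(obj, 'object')}:{','.join(granted)}"))
    for perm in root.findall("md:userPermissions", NS):
        name = _text(perm, "name")
        if _text(perm, "enabled") == "true" and name not in allowed_user_perms:
            findings.append(("userPermission", name))
    return findings

# Constructed sample: a "minimum" profile that has drifted. Names starting with
# Example are hypothetical; only Chatter and Lightning are meant to be granted.
SAMPLE = """
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <applicationVisibilities><application>standard__Chatter</application><default>true</default><visible>true</visible></applicationVisibilities>
  <applicationVisibilities><application>Example_Donations_App</application><default>false</default><visible>true</visible></applicationVisibilities>
  <classAccesses><apexClass>ExampleDonationController</apexClass><enabled>true</enabled></classAccesses>
  <objectPermissions><object>Example_Gift__c</object><allowRead>true</allowRead><allowEdit>true</allowEdit><allowCreate>false</allowCreate></objectPermissions>
  <objectPermissions><object>Account</object><allowRead>false</allowRead></objectPermissions>
  <userPermissions><enabled>true</enabled><name>LightningExperienceUser</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ViewSetup</name></userPermissions>
</Profile>"""

if __name__ == "__main__":
    for kind, detail in audit_profile(SAMPLE, {"standard__Chatter"}, {"LightningExperienceUser"}):
        print(f"unexpected {kind}: {detail}")
```

Profile metadata retrieved on its own can omit object, class and app entries, so retrieve it together with the components you want checked before trusting an empty result.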
To use the “login as” feature, you may have to enable it for your profile or permission set. Do note that when you do so, it opens a new window and shows the banner at the top of the running users. Here are the rules I’ve learned to avoid problems:
- Don’t leave that window as the running test user
- Use the logout link at the top before going to any other Salesforce window
- Refresh the Salesforce window you return to as admin, especially if you get an error or are prompted to log in again. Refreshing seems to get the original session back.
- If you log in again as your admin profile, expect all other sessions and windows to be closed, so try to avoid it.
To summarize:
- You can assign this minimum profile to a user (with no checkboxes required on the user config page although there are profile set that will probably require you to add true checkboxes)
- You can begin to give the user with this profile access to objects via a permission set group that consists of one or more permission sets. (more on this in our next blog)
- You must return to this profile and assign any necessary default record types and default page layouts for any objects you assign via permission set. This is a pain but those are the rules for now. Do note that if you fail to do this you will likely get a “punt” error message from a Lightning record page (“Unfortunately there was an error. Contact your admin”). This isn’t a very helpful message, but remember to check for missing default layouts and record types if you see it.
- You have to consider what to do about home pages that may reference items the user doesn’t have access to. Home pages remain a mess in my opinion. Most orgs have them system wide defaulted but they can be assigned per app or user.
- You need to test out using a nobody user with no actual password and log in as the user through the admin user panel.
P.S. I eventually discovered that the Power of Us Hub was showing up in the App Menu regardless of permissions because it was turned on by default for new users in “App Menu” settings. I have no idea how this interacts or doesn’t with permission sets and groups. Seems weird that so many other apps are marked similarly but don’t show up.