maddy27

Prevent access to custom profile

Hi,

I have the following requirement where we have a custom profile (SystemSupport) which is similar to the System Admin profile.
I need to make sure the following access is disabled for a SystemSupport profile user.

1. Prevent from adding new user.
2. Prevent user from deploying the changes.
3. Prevent user from making any metadata changes (wf/validation rule/flows etc)

Please let me know the right approach for this change.

Thanks in advance.

 
Best Answer chosen by maddy27
Anudeep (Salesforce Developers)
1. Prevent from adding new user.
> Try removing create access on User object
2. Prevent user from deploying the changes.
> The “API Enabled” and “Modify All Data” [...] are required to access Metadata API calls. You need to disable those. See this post to learn more

3. Prevent user from making any metadata changes (wf/validation rule/flows etc)
> Same as above

Let me know if it helps

maddy27
Thanks @Anudeep for sharing the above.

I have made the following changes:

1. Prevent user from creating Users

Under System Permission –
Manage Users:
Create, edit, and deactivate users, and manage security settings, including profiles and roles.

2. Prevent user from deploying changes

Under System Permission –
1. Modify Metadata Through Metadata API Functions:
Create, read, edit, and delete org metadata. Users must have appropriate access rights to the metadata they're trying to modify. Be careful if delegating this permission. Some metadata executes in system context, when object permissions, field-level security, and sharing rules that apply to the user are ignored. For example, Apex executes in system context.
2. Modify All Data:
Create, edit, and delete all organization data, regardless of sharing settings.
3. Deploy Change Sets:
Deploy inbound change sets.
4. API Enabled:
Access any Salesforce.com API.
5. Allow user to modify Private Connections:
Allow users to modify Private Connections through the Metadata, Tooling, and Connect APIs.


Let me know how it looks.
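
An added example, not part of the original thread: a Python check that reads a profile's metadata XML and reports which of the permissions listed above are still enabled. The sample profile is constructed, and the Private Connections permission is left out because its metadata name is not given on the page.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# userPermissions name in profile metadata -> Setup label quoted in the thread.
RESTRICTED = {
    "ManageUsers": "Manage Users",
    "ModifyMetadata": "Modify Metadata Through Metadata API Functions",
    "ModifyAllData": "Modify All Data",
    "InboundMigrationToolsUser": "Deploy Change Sets",
    "ApiEnabled": "API Enabled",
}

# Constructed sample: a SystemSupport profile cloned from System Administrator
# where only two of the five permissions have been switched off so far.
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <userPermissions><enabled>false</enabled><name>ManageUsers</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyMetadata</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
    <userPermissions><enabled>false</enabled><name>InboundMigrationToolsUser</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ViewSetup</name></userPermissions>
</Profile>
"""

def enabled_restricted_permissions(profile_xml: str) -> list[str]:
    """Return the labels of restricted permissions the metadata still grants.

    A permission that is absent from the XML is treated as not granted.
    """
    root = ET.fromstring(profile_xml)
    found = []
    for perm in root.findall("sf:userPermissions", NS):
        name = perm.findtext("sf:name", default="", namespaces=NS).strip()
        enabled = perm.findtext("sf:enabled", default="false", namespaces=NS)
        if name in RESTRICTED and enabled.strip().lower() == "true":
            found.append(RESTRICTED[name])
    return sorted(found)

if __name__ == "__main__":
    for label in enabled_restricted_permissions(SAMPLE_PROFILE):
        print("still enabled:", label)
```

Permission sets assigned to the user carry `userPermissions` entries of the same shape and can grant these permissions back, so run the same check over them as well.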

 
maddy27
Hi Anudeep,

What if I need the system support user to log in as another user to troubleshoot any issues?
I would need login access to log in as another user without giving create new user access.

Is it possible?