function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Administer only 1 profile and it's users.

Please forgive the naive question but aay I have Profile A - System Admins.... Profile B - System Admins.. How do I give Profile A the capability to perform full admin of Profile A and all it's users without also giving the capability to perform admin over profile B?




Is this possible?  Thank you


Hi Nenz -


Do both profiles have the "Manage Users" perm?




Yes my understanding is that in order to manage users at all.. an admin needs this permission. The problem is that I don't want an admin from profile A to be able to touch profile B. I don't think SFDC allows for the further granularity I need unless I'm missing something.




You are correct.  This level of granularity does not exist.  "Manage Users" would need to be removed in order to prevent the other profile from altering the other.  The Setup Audit Trail does give some feedback into changes that were made though.


hmm just bumped into something what about delegated administrations??  ie.. setup / security controls / delegated administration


That could work assuming the role hierarchy is built in a way that allows it to happen.


Delegated administration is where you would assign a certain user to do Specific tasks like creating users and only adding certain profiles.


When you create a user you must choose a profile as it is a required field.


Delegated administration also allows you to specify which profiles are Allowed to be assigned to users, of course they cannot edit these profiles and this means that they cannot edit any profile, But I don’t think this will solve your issue.


You spoke about giving full admin rights to profile A so would you be including the permission "manage users" for profile A ?


Delegated Admin may be enough to satisfy the client now but I don't think that is 100% of what they want.  Yes they do want to assign certain users the ability to add other users to certain profiles and roles but they also would want the ability to edit those associated profiles.  I can't give them manage users permissions since that is too generic and not granular enough as it allows the ability to edit every profile which I do not want.  Really this is one org used by multiple entities where private data is very important for Entity A not to see Entity B all the way up from it's data to managing it's users.


So no full admin rights including 'manage users' will not be given to profile A in order to retain privacy. This has the unfortunate side effect of not being able to give the customer what that want..  simply certain users in profile A to manage all users in profile A as well as the settings of the profile without having any capability to touch profile B... it'd rather not even have profile B visible to profile but I don't think that is possible either.


Thank you!




As you say it's not that granular, this might be something for the ideas exchange.


From here you can see that you need the "manage user" permission to even edit a profile and it is then across the board



Of course manage users gives other rights, so you would have to have a fair level of trust in that user if giving that permission, so you spoke about sensitivedata, this is something you should consider when giving this permission


Generally the manage user permission is giving to the "System Administrator" profile, and this profile 99% of the time has the view all data and modify all data perms, so again the level of trust here would have to be 100%


Separately but related, the separation of data is usually done using record types as appose to profiles, I know this may not prevent security breaches but this is certainly the best conventional way

This way you can have different layouts appropriate to the 2 different types of business


Sometimes people use record types to separate their objects between the U.S and Europe

as different region of people need to see different fields and different layouts

Something in Europe may not apply in the U.S


Hope this helps in your overall business process decision as an alternative