Issue Solutions

Review profiles with “Modify All”

Admin Solution

This profile and/or permission set has the ability to Modify All Data. Review assigned users and confirm its use cases. Minimizing access to Modify All Data can help keep your org secure. 

Step 1: Identify Relevant Profiles and Permission Sets

Start by identifying Profiles and Permission Sets with Modify All Data permissions. You can use a tool like Hubbl Diagnostics, or attempt to identify them manually in Salesforce.

To review using Hubbl Diagnostics:

  1. Open your scan and select the Profiles and Permission Sets tab
  2. In Risky Permissions, click on Modify All Data to filter the list

To review manually in Salesforce:

  • Profiles: View each profile record and confirm if Modify All Data is checked.
  • Permission Sets: Create a new list view with a filter of “Modify All Data equals TRUE”.

Step 2: Review if Modify All Data is Required for Profile or Permission Set

Only a limited number of users should require Modify All Data, such as system administrators, and users associated with backup and restore software. Most scenarios do not require Modify All Data. Misuse of Modify All Data generally falls into one of two scenarios:

  1. Accidental use: The permission isn’t required, but was unintentionally included. This could be due to cloning an existing Profile or Permission Set, or accidentally checking it.
  2. Unknown permissions: This is common for integration users where it’s difficult to narrow down permissions without trial and error, or “delegated admin” type scenarios where a user has a subset of admin rights. In both cases, it’s possible to resolve the issue but it may take some time. The correct permissions may be View All or Modify All, but on specific objects, rather than system-wide.

Step 3: Update the Permission

  • In the "Quick Find" box on the left side of the Setup menu, type "Profiles" (or “Permission Sets”) and click "Profiles" under the "Users" section.
  • Scroll through the list of profiles or use the search function to find the profile that incorrectly has "Modify All" permissions.
  • Click on the profile name to open the profile details.
  • Look for the "System Permissions" or "Administrative Permissions" section and click "Edit".
  • Scroll down to find the "Modify All" permission. This might be under "General User Permissions" or a similar subsection. 
  • Uncheck the "Modify All" permission checkbox for each object it’s currently applied to, if it's not appropriate for this profile to have such broad access.
  • Click "Save" at the bottom of the page to apply the changes.

Step 4: Test the Changes

It's important to test the changes by logging in as a user with the modified profile (or having such a user test) to ensure they can still perform their required tasks without the "Modify All" permission. This will help you identify if any adjustments need to be made.

Note: Be cautious when modifying permissions, especially removing "Modify All" permissions, as it can impact users' ability to perform their jobs. Always communicate changes with the affected users beforehand. Test changes in a sandbox environment prior to deploying to production.

Developer Solution

This profile and/or permission set can Modify All Data. Review assigned users and confirm its use cases. Minimizing access to Modify All Data can help keep your org secure. 

Step 1: Identify Relevant Profiles and Permission Sets

Start by identifying Profiles and Permission Sets with Modify All Data permissions. You can use a tool like Hubbl Diagnostics, or write SOQL queries to find relevant profiles and permission sets.

To review using Hubbl Diagnostics:

  • Open your scan and select the Profiles and Permission Sets tab
  • In Risky Permissions, click on Modify All Data to filter the list

To review manually using SOQL queries:

For Profiles:

SELECT Id, Name FROM Profile WHERE PermissionsModifyAllData = TRUE

For Permission Sets:

SELECT Id, Name FROM PermissionSet WHERE PermissionsModifyAllData = TRUE AND ProfileId = NULL

Step 2: Review if Modify All Data is Required for Profile or Permission Set

Only a very limited number of users should require Modify All Data, such as system administrators, and users associated with backup and restore software. Most scenarios do not require Modify All Data. Work with your administrator to determine which Profiles and Permission Sets need to be updated.
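To support the review of assigned users, the following anonymous Apex lists each active user who holds Modify All Data together with the profile or permission set that grants it. This is an added example, not part of the original guide; it assumes the running user can query PermissionSetAssignment and relies on the fact that a profile is represented there by its profile-owned permission set.

```apex
// Added example (not from the original guide): report which active users
// hold Modify All Data and where the grant comes from.
Map<Id, List<String>> grantsByUser = new Map<Id, List<String>>();
Map<Id, String> usernames = new Map<Id, String>();

for (PermissionSetAssignment psa : [
    SELECT AssigneeId, Assignee.Username,
           PermissionSet.Name,
           PermissionSet.IsOwnedByProfile,
           PermissionSet.Profile.Name
    FROM PermissionSetAssignment
    WHERE PermissionSet.PermissionsModifyAllData = TRUE
      AND Assignee.IsActive = TRUE
    ORDER BY Assignee.Username
]) {
    // A profile-owned permission set means the grant comes from the profile.
    String source = psa.PermissionSet.IsOwnedByProfile
        ? 'Profile: ' + psa.PermissionSet.Profile.Name
        : 'Permission Set: ' + psa.PermissionSet.Name;

    if (!grantsByUser.containsKey(psa.AssigneeId)) {
        grantsByUser.put(psa.AssigneeId, new List<String>());
        usernames.put(psa.AssigneeId, psa.Assignee.Username);
    }
    grantsByUser.get(psa.AssigneeId).add(source);
}

// One line per user; a user with several sources keeps the permission
// until every listed source has been changed or unassigned.
for (Id userId : grantsByUser.keySet()) {
    System.debug(usernames.get(userId) + ' -> '
        + String.join(grantsByUser.get(userId), '; '));
}
System.debug('Active users with Modify All Data: ' + grantsByUser.size());
```

Running it again after Step 3 shows which users still hold the permission through another profile or permission set.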

Step 3: Write Apex Script to Update the Profile Permissions

To mass update profiles and permissions rather than editing individual items in the UI, a script can be created:

// Use the names from the queries in step 1
// A set of Ids could also be used rather than names
Set<String> profileNames = new Set<String>{'ExampleProfile', 'AnotherProfile'};
List<Profile> profilesToUpdate = [SELECT Id FROM Profile WHERE Name IN :profileNames];
for (Profile p : profilesToUpdate) {
    p.PermissionsModifyAllData = false;
}
update profilesToUpdate;

For Permission Sets simply substitute “PermissionSet” for Profile.

Step 4: Test the Changes

It's important to test the changes by logging in as a user with the modified profile (or having such a user test) to ensure they can still perform their required tasks without the "Modify All" permission. This will help you identify if any adjustments need to be made. Also, run all Apex tests and check for failures to determine whether the permission changes mean that any test code needs to be updated.

Note: Be cautious when modifying permissions, especially removing "Modify All" permissions, as it can impact users' ability to perform their jobs. Always communicate changes with the affected users beforehand. Test changes in a sandbox environment prior to deploying to production.
