- Salesforce Advanced Administrator Certification Guide
- Enrico Murru
- 2025-02-23 13:53:35
Delegated administration
Before jumping into monitoring and auditing, we're going to look at a Salesforce CRM feature that has been delivered to ease your daily life as an administrator, letting you concentrate on important tasks such as designing data-sharing policies or implementing business processes rather than unlocking users or creating new ones. If you are a good administrator, then you are good at multitasking, but this skill is not enough when dealing with user-crowded organizations or poorly trained users.
By delegating some administrative powers, we are granting users the ability to handle other users and other administrative tasks. This is especially useful when dealing with organizations with complex role hierarchies or organizations that are distributed worldwide, where it is hard for you to quickly answer user needs from the other side of the world (we are great administrators, but we need to sleep, too).
There are three ways to achieve this delegation:
- Assign selected users a System Administrator profile
- Assign a profile with Manage Users permission
- Enable delegated administration
Using the System Administrator profile is the easiest choice, but it leads to a potential Armageddon: we are giving our (sometimes poorly trained?) users the power to change every aspect of the organization. This is why we should not do this, unless the user in question will be a skilled administrator.
Another way to delegate is to assign the Manage Users permission. We can create a permission set with this system permission and assign it to certain users.
This is not a cool choice at all. In fact, we are giving a user way more than what we actually need them to have. They can now expire all passwords, clone, edit, or delete profiles, edit or delete sharing settings, and edit user login hours (I've seen people locking down their profiles with login hours when no other admin was there to help them!).
They can also create new system administrators because there is no restriction on the kind of profiles they can handle: that leads to the Armageddon we mentioned earlier.
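To see how far the Manage Users permission has already spread before replacing it with delegated administration, the following anonymous Apex lists every active user who holds it and where it comes from. This is an added example, not code from the book; it uses only the standard PermissionSetAssignment, PermissionSet, and Profile objects, and the variable names are illustrative.

```apex
// Added example (not from the book): audit who currently holds Manage Users.
// Run as anonymous Apex, for example from the Developer Console.
Map<String, List<String>> sourcesByUser = new Map<String, List<String>>();

for (PermissionSetAssignment psa : [
        SELECT Assignee.Username,
               PermissionSet.Label,
               PermissionSet.IsOwnedByProfile,
               PermissionSet.Profile.Name,
               PermissionSet.PermissionsModifyAllData
        FROM PermissionSetAssignment
        WHERE PermissionSet.PermissionsManageUsers = true
          AND Assignee.IsActive = true
        ORDER BY Assignee.Username]) {

    // Each profile is backed by its own permission set (IsOwnedByProfile = true),
    // so this single query covers both profile-granted and
    // permission-set-granted access.
    String source = psa.PermissionSet.IsOwnedByProfile
        ? 'profile "' + psa.PermissionSet.Profile.Name + '"'
        : 'permission set "' + psa.PermissionSet.Label + '"';

    // Flag grants that also carry Modify All Data: these are the
    // administrator-level assignments the text warns about.
    if (psa.PermissionSet.PermissionsModifyAllData) {
        source += ' (also Modify All Data)';
    }

    String username = psa.Assignee.Username;
    if (!sourcesByUser.containsKey(username)) {
        sourcesByUser.put(username, new List<String>());
    }
    sourcesByUser.get(username).add(source);
}

// One debug line per user, listing every source of the permission.
for (String username : sourcesByUser.keySet()) {
    System.debug(username + ' has Manage Users via '
        + String.join(sourcesByUser.get(username), ', '));
}
```

Any user in the output who only needs to unlock accounts or reset passwords is a candidate for a delegated administration group instead.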
The right choice is delegated administration, a safe method for providing delegated user management access by granting limited administrative privileges to a selected set of users.
After delegation, they'll be able to do the following:
- Create and edit users
- Unlock users
- Reset passwords
- Assign specific profiles
- Assign permission sets
- Assign users to public groups
- Log in as another user, for users who granted login access to their admins
- Manage custom objects (except when creating relationships or changing organization-wide sharing defaults)
Defining a delegated administration group is straightforward. Navigate to Setup | Security | Delegated Administration and click on the New button. This will bring up the following screen:

Fill in the following options:
- Name/developer name: Identify the group.
- Enable group for login access: Users within this group can log in as a user that they manage.
- Delegated administrators: Choose the trusted users that you want to be delegates.
- User administration: Users within selected roles will be administered by this group.
- Assignable profiles: Delegates can only assign users the selected profiles.
- Assigned permission sets: The same as assignable profiles, but applying to permission sets.
- Assignable public group: The same as assignable profiles, but applying to groups.
- Custom object administration: Custom objects that can be partially managed by delegates (for example, page layouts and new custom fields).
Remember that we cannot assign profiles or permission sets with the Modify All Data permission.
Delegates must fill in the Role field for the users they are creating, forcing them to put new users in the role hierarchy (as an administrator, when we create a new user, we don't need to fill in the role field). They also cannot modify any permission set.
Remember that we cannot assign partner and customer portal users to delegated administration. You can instead give portal administrative duties to portal users.
Once administrative delegation is enabled, we can start monitoring who does what and the status of our precious organization, as shown in the following sections.