This profile and/or permission set has the ability to Modify All Data. Review assigned users and confirm its use cases. Minimizing access to Modify All Data can help keep your org secure.
Step 1: Identify Relevant Profiles and Permission Sets
Start by identifying Profiles and Permission Sets with Modify All Data permissions. You can use a tool like Hubbl Diagnostics, or attempt to identify them manually in Salesforce.
To review using Hubbl Diagnostics:
- Open your scan and select the Profiles and Permission Sets tab
- In Risky Permissions, click on Modify All Data to filter the list
To review manually in Salesforce:
- Profiles: View each profile record and confirm if Modify All Data is checked.
- Permission Sets: Create a new list view with a filter of “Modify All Data equals TRUE”.
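To cover both lists in one pass and see who is actually assigned, you can query PermissionSetAssignment and group the results by where the permission comes from. The following is an added example, not part of the original guide or of Hubbl Diagnostics; the sample response and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# SOQL for the Developer Console Query Editor or the REST query endpoint.
# A profile's permissions live on a profile-owned PermissionSet row, so this
# single query covers both profiles and permission sets.
SOQL = """SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Label,
       PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsModifyAllData = true"""

# Constructed sample, trimmed to the queried fields (not real org data).
SAMPLE = json.loads("""{"totalSize": 4, "done": true, "records": [
 {"Assignee": {"Username": "admin@example.com", "IsActive": true},
  "PermissionSet": {"Label": "X1", "IsOwnedByProfile": true,
                    "Profile": {"Name": "System Administrator"}}},
 {"Assignee": {"Username": "former@example.com", "IsActive": false},
  "PermissionSet": {"Label": "X1", "IsOwnedByProfile": true,
                    "Profile": {"Name": "System Administrator"}}},
 {"Assignee": {"Username": "integration@example.com", "IsActive": true},
  "PermissionSet": {"Label": "X2", "IsOwnedByProfile": true,
                    "Profile": {"Name": "Support Clone"}}},
 {"Assignee": {"Username": "integration@example.com", "IsActive": true},
  "PermissionSet": {"Label": "Data Loader Integration",
                    "IsOwnedByProfile": false, "Profile": null}}]}""")

def grants_by_source(response, active_only=True):
    """Map each granting profile or permission set to its assigned usernames."""
    grants = defaultdict(list)
    for rec in response["records"]:
        user, ps = rec["Assignee"], rec["PermissionSet"]
        if active_only and not user["IsActive"]:
            continue
        if ps["IsOwnedByProfile"]:
            source = "Profile: " + ps["Profile"]["Name"]
        else:
            source = "Permission Set: " + ps["Label"]
        grants[source].append(user["Username"])
    return {src: sorted(users) for src, users in grants.items()}

def multiple_grants(response):
    """Users who keep Modify All Data if only one of their grants is removed."""
    per_user = defaultdict(list)
    for source, users in grants_by_source(response).items():
        for name in users:
            per_user[name].append(source)
    return {u: sorted(s) for u, s in per_user.items() if len(s) > 1}

if __name__ == "__main__":
    for source, users in grants_by_source(SAMPLE).items():
        print(source, "->", ", ".join(users))
    print("Granted more than once:", multiple_grants(SAMPLE))
```

Users listed by multiple_grants still hold the permission after a single profile or permission set is corrected, so each of their sources needs review.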
Step 2: Review if Modify All Data is Required for Profile or Permission Set
Only a limited number of users should require Modify All Data, such as system administrators and users associated with backup and restore software. Most scenarios do not require Modify All Data. Cases where Modify All Data is being misused generally fall into one of two scenarios:
- Accidental use: The permission isn’t required, but was unintentionally included. This could be due to cloning an existing Profile or Permission Set, or accidentally checking it.
- Unknown permissions: This is common for integration users where it’s difficult to narrow down permissions without trial and error, or “delegated admin” type scenarios where a user has a subset of admin rights. In both cases, it’s possible to resolve the issue but it may take some time. The correct permissions may be View All or Modify All, but on specific objects, rather than system-wide.
Step 3: Update the Permission
- In the "Quick Find" box on the left side of the Setup menu, type "Profiles" (or "Permission Sets") and click "Profiles" under the "Users" section.
- Scroll through the list of profiles or use the search function to find the profile that incorrectly has "Modify All" permissions.
- Click on the profile name to open the profile details.
- Look for the "System Permissions" or "Administrative Permissions" section and click "Edit".
- Scroll down to find the "Modify All" permission. This might be under "General User Permissions" or a similar subsection.
- Uncheck the "Modify All" permission checkbox for each object it’s currently applied to, if it's not appropriate for this profile to have such broad access.
- Click "Save" at the bottom of the page to apply the changes.
Step 4: Test the Changes
It's important to test the changes by logging in as a user with the modified profile (or having such a user test) to ensure they can still perform their required tasks without the "Modify All" permission. This will help you identify if any adjustments need to be made.
Note: Be cautious when modifying permissions, especially removing "Modify All" permissions, as it can impact users' ability to perform their jobs. Always communicate changes with the affected users beforehand. Test changes in a sandbox environment prior to deploying to production.