Hey folks, we’re going to talk about Salesforce Custom Permissions today!
Imagine you have a requirement to give some users the permission to cancel an Order in Salesforce.
On top of that, the business wants to restrict the right to cancel orders only to those who can approve Orders. That’s where custom permissions come in! Let’s deep dive into this feature…
What are custom permissions in Salesforce?
Custom permissions are permissions you create to differentiate users who can perform an action from those who can’t.
For Salesforce features that come out of the box, of course you can control the permissions by editing the profile or permission set, but when it comes to the business rules expected by your company, you have to go custom!
Why not just check the user’s Permission Set / Profile?
Yes, you’re right. It’s possible and I’ve seen it on several Salesforce implementations. But…
- It’s not possible to check if a user has a given Permission Set in a validation rule: you need to go with a Trigger, bulkify, write the unit test… arf… a lot of work 😉
- If you want to check a long list of user profiles in a validation rule, it will become hard to read…
Long story short: don’t do that. It’s painful and your implementation is not sustainable. Prefer custom permissions.
Create the custom permissions
For this requirement, we’ll need 2 custom permissions:
- Approve order
- Cancel order
To implement the fact that Cancel Order requires Approve Order, check the required custom permissions section for Cancel order and add Approve order.
Assign Salesforce Custom Permissions to users
There are 2 ways to assign Custom Permissions to a user:
Permission set method
- From Setup, enter Permission Sets in the Quick Find box, then select Permission Sets.
- Select the permission Set you want to add the custom permission to
- Go to custom permission and add the custom permissions you want
Note that the requirement is perfectly implemented: if I try to add the Cancel Order Custom permission set without the Approve Order, it’s not allowed!
Profile method
For adding a Custom Permission Set to a profile, it’s the same process as for permission sets:
- From Setup, enter Profile in the Quick Find box, then select Permission Sets.
- Select the profile you want to add the custom permission to
- Go to “Enabled Custom Permissions” and add the custom permissions you want
Implement the Custom Permission checks
Check Custom permission in validation rule
Easy to do, just use $Permission in the validation rule:
!$Permission.Cancel_Order_CUST_PERM
&&
ISPICKVAL(Status, 'Canceled')
&&
ISCHANGED(Status)
Check custom permission in a Trigger
For an implementation in a Trigger, and more generally speaking in any Apex code, use the static FeatureManagement.checkPermission method as shown below.
(Note that, to keep the code simple, the implementation below doesn’t follow the trigger best practices; please check them.)
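trigger OrderTrigger on Order (before insert, before update) {
    // Check the running user's custom permission once, outside the loop.
    Boolean canCancelOrder = FeatureManagement.checkPermission('Cancel_Order_CUST_PERM');
    for (Order loopOrder : Trigger.new) {
        // Flag every Canceled order saved by a user without the permission.
        Boolean raiseError = loopOrder.Status == 'Canceled';
        raiseError = raiseError && !canCancelOrder;
        if (raiseError) {
            // addError in a before trigger prevents the record from being saved.
            loopOrder.addError('You cannot cancel the order');
        }
    }
}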
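The trigger above looks only at the new Status, so a user without the permission also gets the error when editing any other field of an order that is already Canceled. The handler below is an added example, not the author's code: it raises the error only when Status becomes Canceled, like the ISCHANGED(Status) condition in the validation rule. OrderCancelGuard and enforce are hypothetical names, and blocking an insert with Status already set to Canceled is an assumption carried over from the trigger above.

```apex
// Added example. Class and method names are hypothetical.
public with sharing class OrderCancelGuard {
    // API name of the custom permission used on this page.
    private static final String CANCEL_PERMISSION = 'Cancel_Order_CUST_PERM';
    private static final String CANCELED_STATUS = 'Canceled';

    // Call from a before insert / before update trigger on Order:
    //   OrderCancelGuard.enforce(Trigger.new, (Map<Id, Order>) Trigger.oldMap);
    public static void enforce(List<Order> newOrders, Map<Id, Order> oldOrdersById) {
        // The permission belongs to the running user, so it is checked once
        // per transaction rather than once per record.
        if (FeatureManagement.checkPermission(CANCEL_PERMISSION)) {
            return;
        }
        for (Order newOrder : newOrders) {
            if (newOrder.Status != CANCELED_STATUS) {
                continue;
            }
            // Trigger.oldMap is null on insert, so a record inserted as
            // Canceled counts as a cancellation too.
            Order oldOrder = (oldOrdersById == null)
                ? null
                : oldOrdersById.get(newOrder.Id);
            Boolean becameCanceled =
                oldOrder == null || oldOrder.Status != CANCELED_STATUS;
            if (becameCanceled) {
                // Same error message as the trigger above.
                newOrder.addError('You cannot cancel the order');
            }
        }
    }
}
```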
Check custom permission in a Salesforce Flow
Same as in the Validation Rule, use the Permission variable to check if the current user has the custom permission or not.
The {!$Permission.Cancel_Order_CUST_PERM} below allows me to do this check in the implemented flow.
As of the new Salesforce Winter ’24 release, it’s now possible to add an error to prevent the record save in a trigger, so don’t hesitate, use it!