As a salesforce administrator, you would always be facing situations on huge number of profiles and roles which eventually get duplicated and clog the whole org resulting in a huge mess. Obviously we know the impacts of a large number of duplicate profiles and roles. It adds to a lot of unwanted maintenance time and every page layout and record type change has to grow through profiles. So the question is how do we clean up our profiles and roles and make a smooth release without impacting the current system?

1. Identify the  profiles

First make a list of profiles to be cleaned up. These profiles is could be part of your duplicate profile cleaning up exercise or unwanted profiles which you feel no longer needed.

2. Analyze impact

Next step is to take each profile and identify configuration and code components which use these profiles. This can be done easily by downloading the project in eclipse and adding all the configuration components in it. Then do a search on the eclipse project for the profile name and eclipse would find any references for the profiles in all the components. My profile impact analysis sheet would help you to identify the components to look for potential profile references. Create a mapped profile sheet which would map the old profiles to the new profiles.

3. Reassign current users to new profiles

Using list views, you can identify list of users who use the cleaned up profile. With data loader, the profile ids of the old user can be replaced with new profiles and reuploaded to a sandbox for testing.

4..Watch out for extraneous permissions

Compare the old profile and new profile and identify unique profile settings which the old profiles have in terms of field security settings, object permissions, apex and visual force. Make a list of these settings and ensure that they would be addressed in the new mapped profile. To compare the profiles, the easiest way is to download the project in eclipse to a folder. Then using beyond compare tool, you can compare old profiles to new ones and identify the unique permissions.

4. Roll back plan

Refresh the production org to a new sandbox with all the configuration settings. Now on the refreshed sandbox, create a changeset with all the current profiles in production. This would be changeset which you would use to deploy if there is a major issue. Create an excel file with the old users mapped to the old profiles which can be used to update the users with the old profile. With the unique permission list which you identified for the old profiles, create a manual instruction which can be used to remove all the unwanted permissions from the new profiles so that the permissions are restored back to the old profiles.

6. implement the profile clean up in your production org.

If the profile clean up goes well in your testing, you can do the production rollout in the following sequence

a. Reassign users to the new profile using data loader

b. Update unique permissions to the new mapped profiles.

c. Delete the old profiles.

d. Create a test class which would check for extraneous permissions on the new mapped profiles which would throw an error if there is a mismatch in permissions.

Using the above strategy , profile clean up can easily be done and a smoother release can be done easily. Please click like if you like this post or please feel free to email me at buyan@sforcemaximizer.com for further questions.