Always Thinkin

.profile XML files: customizing, diffing, extracting?

I need help finding a good way to compare Profiles to each other. I want to be able to see and extract the diff between two Profiles to determine what Object-level, Field-level and Permissions exist in one but not in the other. The goal is to build Permissions Sets that contain the differences, and then to reduce the number of Profiles we have. We will add the Permissions Sets to Users who need access to more fields or permissions (e.g. Send Mass Email).


I have done text comparisons between the .profile XML files generated by the IDE, but there's not an easy way to copy just the differences that I know of. Additionally, the XML would have to be converted to a spreadsheet (or other user-friendly format) that I can give to Premier Support & Admin so that they can build the Permissions Sets.
A difficulty with the .profile XML files is that they do not contain the App & System Permissions (userPermissions tags such as Send Mass Email), although the new Permissions Sets XML files do! This leads me to believe that the userPermissions metadata is somehow accessible for the .profiles and that the IDE has not been updated to include it yet.
I've queried the Profiles through Apex and all you get is the Permissions but not the Field-level or Object-level security. I recognize that a query would have to join so many objects to derive the complete list of all permissions that the .profile XML files show that it's unlikely to be possible.
Because we have to do this for 4 orgs with 20-30 profiles in each, I'm trying to find the most efficient way to generate the diffs (we don't have to do every possible combination but possibly as many as 100).
So, to summarize:
Is there a way to build a custom .profile XML?
What's an efficient way to extract a diff to a friendly format?

Thanks for posting!!


This is a tough problem to solve. A profile, and a permission set for that matter, can contain values for upwards of several million access control rows (up to 2000 custom objects times up to 800 custom fields per object = 1.6 million rows before you add in custom Apex classes and pages and then multiply all of that by up to 1000 permission sets per org and an unlimited number of profiles).


Right now, the best way to handle this is through a combination of the sObject SOAP and Metadata API. sObject API because it covers user permissions in both, Metadata API because it covers custom component access controls for most of the rest of it.


An example of a tool that will help today from Model Metrics is the DiffDog: http://www.modelmetrics.com/general/setting-up-and-using-diffdog-for-salesforce-com-deployment-validation/.


There's also a great little app built on Heroku that allows you to compare metadata: http://forcecontinuum.herokuapp.com/step1.jsp


Ultimately, these tools are as good as the API they consume. We are working on adding more support for permission sets with the API - stay tuned!
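For the diff-to-spreadsheet step asked about in the question, here is an added example (not code from either poster or from the tools linked above) that reduces two .profile files to the grants one has and the other lacks, and writes them as CSV. It assumes the files use the Metadata API `objectPermissions`, `fieldPermissions` and `userPermissions` elements; the sample profiles and the `MassEmail` permission name in them are constructed.

```python
import csv
import io
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"
# Section element -> child element naming what the grant applies to (assumed layout).
SECTIONS = {"objectPermissions": "object", "fieldPermissions": "field",
            "userPermissions": "name"}

def granted(profile_xml):
    """Return the (section, target, permission) triples that are set to true."""
    grants = set()
    root = ET.fromstring(profile_xml)
    for section, key_tag in SECTIONS.items():
        for entry in root.findall(NS + section):
            target = entry.findtext(NS + key_tag)
            if target is None:
                continue  # malformed entry, nothing to attribute the grant to
            for child in entry:
                name = child.tag.replace(NS, "", 1)
                if name != key_tag and (child.text or "").strip().lower() == "true":
                    grants.add((section, target, name))
    return grants

def extra_grants(base_xml, other_xml):
    """Grants the other profile has that the base lacks: permission set candidates."""
    return sorted(granted(other_xml) - granted(base_xml))

def to_csv(rows):
    """Render the diff as CSV so it can be opened as a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["section", "target", "permission"])
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample profiles (not taken from a real org).
HEAD = '<Profile xmlns="http://soap.sforce.com/2006/04/metadata">'
BASE = HEAD + """
  <fieldPermissions><editable>false</editable><field>Account.Rating</field><readable>true</readable></fieldPermissions>
  <objectPermissions><allowCreate>false</allowCreate><allowRead>true</allowRead><object>Account</object></objectPermissions>
</Profile>"""
OTHER = HEAD + """
  <fieldPermissions><editable>true</editable><field>Account.Rating</field><readable>true</readable></fieldPermissions>
  <objectPermissions><allowCreate>true</allowCreate><allowRead>true</allowRead><object>Account</object></objectPermissions>
  <userPermissions><enabled>true</enabled><name>MassEmail</name></userPermissions>
</Profile>"""

if __name__ == "__main__":
    print(to_csv(extra_grants(BASE, OTHER)), end="")
```

Running the diff in both directions shows whether one profile is a strict superset of the other, which is the case where the smaller profile plus a permission set can replace the larger one.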