I have a managed package with some custom Lead fields and a few custom objects. I'd like the clients who install our package to have a few more levels of access to our custom objects other than 'Full Access' and 'No Access' (eg maybe a 'Read Only). My first thought was to package a Profile and have those permissions mapped on the 'Choose Security Level' screen of the package install, but then it came up that Standard Profiles can't be changed so they'd need to either already have custom Profiles or create them just for our package install. That then led me to Permission Sets, which can be manually assigned to specific users. The downside to this route is that you'd have to assign each user the permission set one by one (although there might be an app that does it). Has anybody else encountered this dilemma and what course of action makes most sense? One or the other, or both?

I am using the web server oauth2 flow and have an application that lets a user connect 2 salesforce orgs to my application (which is Python/Django).  I found that if the user authenticates org 1 they come back to my app and when we try to send them to authenticate org 2 it automatically redirects them back to my site (the callback url) with the credentials for org 1.

Unfortunately, that means they have to log out of each org to set up the connection for the next one.  Is there a way to always prompt the user when they hit the oauth approval page instead of immediatly bouncing them back immately?  I tried changing the "state" parameter too but no luck - it just assumes if you've been authenticated for one org that you have to go back to that one if you're still logged into it.  The immediate parameter is defaulted to false and i even explicitly tried to set it with no luck.  I just want it to get that prompt page so you can get the option to log out and login as a new org.

Thoughts?