Unwrapping AppExchange Packages

Unwrapping Appexchange packageAs I write this, Hanukkah is long over, Christmas is approaching, and when I’m not at work, I’m busily wrapping gifts for my family. As a child, when you received a gift, you may have had to decide whom to share it with – basically, who gets access to it. Today, when you install an AppExchange package, you have to make a similar decision. Who should get access to the new package’s components, and how should you give that access to them?

When you install an AppExchange app, one of the steps asks:


These are standard options: they’re present for every AppExchange package that you install. But what do these options mean?

These options determine who has access to the package’s components. They specify whether all admins (that is, all Profiles that have the “Customize Application” permission), all users, or only users with certain Profiles should have the following:

  • Full access to all objects and fields in the package
  • Execute access to all VF pages and Apex code in the package
  • Access to all apps (i.e., those defined in the app pull-down) in the package
  • Access to tabs, page layouts, and record types based on how they’re defined in the package

Often, the package’s installation instructions will tell you which option to choose. However, if they don’t, here are some guidelines:

If the package includes a configuration page that you don’t want non-admins to use, you should not use Grant Access to All Users. Selecting that option will grant access to the admin page to all users, include the non-admins.

If the package includes permission sets that grant access to the package’s components, you should pick the Select Security Settings option (which lets you specify access at a per-Profile level), give all of the Profiles “No Access,” and then use the permission sets to grant access on a user-by-user basis.

Alternatively, you can pick Grant Access to Admins Only to give just admins full access to all of the package’s components, and then use permission sets (if they’re included in the package) to grant user-level access to individual components.

Note that none of the above impacts app licenses. If the app is licensed at a per-set level (that is, if you don’t have a site-wide license), you’ll need to add licenses for those users, via Setup | Installed Packages | app name | Manage Licenses. This is important, because even if you pick Grant Access to All Users, users will still need to have a license to the app in order to be able to see any of its components.

With that, it’s back to gift wrapping for me. I wonder if my father would appreciate a gift-wrapped version of the new OpFocus Quote Sync app….

MJ Kahn, SVP of Technology at OpFocus

about the author

MJ Kahn

At OpFocus, MJ architects and constructs solutions that would impress the builders of the pyramids. She solves technical puzzles that would frustrate daVinci. She leaps tall buildings (like the new Salesforce tower) in a single bound.

Well ok, maybe she doesn’t. But she does help lead an amazing team of smart, talented, and dedicated consultants who do. MJ’s job at OpFocus is provide technical leadership and guidance to OpFocus clients and team members so that, working together, we can create innovative yet practical solutions to real-world business problems within the Salesforce ecosystem.

Prior to OpFocus, MJ built an extensive background in technology and has held a variety of development, consulting, and management positions at companies like Sybase, Vignette, and Honeywell, among others. In these roles, MJ’s focus was helping companies effectively and intelligently use technology to solve business problems. An Apex and Visualforce consultant since mid-2008, MJ has worked with scores of companies to help them understand and utilize platforms like Force.com to solve business issues and also guide them in developing their own AppExchange product offerings.