Unwrapping AppExchange Packages
As I write this, Hanukkah is long over, Christmas is approaching, and when I’m not at work, I’m busily wrapping gifts for my family. As a child, when you received a gift, you may have had to decide whom to share it with – basically, who gets access to it. Today, when you install an AppExchange package, you have to make a similar decision. Who should get access to the new package’s components, and how should you give that access to them?
When you install an AppExchange app, one of the steps asks:
These are standard options: they’re present for every AppExchange package that you install. But what do these options mean?
These options determine who has access to the package’s components. They specify whether all admins (that is, all Profiles that have the “Customize Application” permission), all users, or only users with certain Profiles should have the following:
- Full access to all objects and fields in the package
- Execute access to all VF pages and Apex code in the package
- Access to all apps (i.e., those defined in the app pull-down) in the package
- Access to tabs, page layouts, and record types based on how they’re defined in the package
Often, the package’s installation instructions will tell you which option to choose. However, if they don’t, here are some guidelines:
If the package includes a configuration page that you don’t want non-admins to use, you should not use Grant Access to All Users. Selecting that option will grant access to the admin page to all users, include the non-admins.
If the package includes permission sets that grant access to the package’s components, you should pick the Select Security Settings option (which lets you specify access at a per-Profile level), give all of the Profiles “No Access,” and then use the permission sets to grant access on a user-by-user basis.
Alternatively, you can pick Grant Access to Admins Only to give just admins full access to all of the package’s components, and then use permission sets (if they’re included in the package) to grant user-level access to individual components.
Note that none of the above impacts app licenses. If the app is licensed at a per-set level (that is, if you don’t have a site-wide license), you’ll need to add licenses for those users, via Setup | Installed Packages | app name | Manage Licenses. This is important, because even if you pick Grant Access to All Users, users will still need to have a license to the app in order to be able to see any of its components.
With that, it’s back to gift wrapping for me. I wonder if my father would appreciate a gift-wrapped version of the new OpFocus Quote Sync app….