User Profiles and Permission Sets related to Pardot licensed orgs were modified by Salesforce
API , Platform , Sales and Marketing , Service , Custom Objects , Sandbox , Communities , Pardot
Last updated 2020-08-05 ·Reference W-6156078 ·Reported By 1000 users
Fixed
Summary
For the latest information on this issue, please read our root cause update:
https://help.salesforce.com/articleView?id=000320234&type=1&mode=1
What’s the issue?
On May 17, 2019, Salesforce blocked access to certain instances after an incident involving broader permissions being applied to users within Salesforce orgs that have -- or previously had -- Pardot. As of May 18, 2019, access for users with a System Administrator profile has been restored to customers affected by the database script issue, and full access has been restored to customers unaffected by the database script issue.
NOTE: Only users within an impacted org could have been granted additional permissions for data within that org. To remedy those permissions, Salesforce blocked access by temporarily reducing permissions on instances and customer orgs, causing the disruption.
What was the impact?
While this issue only impacted customers that use the Pardot service or previously used the Pardot service, to protect our customers, Salesforce blocked access to all instances that contain affected orgs.
How did Salesforce respond?
Salesforce initially blocked access to all instances that contained affected customer orgs. Once we were able to isolate the affected orgs, we restored access to non-affected customer orgs. As of May 18, 2019, access for users with a System Administrator profile has been restored to affected customer orgs. We continue to work to restore permissions for affected orgs to where they were prior to this issue.
What actions can I take now?
Now that we have restored administrator access to all affected orgs, please see the workaround section for details on how to restore your profiles and user permissions
Repro
Not Applicable
Workaround
Can I restore my profiles and user permissions?
Two options exist to restore production profiles and permissions from a Sandbox Copy
Option 1: Sandbox containing production profiles and permission sets exists
- To determine if your Sandbox Copy contains a valid backup of the data, check the Profiles and Permission Sets in Setup under “Administration/Users”.
- If your non-admin profiles are configured such that all of the “Standard Object Permissions” (Read, Create, Edit, Delete) are unchecked, then the sandbox org was impacted and is not a valid source for recovery.
- Object permissions may be deployed from Sandbox to Production orgs.
Please see the documentation links below for details.
Change Set Documentation: https://help.salesforce.com/articleView?id=code_tools_changesets.htm&type=5
Ant Migration Tool Documentation: https://help.salesforce.com/articleView?id=code_tools_ant_using.htm&type=5
NOTE:
- The Sandbox configuration may be outdated and not identical to the production org before the incident. Carefully review these settings before deploying them to production. We recommend testing with a subset of profile and permission sets before migrating all en masse.
- Profile metadata for object permissions require the associated object and dependent components to be included in the same deployment for change sets. Since it is not possible to include standard objects as components in change sets, deploying profiles to reset object access is not advisable and will not work for standard objects.
Admins may deploy permission sets without including related object metadata as components in a change set to reset permission set object access.
If deploying profiles, it is recommended to leverage the Metadata API and supported client tool such as the Ant Migration Tool or Force.com IDE.
Option 2: Sandbox containing production profiles and permission sets does not exist
If a Sandbox containing production profiles and permission sets does not exist and there is an organizational need for you to restore, Admins can manually modify Profile and Permission Set configurations to grant appropriate access to their users.
Edit Profiles Documentation:
https://help.salesforce.com/articleView?id=users_profiles_orig_ui_editing.htm&type=5
Permission Sets Documentation:
https://help.salesforce.com/articleView?id=perm_sets_overview.htm&type=5
I'm an Admin experiencing errors logging into my org. What should I do?
- If you are unable to log into your Salesforce org as a user with a System Administrator profile, please contact Salesforce for help resolving this issue.
How do I modify permissions or profiles that are uneditable?
- Admins of affected orgs are able to modify Custom Profiles and Permission Sets only.
Salesforce is working on restoring edit capabilities for Standard Profiles and Permission Sets.
As a Field Service Lightning (FSL) administrator, how can I update the Permission Sets that it requires?
- Please see the following document for instructions on how to update Field Service Lightning Permission Sets: https://quip.com/ajsaAQ0mlT0f
When I try to edit a Custom Profile, I receive an error message about dependencies. What should I do?
These dependency errors can be resolved by identifying the permission depended upon, and toggling it off and then back on in the Profile.
NOTE: Please make sure you want the designated permission enabled. These error messages are expected when the required permission is not enabled for the user.
1. Go to the Setup tree and click on the "User Management Settings" node under the "Manage Users" sections, and turn off the "Enhanced Profile User Interface".
2. Edit the Custom Profile and click OFF and ON for every user permission that is resulting in an error.
- For example, if you see the error "Permission Manage Cases depends on permission(s): Create Cases, Delete Cases, Edit Cases, Read Cases" then click OFF AND ON for the user permission "Manage Cases."
When I try to edit a Custom Permission Set, I receive an error message about dependencies. What should I do?
These dependency errors can be resolved by identifying the permission depended upon, and toggling it off and then back on in the Permission Set.
NOTE: Please make sure you want the designated permission enabled. These error messages are expected when the required permission is not enabled for the user.
1. Go to the Setup tree and click on the "User Management Settings" node under the "Manage Users" sections, and turn off the "Enhanced Profile User Interface"
2. Using the API/Workbench, turn off the affected user permissions identified in the dependency errors, in one API call. This will be on the PermissionSet object.
3. Go to Setup, edit the Custom Permission Set, turn on the same user permissions disabled in step 2.This will set the dependent object permissions.
- For example, if you see the user permissions dependencies error, "Permission Manage Cases depends on permission(s): Create Cases, Delete Cases, Edit Cases, Read Cases" then take the following steps to toggle the "Manage Cases" permission:
-- Using the API/Workbench, update the Permission Set record to turn off this permission: PermissionsManageCases.
-- Using Setup in the browser, edit the Permission Set to turn on "Manage Cases."
Reported By (1000)

































































































































































































































Any unreleased services, features, statuses, or dates referenced in this or other public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available.