Can I compare Profiles?
My name is Adam Torman and I'm a platform product manager at salesforce.com responsible for profiles and permission sets.
I get this question quite a bit and I wish there was an 'easy' button to push that could give you the information you're looking for.
The reality is that the concept of 'easy' doesn't scale nearly as well as a user's profile or permission set.
Take an org with 100 custom objects, each object with approximately 50 fields. Add on average 2 page layouts per object with a record type apiece. Include 10 apps, 100 Apex classes and 100 Visualforce pages. For any given profile or permission set, that means there are 11,000 permissions that can be configured ((100*6) + (100*50*2) + (100*2) + (200)) with an almost infinite number of possible combinations.
And that's not even everything that a profile can contain! Add to that 10 profiles you want to combine and compare across 100 users with 20 add-on permission sets and you have a proverbial needle in the haystack.
So when it comes to administering profiles and permission sets, it's really about finding the right tool for the job. There are many tools available to manage these profiles and permission sets, but no single tool I would recommend because every tool begins with a fundamental question, "what do I want to know" or "what do I want to do"?
Examples of questions I frequently hear include:
Who has Modify All Data?
Does Sam Bradley have the right to click on this tab or view that Visualforce page?
What's different between Sam Bradley and Mike Liescher?
What's different between the Standard User and the Basic profiles?
What's different between the PTO Manager and PTO Administrator permission sets?
How can I assign this permission set to 100 new users?
How can I remove the Modify All Data permission from any users with the Basic Profile or who have North American Managers in their title?
How can I automate the assignment of the API Enabled permission set anytime a user becomes a manager and remove it if it no longer applies?
How can I disable the View All Data permission from all profiles, add it to a single permission set, and assign it to all users who originally had the profile with the permission?
How can I organize my permission sets the same way I organize my business or distribute apps to people?
Each question maps to a specific task that I am performing as an administrator. Now combine each task with the concept that each user, profile, and permission set can contain an infinite number of permission and settings combinations and you have the need to find the right tool for the right job to answer the right question. And each task may map to a different tool or API that can be used to answer it.
There are some great resources to help answer specific questions. For instance:
I did a great Dreamforce 2012 session with Sherrie Smith from Paychex Inc where we outlined some techniques comparing and managing profiles: http://www.youtube.com/watch?v=LcqS1KvMvK8
I did another great Dreamforce 2012 session with some of my team members and partners where we dug into some of the great tools you can build on top of our API: http://www.youtube.com/watch?v=LcqS1KvMvK8
One of those tools included a graphical interface for comparing users, profiles, and permission sets but looking specifically at their user permissions: https://perm-comparator.herokuapp.com by John Brock
Check out: Using SOQL to determine your force.com user's permissions ( http://blogs.developerforce.com/engineering/2012/06/using-soql-to-determine-your-users-permissions-2.html )
Probably the best tool for a more extensive comparison of profiles is the force.com IDE native compare ( http://wiki.developerforce.com/page/Force.com_IDE ). Mike Chale's comment about using the ANT Migration Tool is another manifestation of this.
There are some other great open resources that take the MdAPI XML and parse it to show differences like Quick Diff ( http://www.quickdiff.com/ ), or Model Metrics Diff Dog - Setting up and using DiffDog for Salesforce.com ( http://www.modelmetrics.com/tomgersic/setting-up-and-using-diffdog-for-salesforce-com-deployment-validation/ )
There are also some great AppExchange Packages including:
The Permissioner by Arkus: ( https://sites.secure.force.com/appexchange/listingDetail?listingId=a0N30000008XYMlEAO )
Snapshot by Dreamfactory: ( https://sites.secure.force.com/appexchange/listingDetail?listingId=a0N300000016cejEAA# )
The key part here really is identifying what you want to compare and why. The why part is pretty important since once you know how profiles are different, you'll want to do something with that information.
Hope this helps some! Give a shout if you want some help with it.
AT
Yes, you can compare profiles, however it's a bit limited. You can compare up to 15 settings, using a view.
Go to: Setup -> Manage Users -> profiles -> Create a new View.
Give it a name, and select the Settings you want to compare.
It's indeed limited, but it's better than nothing.
I'll point out that the way I solved the too_many_profiles was to start and move users from one to another, and wait for them to complain. I used to notify them of the change, and ask them to let me know if/what has changed. Then I create a permission set for them, and all is well.
Found that solution to be very sufficient.
*Some personal story: this was actually an idea in SF ideas that I asked for, and it was delivered :-)
http://success.salesforce.com/ideaView?id=08730000000BpoAAAS
My preferred method is by retrieving the profile details with the ANT-based Migration Tool. You can configure it to retrieve profiles and roles, which will come down as XML files. These can then be compared using your favorite diff tool.
More details on the Migration tool can be found on the Salesforce site.
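An added example, not part of the answers above: a plain text diff of two retrieved profile XML files is sensitive to element order and treats an explicit `false` differently from a missing entry, so this Python sketch compares only what each profile actually grants. The two sample profiles are constructed for illustration; `load_grants`, `diff_profiles` and `wrap` are names assumed here, and only the `userPermissions`, `objectPermissions` and `fieldPermissions` sections of the Metadata API profile format are covered.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"
# Profile section -> child element that names the entry within that section.
KEYS = {"userPermissions": "name", "objectPermissions": "object",
        "fieldPermissions": "field"}

def load_grants(xml_text):
    """Return the set of (section, entry, flag) triples whose value is true."""
    grants = set()
    root = ET.fromstring(xml_text)
    for section, key in KEYS.items():
        for node in root.findall(NS + section):
            entry = node.findtext(NS + key)
            for child in node:
                flag = child.tag[len(NS):]
                if flag != key and (child.text or "").strip() == "true":
                    grants.add((section, entry, flag))
    return grants

def diff_profiles(left_xml, right_xml):
    """Grants present only on the left, and only on the right."""
    left, right = load_grants(left_xml), load_grants(right_xml)
    return sorted(left - right), sorted(right - left)

def wrap(body):  # helper for the constructed samples below
    return '<Profile xmlns="http://soap.sforce.com/2006/04/metadata">%s</Profile>' % body

# Constructed sample profiles (not retrieved from a real org).
STANDARD = wrap("""
  <objectPermissions><allowEdit>true</allowEdit><allowRead>true</allowRead>
    <object>Account</object></objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
""")
BASIC = wrap("""
  <fieldPermissions><editable>false</editable><field>Account.Phone</field>
    <readable>true</readable></fieldPermissions>
  <objectPermissions><allowEdit>false</allowEdit><allowRead>true</allowRead>
    <object>Account</object></objectPermissions>
  <userPermissions><enabled>false</enabled><name>ModifyAllData</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
""")

if __name__ == "__main__":
    only_standard, only_basic = diff_profiles(STANDARD, BASIC)
    for grant in only_standard:
        print("only in Standard User:", *grant)
    for grant in only_basic:
        print("only in Basic:", *grant)
```

Reviewing the "only in" lists for high-impact flags such as `ModifyAllData` gives a shorter audit trail than reading a full line-by-line diff.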