[SalesForce] Lightning App in managed package gets assigned to all profiles

I have a Lightning app — a collection of custom object tabs, plus a couple Lightning component tabs. It should only be accessible to the admin, permission for which happens during installation via a perm set. In the App Manager, I have not selected ANY profiles to which the app should be assigned. It's that way on my scratch org, and that way in my packaging org.

However, when I package it and install on an Enterprise org for testing, the app is visible to all. When I go into App Manager, all profiles are sitting over on the right side, as selected.

Any idea why this happens?

Best Answer

This is detailed in the following article:

https://developer.salesforce.com/docs/atlas.en-us.appExchangeInstallGuide.meta/appExchangeInstallGuide/appexchange_install_installation.htm

Install for Admins Only

Specifies the following settings on the installing administrator’s profile and any profile with the "Customize Application" permission.

  • Object permissions—“Read,” “Create,” “Edit,” “Delete,” “View All,” and “Modify All” enabled
  • Field-level security—set to visible and editable for all fields
  • Apex classes—enabled
  • Visualforce pages—enabled
  • App settings—enabled
  • Tab settings—determined by the package creator
  • Page layout settings—determined by the package creator
  • Record Type settings—determined by the package creator

After installation, if you have Enterprise, Performance, Unlimited, or Developer Edition, set the appropriate user and object permissions on custom profiles as needed.

Install for All Users

Specifies the following settings on all internal custom profiles.

  • Object permissions—“Read,” “Create,” “Edit,” and “Delete” enabled
  • Field-level security—set to visible and editable for all fields
  • Apex classes—enabled
  • Visualforce pages—enabled
  • App settings—enabled
  • Tab settings—determined by the package creator
  • Page layout settings—determined by the package creator
  • Record Type settings—determined by the package creator
  • Note: The Customer Portal User, Customer Portal Manager, High Volume Customer Portal, Authenticated Website, Partner User, and standard profiles receive no access.

Install for Specific Profiles...

Enables you to choose the usage access for all custom profiles in your organization. You can set each profile to have full access or no access for the new package and all its components.

  • Full Access—Specifies the following settings for each profile.
    • Object permissions—“Read,” “Create,” “Edit,” “Delete,” “View All,” and “Modify All” enabled
    • Field-level security—set to visible and editable for all fields
    • Apex classes—enabled
    • Visualforce pages—enabled
    • App settings—enabled
    • Tab settings—determined by the package creator
    • Page layout settings—determined by the package creator
    • Record Type settings—determined by the package creator
    • No Access—Specifies the same settings as Full Access, except all object permissions are disabled.

You might see other options if the publisher has included settings for custom profiles. You can incorporate the settings of the publisher’s custom profiles into your profiles without affecting your settings. Choose the name of the profile settings in the drop-down list next to the profile that you need to apply them to. The current settings in that profile remain intact.

Alternatively, click Set All next to an access level to give this setting to all user profiles.

Related Topic