Transfer Case permission removal via change set is not showing in Audit Trail


We have a user profile that was enhanced to add the "Transfer Cases" permission. The OWD for Case is "Public Read/Write/Transfer". The setup audit trail shows the change:

Changed profile E&E Admin Team: general user permission Transfer Cases was changed from disabled to enabled

We confirmed by logging on as the user and all is fine. Great.

A few weeks later, the user indicates that the Change Owner button has "gone missing". We check, and the permission is no longer on the profile.

Most interestingly, the setup audit trail has no entry for the change from enabled to disabled. It seems to be an entirely untracked change.

To work around the problem, we simply checked the "Transfer Cases" box again and the users are fine.

This has happened one other time. We've narrowed down the time of the change to a 3-day span, and the audit trail doesn't have any profile changes listed during that time. We've also reported a support case to Salesforce, but they are currently showing limited understanding of the issue.

Any ideas?

Update: Salesforce support is saying this might be a limitation of change sets. It may be that profiles included in a change set package might not have their changes reflected in the Setup Audit Trail. I am running a test to confirm.

Best Answer

Salesforce Support is saying this is expected behavior for change sets.

To confirm, I re-did the testing using the following steps. I was able to reproduce the issue:

  1. Created a production profile called "Test Profile - Do Not Use" with "Transfer Cases" permission.
  2. Created a new sandbox called permTest.
  3. Create a new change set in the sandbox. Include an un-altered formula field.
  4. Alter the profile in the sandbox to remove the "Transfer Cases" permission.
  5. Include the profile in the change set.
  6. Deploy the change set to production.
  7. Check the setup audit log.

Result: no entry in the Setup Audit Trail for profile permissions changes. A developer could escalate their production permissions in an untracked fashion.

I found documentation that confirms this security hole is a platform limitation: https://help.salesforce.com/s/articleView?id=000333147&type=1
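Because the Setup Audit Trail does not record these changes, one way to notice them is to compare periodic snapshots of profile permissions against the audit entries recorded in the same window. The following is an added example, not part of the original post or any Salesforce tooling; the snapshot structure, the function names and the sample data are assumptions, and only the audit entry format is taken from the line quoted in the question.

```python
import re

# Entry format copied from the audit line quoted in the question.
AUDIT_RE = re.compile(
    r"^Changed profile (?P<profile>.+?): general user permission "
    r"(?P<perm>.+?) was changed from (?:enabled|disabled) "
    r"to (?P<new>enabled|disabled)$"
)

def audited_changes(audit_lines):
    """Return {(profile, permission, new_state)} parsed from audit entries."""
    seen = set()
    for line in audit_lines:
        m = AUDIT_RE.match(line.strip())
        if m:
            seen.add((m["profile"], m["perm"], m["new"] == "enabled"))
    return seen

def snapshot_diff(before, after):
    """Yield (profile, permission, old, new) for each changed permission."""
    for profile in sorted(set(before) | set(after)):
        old_perms, new_perms = before.get(profile, {}), after.get(profile, {})
        for perm in sorted(set(old_perms) | set(new_perms)):
            old, new = old_perms.get(perm, False), new_perms.get(perm, False)
            if old != new:
                yield profile, perm, old, new

def untracked_changes(before, after, audit_lines):
    """Changes present in the snapshots but missing from the audit trail."""
    audited = audited_changes(audit_lines)
    return [c for c in snapshot_diff(before, after)
            if (c[0], c[1], c[3]) not in audited]

# Constructed sample data: two snapshots of profile permissions and the
# audit entries recorded between them (hypothetical values).
BEFORE = {"E&E Admin Team": {"Transfer Cases": True},
          "Test Profile - Do Not Use": {"Transfer Cases": False}}
AFTER = {"E&E Admin Team": {"Transfer Cases": False},
         "Test Profile - Do Not Use": {"Transfer Cases": True}}
AUDIT = ["Changed profile Test Profile - Do Not Use: general user permission "
         "Transfer Cases was changed from disabled to enabled"]

if __name__ == "__main__":
    for profile, perm, old, new in untracked_changes(BEFORE, AFTER, AUDIT):
        print(f"UNTRACKED: {profile}: {perm} {old} -> {new}")
```

With the sample data, the enable on the test profile is matched by its audit entry, while the removal on E&E Admin Team is reported as untracked.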
